Problem with typesafe repository and javax servlet-api-2.5.jar?

94 views
Skip to first unread message

John C

unread,
Dec 20, 2011, 2:46:48 PM12/20/11
to simple-build-tool
It appears that the javax servlet-api-2.5.jar hosted by typesafe is
bad in some way (the SHA1 does not match).

[warn] [FAILED ] javax.servlet#servlet-api;2.5!servlet-api.jar:
invalid sha1: expected=5959582d97d8b61f4d154ca9e495aafd16726e34
computed=e69999122202bb1c275a80ad3281c4f69f2ea0b2 (1024ms)
[warn] [FAILED ] javax.servlet#servlet-api;2.5!servlet-api.jar:
invalid sha1: expected=5959582d97d8b61f4d154ca9e495aafd16726e34
computed=e69999122202bb1c275a80ad3281c4f69f2ea0b2 (1024ms)
[warn] ==== Typesafe Repository: tried
[warn] http://repo.typesafe.com/typesafe/releases/javax/servlet/servlet-api/2.5/servlet-api-2.5.jar

. . .

[warn] ::::::::::::::::::::::::::::::::::::::::::::::
[warn] :: FAILED DOWNLOADS ::
[warn] :: ^ see resolution messages for details ^ ::
[warn] ::::::::::::::::::::::::::::::::::::::::::::::
[warn] :: javax.servlet#servlet-api;2.5!servlet-api.jar
[warn] ::::::::::::::::::::::::::::::::::::::::::::::
[error] {file:/Users/j/git/code/}/*:update: sbt.ResolveException:
download failed: javax.servlet#servlet-api;2.5!servlet-api.jar

----------------

I'm using the following resolver in my build.sbt:
resolvers ++= Seq("Typesafe Repository" at "http://repo.typesafe.com/
typesafe/releases/")

I Manually downloading the files (from
http://repo.typesafe.com/typesafe/releases/javax/servlet/servlet-api/2.5/)
and I can confirm that the provided sha1 does not match the expected
value.

:/tmp$ sha1sum servlet-api-2.5.jar
e69999122202bb1c275a80ad3281c4f69f2ea0b2 servlet-api-2.5.jar

:/tmp$ cat servlet-api-2.5.jar.sha1
5959582d97d8b61f4d154ca9e495aafd16726e34

But the md5sum does match:
:/tmp$ md5sum servlet-api-2.5.jar
116fc16f3f700d756a57a2b8ea7c1044 servlet-api-2.5.jar

:/tmp$ cat servlet-api-2.5.jar.md5
116fc16f3f700d756a57a2b8ea7c1044

I then downloaded the same jar file and .sha1 file from ibiblio at
http://mirrors.ibiblio.org/pub/mirrors/maven2/javax/servlet/servlet-api/2.5/

Now the sha1 values match, as do the md5sums, but the md5sums are
different.

To summarize, the servlet-api-2.5.jar is clearly different in size and
sha1/md5.

servlet-api-2.5.jar (typesafe repo): 105334 bytes
SHA1: e69999122202bb1c275a80ad3281c4f69f2ea0b2 servlet-api-2.5.jar
MD5: 116fc16f3f700d756a57a2b8ea7c1044 servlet-api-2.5.jar

servlet-api-2.5.jar.sha1 (typesafe repo)
5959582d97d8b61f4d154ca9e495aafd16726e34

servlet-api-2.5.jar.md5 (typesafe repo)
116fc16f3f700d756a57a2b8ea7c1044

servlet-api-2.5.jar (ibibilio repo): 105112 bytes
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34 servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f servlet-api-2.5.jar

servlet-api-2.5.jar.sha1 (ibiblio repo)
5959582d97d8b61f4d154ca9e495aafd16726e34

servlet-api-2.5.jar.md5 (ibiblio repo)
69ca51af4e9a67a1027a7f95b52c3e8f

Has anyone run into this problem? I've checked in a few other places
and the type safe version seems to be the outlier. Is their version
known to be different and their sha1 was not updated or is there
something else that's broken?

Thanks,
John

Paul Phillips

unread,
Dec 20, 2011, 4:07:56 PM12/20/11
to simple-b...@googlegroups.com
On Tue, Dec 20, 2011 at 11:46 AM, John C <ciesl...@gmail.com> wrote:
> It appears that the javax servlet-api-2.5.jar hosted by typesafe is
> bad in some way (the SHA1 does not match).

The contents of the typesafe jar and the ibiblio jar are definitely
different. However a look at the manifest indicates to me that
typesafe is the one with the legitimate jar. Here is the diff (there
are other differences too.) But ours is created by "Sun Microsystems"
and the ibiblio one is created by "Apache Maven".


diff --git a/META-INF/MANIFEST.MF b/META-INF/MANIFEST.MF
index 7945998731..daa149243a 100644
--- a/META-INF/MANIFEST.MF
+++ b/META-INF/MANIFEST.MF
@@ -1,13 +1,12 @@
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
-Created-By: Apache Maven
-Built-By: edburns
-Package:
-Build-Jdk: 1.5.0_06
-Extension-Name: servlet-api
-Specification-Title: A component of the Glassfish Application Server
-Specification-Vendor: Sun Microsystems Inc
-Implementation-Title:
-Implementation-Vendor: Sun Microsystems Inc
+Created-By: 1.5.0_09-b03 (Sun Microsystems Inc.)
+Extension-Name: javax.servlet
+Specification-Title: JavaServlet(TM) Specification
+Specification-Version: 2.5
+Specification-Vendor: Sun Microsystems, Inc.
Implementation-Version: 2.5
+Implementation-Vendor: Sun Microsystems, Inc.
+Implementation-Vendor-Id: org.apache
+Implementation-Title: Sun Java System Application Server

Paul Phillips

unread,
Dec 20, 2011, 4:43:24 PM12/20/11
to simple-b...@googlegroups.com
However, it looks like we have a sha file which matches the ibiblio
jar, not the one next to it. I wonder how something like that
happens. I'll look into it.

Peter Vlugter

unread,
Dec 20, 2011, 6:38:53 PM12/20/11
to simple-b...@googlegroups.com

On 21/12/2011, at 8:46 AM, John C wrote:

> It appears that the javax servlet-api-2.5.jar hosted by typesafe is
> bad in some way (the SHA1 does not match).

This came from an older proxied repository (cache of the jboss repository).

I've updated the jboss cache on repo.typesafe.com and the servlet-api jar should be resolved via the repo1.maven.org cache now.

Thanks,
Peter

John C

unread,
Dec 21, 2011, 1:20:03 PM12/21/11
to simple-build-tool
Thanks, that resolved the problem!

John
Reply all
Reply to author
Forward
0 new messages