check:

$ for v in 2.14.3 2.15.0-rc1 2.15.0-rc2 2.15.0-rc3 2.15.0 2.15.1 ; do
  base="https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/$v"
  echo "$v: $base"
  curl -s $base/jackson-core-$v.module | grep md5 | tail -1
  curl -s $base/jackson-core-$v.jar | md5sum
done

gives following results:

2.14.3: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.14.3
          "md5": "abb25b80cda20ddc2cd3bbd8fccd0d34"
abb25b80cda20ddc2cd3bbd8fccd0d34  -
2.15.0-rc1: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0-rc1
          "md5": "f025e63d6acf12f6ab7a9395b2e7839f"
22a62f740a8ae4d18f92fd046d430c33  -
2.15.0-rc2: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0-rc2
          "md5": "2fa06351c3e0b189188ea52dd6bed370"
ba468eaacf916f088c5416d2a78ddbc1  -
2.15.0-rc3: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0-rc3
          "md5": "7ce0e69a172f3fc5fdbe17084d41db7"
9880100f0b6076fe1f405182a93b4bb0  -
2.15.0: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0
          "md5": "6791b06af1f5268de81b4002e2e5753b"
884fa0e39483933acc1168184c002bb9  -
2.15.1: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.1
          "md5": "a01d167430c8ccd5635ce0a74c5a7e30"
48a8701b4f142e2fe3b8cae07a2af4d2  -

checksum in module.json was ok in 2.14.3 (and previously: I checked older releases), but since early 2.15 rc, it's broken

looking at build output:

[INFO] --- moditect-maven-plugin:1.0.0.Final:add-module-info (add-module-infos) @ jackson-core ---
[INFO] 
[INFO] --- gradle-module-metadata-maven-plugin:0.4.0:gmm (default) @ jackson-core ---
[INFO] 
[INFO] --- maven-shade-plugin:3.4.1:shade (shade-jackson-core) @ jackson-core ---
...
[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /var/maven/app/target/jackson-core-2.15.1.jar with /var/maven/app/target/jackson-core-2.15.1-shaded.jar

need to switch order between shade and gmm goals as gmm does not fingerprint the jar file that is published = the shaded one
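The same comparison can be automated for every digest in a `.module` file rather than only `md5`. This is an added example, not code from the issue or from the Jackson build: it checks each `files` entry of a Gradle Module Metadata document against the actual artifact bytes. The file name and jar contents are constructed stand-ins.

```python
import hashlib
import json

# Digests that Gradle Module Metadata records for each published file.
ALGOS = ("md5", "sha1", "sha256", "sha512")


def check_module_metadata(module_json, artifacts):
    """Return (file, field, declared, actual) for every mismatch.

    artifacts maps file name -> bytes of the artifact as actually published.
    """
    problems = []
    for variant in json.loads(module_json).get("variants", []):
        for entry in variant.get("files", []):
            name, found = entry["name"], []
            data = artifacts.get(name)
            if data is None:
                found.append((name, "missing", None, None))
            else:
                if "size" in entry and entry["size"] != len(data):
                    found.append((name, "size", entry["size"], len(data)))
                for algo in ALGOS:
                    actual = hashlib.new(algo, data).hexdigest()
                    declared = entry.get(algo)
                    if declared is not None and declared.lower() != actual:
                        found.append((name, algo, declared, actual))
            # The same jar is listed under several variants: report it once.
            problems += [p for p in found if p not in problems]
    return problems


def module_for(name, data):
    """Build a minimal .module document fingerprinting `data` (constructed)."""
    entry = {"name": name, "url": name, "size": len(data)}
    entry.update({a: hashlib.new(a, data).hexdigest() for a in ALGOS})
    variants = [{"name": v, "files": [entry]}
                for v in ("apiElements", "runtimeElements")]
    return json.dumps({"formatVersion": "1.1", "variants": variants})


# Constructed stand-ins for the jar before and after the shade goal runs.
NAME = "example-lib-1.0.jar"
ORIGINAL = b"PK\x03\x04 constructed jar before shade"
SHADED = b"PK\x03\x04 constructed jar after shade, relocated classes"

if __name__ == "__main__":
    # Metadata generated before shading, checked against the published jar.
    for problem in check_module_metadata(module_for(NAME, ORIGINAL), {NAME: SHADED}):
        print(problem)
```
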

Comment From: hboutemy

notice: bug found while checking Reproducible Builds https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/com/fasterxml/jackson/core/README.md now that the jar itself is reproducible (after https://github.com/FasterXML/oss-parent/pull/75 ), this new issue becomes more visible

Comment From: hboutemy

fix is simply about changing order of 2 plugins in pom.xml https://github.com/FasterXML/jackson-core/blob/2.16/pom.xml#L163

Comment From: cowtowncoder

Merged the fix -- help with verification would be much appreciated.

One question: it looks like maven-jar-plugin comes after GMM plugin; is that problematic? I assume not (checksum only on classes?), but wanted to ask since I think some artifacts are still modified after it.

Comment From: hboutemy

@cowtowncoder mvn buildplan:list is your friend to easily see the build plan without executing it

it gives now

package                | maven-jar-plugin                    | 3.3.0       | jar               | default-jar           
process-resources      | moditect-maven-plugin               | 1.0.0.Final | add-module-info   | add-module-infos      
package                | maven-shade-plugin                  | 3.4.1       | shade             | shade-jackson-core    
package                | gradle-module-metadata-maven-plugin | 0.4.0       | gmm               | default               
package                | maven-site-plugin                   | 3.12.1      | attach-descriptor | attach-descriptor     
package                | find-and-replace-maven-plugin       | 1.1.0       | find-and-replace  | exec                  
install                | maven-install-plugin                | 3.1.0       | install           | default-install       

everything looks fine:

  • jar creates the original jar
  • moditect adds a module info to the jar
  • shade replaces the jar with a shaded one
  • gmm creates the Gradle module.json that references the previous jar (that won't be modified any more)
  • site attaches the descriptor
  • find-and-replace updates the pom files that will be pushed to Central: given it has not been fingerprinted by gmm, it's ok to do it here

Comment From: hboutemy

(notice: I see that the phase column in buildplan:list is sometimes wrong, but that has no impact, the order is the effective one, it's just the guessing of why execution happens that is a little buggy: while at it, issue opened https://github.com/mojohaus/buildplan-maven-plugin/issues/183 )

Comment From: cowtowncoder

@hboutemy Thanks. It is good to get verification since I do not think I can necessarily validate that any given ordering is correct wrt processing (do not know the parts intimately enough to have strong opinion).

Comment From: hboutemy

FYI, I was able to reproduce Jackson-core 2.15.2 https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/com/fasterxml/jackson/core/README.md (will be updated tonight)

what a great result!

other artifacts have some unexpected small issues, I'll continue to investigate

Comment From: cowtowncoder

@hboutemy Thank you for verifying jackson-core! Looking forward to reports on remaining issues.

Comment From: reto-hoehener

Would love to have a version with this fix.

Comment From: pjfanning

> Would love to have a version with this fix.

  • Maven Central won't let you change a release once released
  • if the issue is still happening in 2.19.1, we can investigate why the values are still being generated incorrectly

Comment From: reto-hoehener

I'm sorry I intended to ask this in https://github.com/mojohaus/buildplan-maven-plugin/issues/183, but must have followed the link here.