hyperledger / besu

An enterprise-grade Java-based, Apache 2.0 licensed Ethereum client https://wiki.hyperledger.org/display/besu

Home Page: https://www.hyperledger.org/projects/besu

update to version 0.8.5 release of besu-native

macfarla opened this issue · comments

This is blocked right now because the DCO check is not responding.

It seems that the most recent commit to besu-native hyperledger/besu-native#169 has updated the 0.8.4 release artifacts. Hence right now the dependency check is failing in GHA.

> Could not create task ':ethereum:referencetests:executionSpecTests'.
> Dependency verification failed for configuration ':ethereum:referencetests:tarConfig'
              10 artifacts failed verification:
                - arithmetic-0.8.4.jar (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
                - arithmetic-0.8.4.module (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
                - blake2bf-0.8.4.jar (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
                - blake2bf-0.8.4.module (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
                - bls12-381-0.8.4.jar (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
                - bls12-381-0.8.4.module (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
                - secp256k1-0.8.4.jar (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
                - secp256k1-0.8.4.module (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
                - secp256r1-0.8.4.jar (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
                - secp256r1-0.8.4.module (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
              This can indicate that a dependency has been compromised. Please carefully verify the checksums.

I think the problem has occurred because gradle.properties still has the 0.8.4 version - it was not updated to 0.8.5-SNAPSHOT after this release hyperledger/besu-native@74cf995
LFR 0.8.5 release for besu-native hyperledger/besu-native#171
then LFR prep 0.8.6 release for besu-native hyperledger/besu-native#172
and then we will need to update dependencies in besu to 0.8.5 versions of native libs
Looks like the DCO bot is non-responsive, so this is blocked. If this is resolved in the next few hrs, it would be great if someone else could pick this up - the next step is to update dependencies for the native libs in besu to the 0.8.5 version.

Same problem here!

ethereum@ethereum-holesky-02:~/besu$ ./gradlew installDist

> Configure project :
Generating project version as supplied is version not semver: unspecified

FAILURE: Build failed with an exception.

* Where:
Build file '/home/ethereum/besu/ethereum/referencetests/build.gradle' line: 74

* What went wrong:
Could not determine the dependencies of task ':installDist'.
> Could not resolve all dependencies for configuration ':runtimeClasspath'.
   > Could not create task ':ethereum:referencetests:executionSpecTests'.
      > Dependency verification failed for configuration ':ethereum:referencetests:tarConfig'
        10 artifacts failed verification:
          - arithmetic-0.8.4.jar (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
          - arithmetic-0.8.4.module (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
          - blake2bf-0.8.4.jar (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
          - blake2bf-0.8.4.module (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
          - bls12-381-0.8.4.jar (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
          - bls12-381-0.8.4.module (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
          - secp256k1-0.8.4.jar (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
          - secp256k1-0.8.4.module (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
          - secp256r1-0.8.4.jar (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
          - secp256r1-0.8.4.module (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
        This can indicate that a dependency has been compromised. Please carefully verify the checksums.

        Open this report for more details: file:///home/ethereum/besu/build/reports/dependency-verification/at-1717492364772/dependency-verification-report.html

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.7/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD FAILED in 1s

Java 21 used here

Affecting the goevmlab docker build too

#30 [java-builder 4/5] RUN cd besu && ./gradlew --parallel ethereum:evmtool:installDist
#30 0.347 Downloading https://services.gradle.org/distributions/gradle-8.7-bin.zip
#30 1.925 ............10%.............20%.............30%.............40%............50%.............60%.............70%.............80%.............90%............100%
#30 9.157 Starting a Gradle Daemon (subsequent builds will be faster)
#30 46.26 
#30 46.27 > Configure project :
#30 46.27 Generating project version as supplied is version not semver: unspecified
#30 122.8 
#30 122.8 FAILURE: Build failed with an exception.
#30 122.8 
#30 122.8 * Where:
#30 122.8 Build file '/besu/ethereum/referencetests/build.gradle' line: 74
#30 122.8 
#30 122.8 * What went wrong:
#30 122.8 Could not determine the dependencies of task ':ethereum:evmtool:installDist'.
#30 122.8 > Could not resolve all dependencies for configuration ':ethereum:evmtool:runtimeClasspath'.
#30 122.8    > Could not create task ':ethereum:referencetests:executionSpecTests'.
#30 122.8       > Dependency verification failed for configuration ':ethereum:referencetests:tarConfig'
#30 122.8         10 artifacts failed verification:
#30 122.8           - arithmetic-0.8.4.jar (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
#30 122.8           - arithmetic-0.8.4.module (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
#30 122.8           - blake2bf-0.8.4.jar (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
#30 122.8           - blake2bf-0.8.4.module (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
#30 122.8           - bls12-381-0.8.4.jar (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
#30 122.8           - bls12-381-0.8.4.module (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
#30 122.8           - secp256k1-0.8.4.jar (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
#30 122.8           - secp256k1-0.8.4.module (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
#30 122.8           - secp256r1-0.8.4.jar (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
#30 122.8           - secp256r1-0.8.4.module (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
#30 122.8         This can indicate that a dependency has been compromised. Please carefully verify the checksums.

Same issue.

I think there's an argument for the 0.8.4 artifacts being re-published at the correct version. We're unable to build 24.5.2 and aren't ready to roll forward.

I'm having the same issue, that I can't build from the release tarball anymore. It would be good to update: https://github.com/hyperledger/besu/releases/tag/24.5.2 to reflect the changes.

I'm going to re-open this issue for now as I don't think rolling Besu forward is the only solution that's needed. If the 0.8.4 artifacts have now been changed to be incorrect then they really ought to be reverted to the version they should be at

working on this.

Update - right now the Pull Request workflow actually checks out the branch and merges it into the base branch (main), so we cannot republish on a pull request trigger. We could publish on a push to a release-* branch. However, we also need to check with Hyperledger why the self-hosted runner does not pick up the job when it is from a release-* branch.

Release https://github.com/hyperledger/besu/releases/tag/24.5.4 has been released with the checksum fixes.
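
A triage sketch for the failure reported in this thread, added here as an example and not code from Besu or Gradle: it pulls the rejected artifacts out of the Gradle log and compares the SHA-256 of freshly fetched bytes with the values pinned in `gradle/verification-metadata.xml`. The function names and all sample bytes, hashes and log lines are constructed for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"g": "https://schema.gradle.org/dependency-verification"}
# Matches "- arithmetic-0.8.4.jar (org.hyperledger.besu:arithmetic:0.8.4) from repository maven"
FAILED = re.compile(r"-\s+(\S+)\s+\(([^:\s]+):([^:\s]+):([^)\s]+)\)\s+from repository")


def parse_failed(log):
    """Return (file, group, name, version) for each artifact Gradle rejected."""
    return [m.groups() for m in map(FAILED.search, log.splitlines()) if m]


def pinned_sha256(metadata_xml):
    """Map (file, group, name, version) -> set of sha256 values pinned in the metadata."""
    pins = {}
    for comp in ET.fromstring(metadata_xml).iterfind("g:components/g:component", NS):
        gav = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.iterfind("g:artifact", NS):
            pins[(art.get("name"), *gav)] = {s.get("value") for s in art.iterfind("g:sha256", NS)}
    return pins


def triage(log, metadata_xml, fetched):
    """Classify each failed artifact: 'changed-upstream', 'matches-pin' or 'not-pinned'."""
    pins, result = pinned_sha256(metadata_xml), {}
    for key in parse_failed(log):
        actual = hashlib.sha256(fetched[key[0]]).hexdigest()
        expected = pins.get(key)
        result[key[0]] = ("not-pinned" if not expected else
                          "matches-pin" if actual in expected else "changed-upstream")
    return result


# Constructed sample data: the bytes stand in for jar contents, not real besu-native artifacts.
ORIGINAL, REPUBLISHED = b"constructed original jar", b"constructed republished jar"
METADATA = f"""<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="org.hyperledger.besu" name="arithmetic" version="0.8.4">
      <artifact name="arithmetic-0.8.4.jar"><sha256 value="{hashlib.sha256(ORIGINAL).hexdigest()}"/></artifact>
    </component>
  </components>
</verification-metadata>"""
LOG = """#30 122.8   - arithmetic-0.8.4.jar (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
#30 122.8   - blake2bf-0.8.4.jar (org.hyperledger.besu:blake2bf:0.8.4) from repository maven"""
FETCHED = {"arithmetic-0.8.4.jar": REPUBLISHED, "blake2bf-0.8.4.jar": REPUBLISHED}
print(triage(LOG, METADATA, FETCHED))
```

A `changed-upstream` result for an already released version means the published bytes no longer match what was pinned, which calls for confirming the cause with the publisher before any checksum is regenerated.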