-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
4.32-I-build warning logs not accessible anymore since I20240321-1050 #1943
4.32-I-build warning logs not accessible anymore since I20240321-1050 #1943
Comments
I fixed a NPE here, maybe more things lurking around: |
To me it looks like the cause is more that the link expect a |
It's visible in https://download.eclipse.org/eclipse/downloads/drops4/I20240401-1800/buildlogs/mb300_gatherEclipseParts.sh.log :
and many similar. |
It's been broken by eclipse-platform/eclipse.platform.releng.buildtools#45 but it hasn't been visible as the new version hasn't been published and used when this change went in. |
@jukzi What is the plan to fix here? |
Local test can be done using : |
So commenting https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/blob/bd8c70a3d4044a7bd1ff7d11ab826a28387d4c46/bundles/org.eclipse.releng.build.tools.convert/src/org/eclipse/releng/build/tools/convert/ant/Converter.java#L211 fixes the issue. As such an entityresolver is practically disables any resolving setValidation(true) is guaranteed to break as dtd is specified. So I guess this line has to be simply removed and let the JVM defaults do its work. |
Thanks for finding these. Can you tell if this converted is used by anything else than to gather the test-results/warnings? |
It's not used anywhere else AFAICT. In an ideal world this "converter" would become an xslt template and the need for this parsing and etc. would be gone. |
Just wondering why any DTDs are required anyways to parse the xml, maybe just disable the validation of the parser altogether ( |
I am not the one that created the app but I don't see a benefit from skipping validation for files that have dtd. If validation is to be disabled I would expect the code to be cleaned from all things related to https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/blob/bd8c70a3d4044a7bd1ff7d11ab826a28387d4c46/bundles/org.eclipse.releng.build.tools.convert/src/org/eclipse/releng/build/tools/convert/ant/Converter.java#L147 |
The benefit would be that we don't need the DTD (neither local nor remote) and I think for this usecase we can assume the xmls is valid (as one can see the validation error is also only discovered by accident ... so to save us some hassle I would just disable validation here and handle this like plain XML that has some known structure. |
I would proceed with partial revert of the previous patch as dot.xml files are produced in eclipse.org infra and conversion runs there so there is no security concern from fetching the dtd. If someone managed to breach to that level we would have far bigger concerns than this one. |
Built and deployed. I'm starting new I-build now to confirm the fix today. |
https://download.eclipse.org/eclipse/downloads/drops4/I20240403-0940/compilelogs/plugins/org.eclipse.core.commands_3.12.100.v20240322-0723/@dot.html#OTHER_WARNINGS points to working html page now so it's confirmed fixed. |
Great, thank you! Now we can fix all those warnings😃 |
The dot.xml contain
Security holes may start with wrong assumptions. It would be better to at least check that the URL refers to the trusted "https://www.eclipse.org/" domain instead of arbitrary URLs. Even if we don't know how other URL could be foisted such a simple check on EntityResolver's systemId would not hurt. |
Can't we simply embeds the DTD somehow or read it from the bundle instead? Network I/O is not nice anyways... |
Effectively the URL leads to a pinned version of |
Thats why I mentioned we maybe can disable validation altogether, as it theoretically can cause issues, practically this almost never changes, there was one change 8 years ago to support an info category: the change before that is 14 years ago... so this might never even practically impact the usecase here... |
Guys, I'm all for better tool as long as there is someone to drive these changes. I've just stepped up to take the reports back with the very minimal time I can afford for that. |
I could sponsor a PR for a minimal URL check if we agree on that. |
Maybe a stupid question (because I didn't review all the context) but could one use a platform:/plugin/org.eclipse.jdt.core/schema/compiler.dtd to access the DTD directly from the bundle? |
Since I-build I20240321-1050 the details about the
Plugins containing compile errors or warnings
Plugins containing access errors or warnings
listed at the test-result overview page cannot be accessed anymore:
https://download.eclipse.org/eclipse/downloads/drops4/I20240327-0720/compilelogs/plugins/org.eclipse.ant.core_3.7.400.v20240321-1303/@dot.html#OTHER_WARNINGS
But looking at its parent directory, there is a
@dot.xml
:https://download.eclipse.org/eclipse/downloads/drops4/I20240327-0720/compilelogs/plugins/org.eclipse.ant.core_3.7.400.v20240321-1303/
The last build for which this worked seems to be
I20240318-1800
, see for example:https://download.eclipse.org/eclipse/downloads/drops4/I20240318-1800/compilelogs/plugins/org.eclipse.ant.core_3.7.300.v20231214-1526/@dot.html#OTHER_WARNINGS
The the html seems not to be not generated anymore.
@laeubi could this be connected to the latest changes about compiler-logs?
The text was updated successfully, but these errors were encountered: