apr-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: 1.6.0 release candidates
Date Mon, 17 Apr 2017 17:02:38 GMT
On Mon, Apr 17, 2017 at 11:06 AM, Nick Kew <niq@apache.org> wrote:
> On Mon, 2017-04-17 at 14:01 +0200, Rainer Jung wrote:
> Thanks for the comments.
>> my test results: most important is failure to compile on Solaris 8 and a
>> hang during make test on Solaris 10, as well as your key seeming to be
>> revoked. See below.
>> 1) Formal observations
>> ======================
>> - MD5 and SHA1 missing
> Indeed.  Do you think those should be encouraged, as they don't
> actually give any more security than a simple checksum?

IMO, MD5 (supported on any box) and SHA256 (supported only with
more modern distros) still make sense. No reason to add SHA1; the
MD5 is enough for non-deliberate integrity validation. SHA256 can
be enough if the fingerprint is from https://apr.apache.org/dist/apr/ but
isn't a recommended substitute for a valid .asc PGP validation.

>> - zip archives not named "win32-src.zip" as previously

See below

>> - CHANGES-APR-1.6 and CHANGES-APR-UTIL-1.6 missing

That could happen when you roll (I do this because I have the two
tarballs unpacked at the time), but can just as easily happen when
you are publishing the release. The contents are in the tarballs
for review already.

>> - HEADER.html and README.html missing

I see in http://apr.apache.org/dev/dist/

NOTICE: This file store contains only release candidates, not released
tarballs. These are only provided by the dev@apr.apache.org list's
Release Managers to consider release candidates prior to moving them
to their proper home http://www.apache.org/dist/apr/

so this is fine where we've traditionally posted the candidates - they
don't go in the tarball.

That URL corresponds to

>> - Announcement1.6.txt and Announcement1.6.html missing
> AFAICS those don't feature in the tarballs?  I looked at
> the 1.5.latest of APR/APU and I don't see them.

Typically we keep a copy of these in dev/dist/ for massaging the
release messages. They don't go in the tarball.

Typically we simply copy (or svn mv) the release and these extra
artifacts over from https://dist.apache.org/repos/dist/dev/apr/
to https://dist.apache.org/repos/dist/release/apr/ when it is time
to populate the mirrors.

>> - Key B87F79A9 missing from KEYS file
> Good point.  Since ASF now auto-generates per-project keys files
> daily, why maintain a separate KEYS file?
>> - Key B87F79A9 is listed as "revoked: 2016-08-16" in key server
> I saw that key after uploading the tarballs!
> That key has a wrong creation date and wrong fingerprint:
> it's an imposter who created a clash (I recollect discussing
> that, though I only just found out that a fake with my name
> on it was "out there")!  My real key is in
> http://people.apache.org/keys/group/apr.asc and
> http://people.apache.org/keys/committer/
> (along with my old 1024-bit key, which I can also use if this
> is creating confusion).
>> - ".svn" directory included, that's unusual
>> - STATUS file included, that's unusual
> It's a fair cop, guv!
>> - Unix build files configure, *.spec, build-outputs.mk, build/*.sh,
>>    build/l*.m4 (libtool m4 files) and the copies of the apr build/*.m4
>>    in apu are included in zip (that's new, but IMHO OK)
> Ah, right.  Yep, that's probably not such a good idea.

Right - this is why they were named -win32-src.zip, to remind folks
that they can't find the unix tools, even if they were to switch the
line endings back to LF.

> Do we in fact still need those in the Unix tarballs?  Are there
> platforms out there with the toolchain for configure/make but not
> for buildconf?

YES! The whole autocruft is very hard to get right on older Solaris,
HP-UX, AIX and other operating systems that just aren't Linux. Can't
comment on BSD compatibility of autocruft.

>> - no more bundled expat: we need to note that in the release notes
> Agreed, that was certainly on the agenda for the announcement.

+1 to include in Announcement (and probably on the site download
reference for the package). A pointer to the project would be good;
http://expat.sourceforge.net/ (soon to be github, but there isn't much
there yet.)
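The distinction drawn above, that a checksum only catches accidental corruption while the .asc signature must be checked against the project's KEYS file and the expected key fingerprint (the revoked B87F79A9 impostor key discussed in this thread had a different fingerprint), as an added example that is not code from the thread or from the APR project. File names, the constructed tarball and the expected fingerprint are placeholders the caller supplies; it assumes a POSIX shell, awk, sha256sum or shasum, and gpg.

```shell
#!/bin/sh
# Added example (not from the apr-dev thread): verify a release candidate's
# detached SHA-256 sum, then its .asc signature against a keyring built only
# from the project's KEYS file, and insist the signing key's primary
# fingerprint is the one expected. All file names are placeholders.

# SHA-256 of a file, portable between coreutils (sha256sum) and BSD (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a tarball with its "<hex>  <name>" checksum file.
# Catches download corruption only; it says nothing about who made the file.
check_sha256() {
    tarball=$1; sumfile=$2
    expected=$(awk 'NR==1{print tolower($1)}' "$sumfile")
    actual=$(sha256_of "$tarball")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Pull the primary-key fingerprint out of gpg --status-fd/--status-file output.
# Only VALIDSIG counts (GOODSIG alone can appear with an expired/revoked key);
# its tenth field after the keyword is the primary key fingerprint.
primary_fpr_from_status() {
    awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print toupper($12); exit}' "$1"
}

# Verify signature in a throwaway GNUPGHOME seeded only from KEYS, so a key
# that merely carries the right name in a public keyserver cannot satisfy it.
check_signature() {
    tarball=$1; ascfile=$2; keysfile=$3; expected_fpr=$4
    home=$(mktemp -d) || return 1
    status="$home/status"
    gpg --homedir "$home" --batch --quiet --import "$keysfile" 2>/dev/null \
        || { rm -rf "$home"; return 1; }
    gpg --homedir "$home" --batch --status-file "$status" \
        --verify "$ascfile" "$tarball" >/dev/null 2>&1
    rc=$?
    got=$(primary_fpr_from_status "$status")
    want=$(printf %s "$expected_fpr" | tr -d ' ' | tr a-f A-F)
    rm -rf "$home"
    [ "$rc" -eq 0 ] && [ -n "$got" ] && [ "$got" = "$want" ]
}
```

A typical call is `check_sha256 apr-1.6.0.tar.gz apr-1.6.0.tar.gz.sha256 && check_signature apr-1.6.0.tar.gz apr-1.6.0.tar.gz.asc KEYS "<fingerprint printed on the download page>"`.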
