brooklyn-dev mailing list archives

From Aled Sage <aled.s...@gmail.com>
Subject Re: [DISCUSS][VOTE] Release Apache Brooklyn 0.10.0 [rc1]
Date Tue, 06 Dec 2016 11:20:30 GMT
Hi all,

I used (a modified version of) Andrea's RC verifier script, which he 
shared for 0.9.0 RC testing - see attached.

This passed, except for two things worth noting below:

_*gpg: WARNING: This key is not certified with a trusted signature*_

    + gpg --verify apache-brooklyn-0.10.0-rc1-src.tar.gz.asc apache-brooklyn-0.10.0-rc1-src.tar.gz
    gpg: Signature made Mon  5 Dec 08:28:23 2016 GMT using RSA key ID 59D0A896
    gpg: Good signature from "Svetoslav Neykov <svetoslav@neykov.name>"
    gpg:                 aka "Svetoslav Neykov <svetoslav.neykov@cloudsoftcorp.com>"
    gpg:                 aka "Svetoslav Neykov <svet@apache.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 9F9C CBDA 89B3 0F81 162C  673C 0FE9 0F00 C0DE F000
         Subkey fingerprint: BA79 6AAA 77D1 2C96 4B3A  27E1 9790 90BE 59D0 A896


Do we need to worry about that? Do I need to import more keys into my 
chain of trust?
(Note that the script had previously executed
`curl https://dist.apache.org/repos/dist/release/brooklyn/KEYS | gpg --import`).


_*`vagrant up` fails (expected!)*_
The download url in the vagrant installer file will only become valid 
when 0.10.0 is released. To test vagrant, we'll need to tweak the file 
apache-brooklyn-0.10.0-vagrant/files/install_brooklyn.sh to use the rc 
download url.

    ==> brooklyn: Installing Apache Brooklyn version 0.10.0 from
    [https://www.apache.org/dyn/closer.lua?action=download&filename=brooklyn/apache-brooklyn-0.10.0/apache-brooklyn-0.10.0-bin.tar.gz]
    ==> brooklyn: Downloading Brooklyn release archive



On 05/12/2016 12:11, Svetoslav Neykov wrote:
> This thread is for discussions related to the release vote.
>
> I should clarify what we are looking for in a release vote. Particularly,
> we are looking for people to download, validate, and test the release.
> Only if you are satisfied that the artifacts are correct and the quality is
> high enough, should you make a "+1" vote. Alongside your vote you should list
> the checks that you made.
>
> Here is a good example: http://markmail.org/message/gevsz2pdciraw6jw
>
> The vote is not simply about "the master branch contains the features I wanted" -
> it is about making sure that *these* artifacts are *correct* (e.g. they are
> not corrupted, hashes and signatures pass) and are of *sufficiently high
> quality* to be stamped as an official release of The Apache Software Foundation.
>
> Why test the artifacts when master is looking good? Here are some reasons:
>
> - somebody could have made a commit that broke it, since you last git pulled
> - the release branch could have been made at the wrong point, or inconsistently
>    between all of the submodules
> - something in the release process could have broken it
> - I could have made a mistake and corrupted the files
> - a problem with the Apache infrastructure could mean that the release files are
>    unobtainable or corrupted
>
> This is why the release manager needs you to download the actual release
> artifacts and try them out.
>
> The way Apache works can be a bit arcane sometimes, but it's all done with
> a reason. If the vote passes then the contents of the email and its links
> become "endorsed" by The Apache Software Foundation, and the Foundation will
> take on legal liability for them, forever.
>
> And of course we want the best possible experience for our users - so we need
> the actual release files to be tested manually to make sure that a mistake does
> not ruin the experience for users.
>
> So if you can spare an hour or more to download some of the artifacts and try
> them out, then it will be *very* useful! The vote lasts for three days so
> there's no need to rush to get a vote in.
>
> Thanks!
> Svet.
>
>
>> On 5.12.2016, at 13:52, Svetoslav Neykov <svetoslav.neykov@cloudsoftcorp.com> wrote:
>>
>> This is to call for a vote for the release of Apache Brooklyn 0.10.0.
>>
>> This release comprises a source code distribution, and a corresponding
>> binary distribution, and Maven artifacts.
>>
>> The source and binary distributions, including signatures, digests, etc. can
>> be found at:
>>
>>   https://dist.apache.org/repos/dist/dev/brooklyn/apache-brooklyn-0.10.0-rc1
>>
>> The artifact SHA-256 checksums are as follows:
>>
>> The Nexus staging repository for the Maven artifacts is located at:
>>
>>     https://repository.apache.org/content/repositories/orgapachebrooklyn-1030
>>
>> All release artifacts are signed with the key with the following fingerprint:
>>
>>     9F9C CBDA 89B3 0F81 162C  673C 0FE9 0F00 C0DE F000
>>
>> KEYS file available here:
>>
>>     https://dist.apache.org/repos/dist/release/brooklyn/KEYS
>>
>>
>> The artifacts were built from git commit IDs:
>>
>> brooklyn: c496c5e9167f9320d08c21d5bce50f16a2325268
>> brooklyn-client: 0594d27aa68ac1c86e2b4672a447336042d92496
>> brooklyn-dist: 09a1ca89cd7d5a468438025d7f2121ec7c52ffc6
>> brooklyn-docs: f75d094f51c49cd5aa51e213bafc51da3d4ff01c
>> brooklyn-library: 1a1962382413b0e5adbfb52bb33968df265b35c5
>> brooklyn-server: 635068a6985edf2e5dfbb9598d8dde2890c32ad3
>> brooklyn-ui: a6e2e8bccfdd98b4f7155b5be86f5b85149e0f33
>> All of the above have been tagged as "apache-brooklyn-0.10.0-rc1"
>>
>> Please vote on releasing this package as Apache Brooklyn 0.10.0.
>>
>> The vote will be open for at least 72 hours.
>> [ ] +1 Release this package as Apache Brooklyn 0.10.0
>> [ ] +0 no opinion
>> [ ] -1 Do not release this package because ...
>>
>>
>> Thanks!
>> Svet.
>>
>>
>>
>> CHECKLIST for reference
>>
>> [ ] Download links work.
>> [ ] Binaries work.
>> [ ] Checksums and PGP signatures are valid.
>> [ ] Expanded source archive matches contents of RC tag.
>> [ ] Expanded source archive builds and passes tests.
>> [ ] LICENSE is present and correct.
>> [ ] NOTICE is present and correct, including copyright date.
>> [ ] All files have license headers where appropriate.
>> [ ] All dependencies have compatible licenses.
>> [ ] No compiled archives bundled in source archive.
>> [ ] I follow this project’s commits list.
>>

