commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: Commons release policy
Date Sun, 04 Dec 2016 13:44:18 GMT
The hashes are not intended for authentication, only for checking that
the download works OK.
So the strength of the algorithm is not relevant here.

On 3 December 2016 at 20:02, Gary Gregory <garydgregory@gmail.com> wrote:
> Well, getting SHA-1 hashes is not awesome either, we really need a plugin
> updated to use SHA-2/SHA-256
>
> Gary
>
> On Sat, Dec 3, 2016 at 11:57 AM, Matt Sicker <boards@gmail.com> wrote:
>
>> The source jar does just include the .java/.scala/etc. files along with
>> anything in src/main/resources/ (and anything else configured, though this
>> is the default). I think that a source jar is required for distribution on
>> maven central. Besides making releases on the /dist/ svn repo, there's
>> repository.apache.org which can also technically be used to download maven
>> artifacts besides MC (plus I think bintray/jcenter mirrors everything on
>> MC).
>>
>> So basically, at the bare minimum, you need the source tarball/zip on dist
>> which can be used by users to build usable artifacts from source using the
>> relevant build tools and publicly available dependencies (which of course
>> are licensed appropriately). All artifacts are signed along with at least
>> an md5 hash, but I typically also see shaN hashes along with since md5 is
>> so old and broken (maybe this policy should be updated?). And then the flow
>> from repository.apache.org to MC and elsewhere only contains the compiled
>> jars, source jars, poms, and sometimes accompanying xml artifacts or zips.
>>
>> On 3 December 2016 at 12:14, Gary Gregory <garydgregory@gmail.com> wrote:
>>
>> > On Dec 3, 2016 9:34 AM, "Charles Honton" <chas@honton.org> wrote:
>> > >
>> > > To follow up the thread on releasing parent 42 and exactly what needs
>> to
>> > signed, etc.  I’ve researched asf release policy.  Here’s the gist:
>> > >
>> > > 1. Every ASF release must contain a source package, which must be
>> > sufficient for a user to build and test the release provided they have
>> > access to the appropriate platform and tools. <
>> > http://www.apache.org/dev/release#what-must-every-release-contain>
>> > >
>> > > 2. A release isn't 'released' until the contents are in the project's
>> > distribution directory, which is a subdirectory of www.apache.org/dist/
>> <
>> > http://www.apache.org/dev/release#where-do-releases-go>.
>> > >
>> > > 3. Every artifact distributed to the public through Apache channels
>> MUST
>> > be accompanied by one file containing an OpenPGP compatible ASCII armored
>> > detached signature and another file containing an MD5 checksum. <
>> > https://www.apache.org/dev/release-distribution.html#sigs-and-sums>
>> > >
>> > > What do we consider the source package for our releases?
>> > > Are the xxx-sources.jar,  xxx-test-sources.jar, and pom sufficient to
>> > build and test the release?
>> >
>> > Nope. A sources jar is a convenience for IDEs, it usually does not
>> contain
>> > build scripts and such. I am AFK so I am hoping someone can provide an
>> > example.
>> >
>> > > Is the zip/gz just a convenience and is it still useful/required?
>> >
>> > That should contain almost everything that is in the repo except for
>> things
>> > like old files like proposal.html.
>> >
>> > > Or is it the reverse, the zip/gz is the release and the jars are the
>> > convenience distributions?
>> >
>> > Yep. The release are the zip/gz sources. All binaries are conveniences.
>> > Granted that without a Maven Central jar release, a component is not easy
>> > to reuse.
>> >
>> > Gary
>> >
>> > >
>> > > regards,
>> > > chas
>> >
>>
>>
>>
>> --
>> Matt Sicker <boards@gmail.com>
>>
>
>
>
> --
> E-Mail: garydgregory@gmail.com | ggregory@apache.org
> Java Persistence with Hibernate, Second Edition
> <https://www.amazon.com/gp/product/1617290459/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1617290459&linkCode=as2&tag=garygregory-20&linkId=cadb800f39946ec62ea2b1af9fe6a2b8>
>
> <http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1617290459>
> JUnit in Action, Second Edition
> <https://www.amazon.com/gp/product/1935182021/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182021&linkCode=as2&tag=garygregory-20&linkId=31ecd1f6b6d1eaf8886ac902a24de418%22>
>
> <http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1935182021>
> Spring Batch in Action
> <https://www.amazon.com/gp/product/1935182951/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182951&linkCode=%7B%7BlinkCode%7D%7D&tag=garygregory-20&linkId=%7B%7Blink_id%7D%7D%22%3ESpring+Batch+in+Action>
> <http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1935182951>
> Blog: http://garygregory.wordpress.com
> Home: http://garygregory.com/
> Tweet! http://twitter.com/GaryGregory

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message