From: Charles Honton
Subject: [ALL] Changing the commons process
Date: Fri, 23 Dec 2016 12:54:14 -0800
To: Commons Developers List

Several recent email threads have discussed our parent pom and release process. The process we have derives from Apache Commons’ rich history which pre-dates many current distribution practices. I’d like to summarize several quirks with our current releases:

The official release source tarball contains just the sources, not all the project files. Building the artifact from just the src directory without the pom would be extremely difficult.

The commons parent pom attaches the source tarball to the maven release for the side effects of signing/checksumming the source tarball. This induces a manual step of removing the source tarballs from the staging repository.

We publish convenience binaries to https://www.apache.org/dist/commons/XXX/binaries. I doubt anyone consumes these binaries. Most developers use Maven Central. Extremely security-conscious downstream projects consume the distribution source tarballs.

The distribution artifacts are doubled in size by providing both .zip and tar.gz versions.

Slightly different artifacts are published to Apache Distribution Site vs Maven Central.

Now the questions:

1. Are there any concerns with publishing the source and source-test jars produced by maven-source-plugin as the official distribution artifacts? This would make the official distribution artifacts published to https://www.apache.org/dist/commons/XXX/source the same as the convenience source artifacts published to Maven Central.

2. Are there concerns with not publishing the convenience binaries to https://www.apache.org/dist/commons/XXX/binaries? Alternatively, are there concerns with using the jar produced by maven-jar-plugin as the convenience binary artifact? This would make the convenience binary artifact published to https://www.apache.org/dist/commons/XXX/binaries the same as the convenience binary artifacts published to Maven Central.

Some background information to help contemplate these questions:

When releasing a package, Apache Commons publishes the official source tarball at https://www.apache.org/dist/commons/XXX/source. The Apache Release Policy and Release Signing Policy require:

“Every ASF release must contain a source package, which must be sufficient for a user to build and test the release provided they have access to the appropriate platform and tools”

“Every artifact distributed to the public through Apache channels MUST be accompanied by one file containing an OpenPGP compatible ASCII armored detached signature and another file containing an MD5 checksum.” (.asc file and .md5 file)

Apache Commons also distributes convenience binaries at https://www.apache.org/dist/commons/XXX/binaries. These convenience binaries must also be signed and checksummed.

For even more convenience, Apache Commons also publishes packages to Maven Central. Maven Central policy requires:

“Projects with packaging other than pom have to supply JAR files that contain Javadoc and sources.”

“All files deployed need to be signed with GPG/PGP and a .asc file containing the signature must be included for each file.”

A pom file with
Correct Coordinates
Project Name, Description and URL
License Information
Developer Information
SCM Information