creadur-dev mailing list archives

From Stian Soiland-Reyes <st...@apache.org>
Subject Re: [VOTE] Release Apache Rat 0.12 RC1
Date Fri, 27 May 2016 22:12:35 GMT
I disagree that -src and -bin should not be in the Maven repo; that
is now common practice across many Apache projects, and it can also be
helpful for downstream projects that need to embed the distribution
somehow.

It is also a structured way to provide distributions, while our dist
archives are just semi-structured by convention, not to mention the fact
that older releases are only accessible from archive.apache.org -- this
means there is not a single permalink for a given release (as we don't want
to recommend users to primarily download from archive).

To me it also gives a very easy way to confirm the Maven repo matches the
dist files - they should have the same checksums. Then we can reasonably
assume that the corresponding JARs are also from the very same build as
they are presumably uploaded in one go with the Release plugin and assume
the Release Manager has acted faithfully and used the regular release
process (typically Release plugin).

Of course Creadur could try to add a tool for more formal verification that
the JARs and binaries match the source (or even have a forced rebuild from
-src). I think Apache could benefit from such a tool, as most downstream
users pull JARs blindly from Maven, while they are often not tested at all
from a staging repository during Apache projects' Release Candidate
testing, and could potentially contain, say, malware inserted by a virus or
be faulty because of a particular compiler setup.

On 27 May 2016 6:52 p.m., "sebb" <sebbaz@gmail.com> wrote:

-1

The NOTICE file refers to 2014 rather than 2016.
Have there really been no substantive changes since 2014?

The tag contains two different RN files:

RELEASE-NOTES.txt
RELEASE_NOTES.txt

At least one of them is likely to be wrong.

As mentioned elsethread, the KEYS file must be referenced from

http[s]://www.apache.org/dist/creadur/KEYS


Also, I don't believe the following has any place in the Maven repo

https://repository.apache.org/content/repositories/orgapachecreadur-1002/org/apache/rat/apache-rat/0.12/

Or at least the -src and -bin archives seem out of place for Maven Central.


On 27 May 2016 at 15:18, Jochen Wiedmann <jochen.wiedmann@gmail.com> wrote:
> Forgot the SVN Tag:
>
> http://svn.apache.org/repos/asf/creadur/rat/tags/apache-rat-project-0.12-RC1/
>
>
> On Fri, May 27, 2016 at 4:09 PM, Jochen Wiedmann
> <jochen.wiedmann@gmail.com> wrote:
>> Proposed distribution:
>>
>>   https://dist.apache.org/repos/dist/dev/creadur/apache-rat-0.12RC1/
>>
>> Proposed KEYS:
>>
>>   https://dist.apache.org/repos/dist/dev/creadur/apache-rat-0.12RC1/KEYS
>>
>> Proposed site:
>>
>>   http://home.apache.org/~jochen/site-rat-0.12RC1/
>>
>> Proposed Maven repository:
>>
>>   https://repository.apache.org/content/repositories/orgapachecreadur-1002
>>
>> Vote is open for 72 hours, as usual.
>>
>>
>> Jochen
>>
>>
>> --
>> The next time you hear: "Don't reinvent the wheel!"
>>
>> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>
>
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

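The checksum comparison described in the message above (dist files against the copies in the Maven staging repository), as an added example that is not part of the original thread or of any Apache tooling. It assumes both sets of files have already been downloaded into two local directories; the function names and the `example-1.0-*` file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SIDECARS = (".asc", ".md5", ".sha1", ".sha256", ".sha512")

def sha512_of(path):
    """Stream the file through SHA-512 so large archives are not read whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def archives(directory, markers=("-src.", "-bin.")):
    """Map file name -> path for -src/-bin archives, skipping signature and checksum sidecars."""
    return {p.name: p for p in Path(directory).iterdir()
            if p.is_file() and not p.name.endswith(SIDECARS)
            and any(m in p.name for m in markers)}

def compare_release_dirs(dist_dir, maven_dir):
    """Return {file name: 'match' | 'MISMATCH' | 'dist-only' | 'maven-only'}."""
    dist, maven = archives(dist_dir), archives(maven_dir)
    report = {}
    for name in sorted(dist.keys() | maven.keys()):
        if name not in maven:
            report[name] = "dist-only"
        elif name not in dist:
            report[name] = "maven-only"
        elif sha512_of(dist[name]) == sha512_of(maven[name]):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report

def demo():
    """Build two constructed directories (placeholder bytes, not real releases) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        dist, maven = Path(tmp, "dist"), Path(tmp, "maven")
        dist.mkdir()
        maven.mkdir()
        (dist / "example-1.0-src.tar.gz").write_bytes(b"source archive")
        (maven / "example-1.0-src.tar.gz").write_bytes(b"source archive")
        (dist / "example-1.0-bin.zip").write_bytes(b"binary archive")
        (maven / "example-1.0-bin.zip").write_bytes(b"binary archive, rebuilt")
        (maven / "example-1.0-bin.zip.sha1").write_text("sidecar, ignored")
        (dist / "example-1.0-bin.tar.gz").write_bytes(b"binary tarball")
        return compare_release_dirs(dist, maven)
```

Matching digests show only that the two copies are byte-identical; the signature check against the project's KEYS file is still what ties either copy to the release manager.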