gearpump-dev mailing list archives

From Andrew Purtell <apurt...@apache.org>
Subject Re: release about ready
Date Thu, 30 Jun 2016 22:38:38 GMT
What I see done customarily is tagging of release candidates as e.g.
"0.8.1RC0" with a subsequent push of that tag.

$ git tag -m"0.8.1RC0" 0.8.1RC0
$ git push --tags


Once a candidate is voted to become a release, then add another tag in the
permanent rel/ namespace, e.g.

$ git checkout 0.8.1RC0
$ git tag -m"0.8.1" rel/0.8.1
$ git push --tags



On Thu, Jun 30, 2016 at 3:34 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:

> Andy
>
> Quick question based on mnemonic's VOTE (
>
> http://mail-archives.apache.org/mod_mbox/incubator-general/201605.mbox/%3C573CE75B.5030404%40apache.org%3E
> )
> It looks like both the commit hash and tag need to be committed in
> git-wip-us.apache.org. IMO this seems to be a bit of the chicken vs egg
> conundrum.
> Committing a tag and hash before VOTE means these may need to be reapplied
> if the VOTE fails.
> I assume this is ok (someone not knowing a VOTE was in progress could
> checkout by TAG which could change later if the VOTE fails).
>
> Kam
>
>
> On Thu, Jun 30, 2016 at 2:47 PM, Andrew Purtell <apurtell@apache.org>
> wrote:
>
> > Sounds like great progress. Let's start a candidate release vote!
> >
> > I'll give it a good looking over before casting my vote.
> >
> > We have a long holiday weekend coming up in the US. You might want to
> > extend the vote beyond the customary 72 hours into next week.
> >
> >
> > On Thu, Jun 30, 2016 at 2:44 PM, Kam Kasravi <kamkasravi@gmail.com> wrote:
> >
> >> Hi Andy
> >>
> >> I've updated KEYS and files in RC0 with updates as suggested (see
> >> https://dist.apache.org/repos/dist/dev/incubator/gearpump/)
> >> Updates include:
> >>
> >> KEYS file now includes code signing key
> >>
> >> LICENSE file now includes SIL Font license
> >>
> >> NOTICE file looks to be complete for source only release
> >>
> >> Rat tool is run as part of a bash script in dev-tools (assumes RAT has
> >> been built in a peer directory). It has been run and noted files have had
> >> the apache 2.0 license added (mostly .js, .html files)
> >>
> >> Shaded libraries are now included as part of the build and not included
> >> from elsewhere
> >>
> >> Repos providing commercial derivatives of apache projects (eg cloudera)
> >> have been replaced with the apache repo:
> >> https://repository.apache.org/content/repositories
> >>
> >> For later releases which include binary artifacts, it's clear that we'll
> >> need separate LICENSE, NOTICE files for each artifact. For this source
> >> release I think we're getting fairly close. If the updates check out by you
> >> I can start a candidate release vote.
> >>
> >> Thanks
> >> Kam
> >>
> >> On Tue, Jun 28, 2016 at 11:06 AM, Kam Kasravi <kamkasravi@gmail.com>
> >> wrote:
> >>
> >>> We'll add the rat tool as part of prepping the release.
> >>>
> >>> On Mon, Jun 27, 2016 at 5:43 PM, Andrew Purtell <apurtell@apache.org>
> >>> wrote:
> >>>
> >>>> > You can run 'sbt dumpLicenseReport', which runs the equivalent of
> >>>> > the RAT tool.
> >>>>
> >>>> I don't think so. Apache RAT does more than just report on licenses, it
> >>>> checks for Apache specific release policy compliance. Or did you mean that
> >>>> sbt's dumpLicenseReport is actually set up in your project to run Apache
> >>>> RAT?
> >>>>
> >>>> On Mon, Jun 27, 2016 at 5:23 PM, Kam Kasravi <kamkasravi@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Thanks Andy for going through RC0! Comments inline. I'll update and
> >>>>> upload back under RC0.
> >>>>>
> >>>>> > - I imported the KEYS file but then failed to find the signing key.
> >>>>> >
> >>>>> > gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> >>>>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> >>>>> > gpg: Can't check signature: public key not found
> >>>>> >
> >>>>> > - recv-key E7DE27E3 worked
> >>>>> >
> >>>>> > gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
> >>>>> > gpg: Total number processed: 1
> >>>>> > gpg:               imported: 1  (RSA: 1)
> >>>>> >
> >>>>> > - And now the signature check passes
> >>>>> >
> >>>>> > gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> >>>>> > gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
> >>>>> > gpg: WARNING: This key is not certified with a trusted signature!
> >>>>> > gpg:          There is no indication that the signature belongs to the owner.
> >>>>> > Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
> >>>>> >
> >>>>> > I encourage Kam and everyone to go to an ApacheCon or the meetups of
> >>>>> > other projects and get your keys signed by other Apache folks. Yes, I
> >>>>> > should take my own advice... my code signing key has the same issue.
> >>>>> >
> >>>>> > - MD5 and SHA1 checksum files match file sums
> >>>>> >
> >>>>>
> >>>>> [Kam] I've updated KEYS to include the CODE SIGNING KEY. I also
> >>>>> updated our release shell script so it can also verify the signed artifacts
> >>>>> (dev-tools/create_apache_source_release.sh).
> >>>>>
> >>>>> > - Archive unpacks and layout looks good
> >>>>> >
> >>>>> > - LICENSE file looks ok, except maybe the text of the SIL Open Font
> >>>>> > License is missing?
> >>>>>
> >>>>> [Kam] I'll add this.
> >>>>>
> >>>>> >
> >>>>> > - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> >>>>> > file, its contents must be analyzed and the relevant portions bubbled up
> >>>>> > into the top-level NOTICE file."
> >>>>> > (http://www.apache.org/dev/licensing-howto.html) We don't want to add
> >>>>> > anything here not legally required, though. I'm assuming you went through
> >>>>> > all of your dependencies and checked if they have anything in a NOTICE
> >>>>> > file? If not let's do that.
> >>>>>
> >>>>> [Kam] For the source release I didn't - but best to do it now so
> >>>>> subsequent binary artifacts are correctly handled.
> >>>>>
> >>>>> >
> >>>>> > - I can't find build instructions on the website (eg.
> >>>>> > http://gearpump.incubator.apache.org/how-to-contribute.html). They
> >>>>> > are in the README.md, however.  How does one invoke 'sbt' such that it will
> >>>>> > also run the Apache RAT tool?
> >>>>>
> >>>>> [Kam] You can run 'sbt dumpLicenseReport', which runs the equivalent
> >>>>> of the RAT tool. The sbt plugin is here
> >>>>> https://github.com/sbt/sbt-license-report. I've updated the README.md.
> >>>>>
> >>>>> >
> >>>>> > - What is
> >>>>> > http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> >>>>> > ? I'm not sure this will be fatal to the release candidate but this is
> >>>>> > something that needs to be fixed. At the least it should be hosted on
> >>>>> > Apache infrastructure somewhere. Ideally, the shading and staging of
> >>>>> > gs-collections can be made part of the build so no need for a custom
> >>>>> > artifact of gs-collections just for gearpump. Same for
> >>>>> > gearpump-shaded-akka-kyro and anything like this I may have missed.
> >>>>>
> >>>>> [Kam] Flink also includes shaded jars. I'll follow their example.
> >>>>>
> >>>>> >
> >>>>> > - Some code builds against a downstream commercial derivative of
> >>>>> > an Apache project, hosted on a third party repository. You should not be
> >>>>> > doing this. If you depend on Hadoop, build against an Apache released
> >>>>> > version of Hadoop.
> >>>>>
> >>>>> [Kam] Got it. I'll update our Build.scala, rerun
> >>>>> 'sbt dumpLicenseReport' and reverify.
> >>>>>
> >>>>> >
> >>>>> > When ready to start a release candidate vote, Mnemonic recently
> >>>>> > ran a vote, you can use that as an example.
> >>>>> >
> >>>>> > Vote thread: https://s.apache.org/NqCu
> >>>>> >
> >>>>> > Result: https://s.apache.org/wERS
> >>>>>
> >>>>> On Mon, Jun 27, 2016 at 3:52 PM, Andrew Purtell <apurtell@apache.org>
> >>>>> wrote:
> >>>>>
> >>>>>> Kam posted artifacts for 0.8.1 RC0 and asked me to take a look at
> >>>>>> them. Here are my notes:
> >>>>>>
> >>>>>> - I imported the KEYS file but then failed to find the signing key.
> >>>>>>
> >>>>>> gpg --verify gearpump-0.8.1-incubating-src.tgz.asc gearpump-0.8.1-incubating-src.tgz
> >>>>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> >>>>>> gpg: Can't check signature: public key not found
> >>>>>>
> >>>>>>
> >>>>>> - recv-key E7DE27E3 worked
> >>>>>>
> >>>>>> gpg: key E7DE27E3: public key "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>" imported
> >>>>>> gpg: Total number processed: 1
> >>>>>> gpg:               imported: 1  (RSA: 1)
> >>>>>>
> >>>>>>
> >>>>>> - And now the signature check passes
> >>>>>>
> >>>>>> gpg: Signature made Fri 24 Jun 2016 03:07:40 PM PDT using RSA key ID E7DE27E3
> >>>>>> gpg: Good signature from "Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>"
> >>>>>> gpg: WARNING: This key is not certified with a trusted signature!
> >>>>>> gpg:          There is no indication that the signature belongs to the owner.
> >>>>>> Primary key fingerprint: 4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3
> >>>>>>
> >>>>>> I encourage Kam and everyone to go to an ApacheCon or the meetups of
> >>>>>> other projects and get your keys signed by other Apache folks. Yes, I
> >>>>>> should take my own advice... my code signing key has the same issue.
> >>>>>>
> >>>>>>
> >>>>>> - MD5 and SHA1 checksum files match file sums
> >>>>>>
> >>>>>> - Archive unpacks and layout looks good
> >>>>>>
> >>>>>> - LICENSE file looks ok, except maybe the text of the SIL Open Font
> >>>>>> License is missing?
> >>>>>>
> >>>>>> - Is the NOTICE file complete? "If the dependency supplies a NOTICE
> >>>>>> file, its contents must be analyzed and the relevant portions bubbled up
> >>>>>> into the top-level NOTICE file."
> >>>>>> (http://www.apache.org/dev/licensing-howto.html) We don't want to add
> >>>>>> anything here not legally required, though. I'm assuming you went through
> >>>>>> all of your dependencies and checked if they have anything in a NOTICE
> >>>>>> file? If not let's do that.
> >>>>>>
> >>>>>> - I can't find build instructions on the website (eg.
> >>>>>> http://gearpump.incubator.apache.org/how-to-contribute.html). They
> >>>>>> are in the README.md, however.  How does one invoke 'sbt' such that it will
> >>>>>> also run the Apache RAT tool?
> >>>>>>
> >>>>>> - What is
> >>>>>> http://dl.bintray.com/fvunicorn/maven/org/apache/gearpump/gearpump-shaded-gs-collections/6.2.0/gearpump-shaded-gs-collections-6.2.0.jar
> >>>>>> ? I'm not sure this will be fatal to the release candidate but this is
> >>>>>> something that needs to be fixed. At the least it should be hosted on
> >>>>>> Apache infrastructure somewhere. Ideally, the shading and staging of
> >>>>>> gs-collections can be made part of the build so no need for a custom
> >>>>>> artifact of gs-collections just for gearpump. Same for
> >>>>>> gearpump-shaded-akka-kyro and anything like this I may have missed.
> >>>>>>
> >>>>>> - Some code builds against a downstream commercial derivative of an
> >>>>>> Apache project, hosted on a third party repository. You should not be doing
> >>>>>> this. If you depend on Hadoop, build against an Apache released version of
> >>>>>> Hadoop.
> >>>>>>
> >>>>>> When ready to start a release candidate vote, Mnemonic recently ran a
> >>>>>> vote, you can use that as an example.
> >>>>>>
> >>>>>> Vote thread: https://s.apache.org/NqCu
> >>>>>>
> >>>>>> Result: https://s.apache.org/wERS
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Best regards,
> >>>>
> >>>>    - Andy
> >>>>
> >>>> Problems worthy of attack prove their worth by hitting back. - Piet
> >>>> Hein (via Tom White)
> >>>>
> >>>
> >>>
> >>
> >
> >
> > --
> > Best regards,
> >
> >    - Andy
> >
> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> > (via Tom White)
> >
>



-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)
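
The signature check discussed in this thread, as an added example that is not part of the original message or of the Gearpump release scripts: it pins the full fingerprint printed in the gpg output above and reads gpg's `--status-fd` lines, so a key fetched by its short ID is accepted only when its full fingerprint matches. The helper name `check_sig_status` and the three status samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release signature only for the pinned fingerprint.

# Fingerprint exactly as printed in the thread; spaces are stripped below.
PINNED_FPR="4FF1 FDB7 1079 F43F 132D  FBBB 5806 2555 E7DE 27E3"

# check_sig_status EXPECTED_FPR   (reads `gpg --status-fd 1 --verify` output on stdin)
# Hypothetical helper: returns 0 only if a VALIDSIG line ends with EXPECTED_FPR
# and no line reports a bad, unverifiable, expired or revoked signature.
check_sig_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # The last VALIDSIG field is the primary key; $3 may be a signing subkey.
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed status output: the key is in the keyring and the signature verifies.
sample_good() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 58062555E7DE27E3 Kam Kasravi (CODE SIGNING KEY) <kamkasravi@apache.org>
[GNUPG:] VALIDSIG 4FF1FDB71079F43F132DFBBB58062555E7DE27E3 2016-06-24 1466806060 0 4 0 1 2 00 4FF1FDB71079F43F132DFBBB58062555E7DE27E3
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed: the first attempt in the thread, before the key was available.
sample_missing_key() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 58062555E7DE27E3 1 2 00 1466806060 9
[GNUPG:] NO_PUBKEY 58062555E7DE27E3
EOF
}

# Constructed: a valid signature from some other key whose made-up fingerprint
# ends in the same eight hex digits as the short ID E7DE27E3.
sample_other_key() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAE7DE27E3 Constructed Key <someone@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE7DE27E3 2016-06-24 1466806060 0 4 0 1 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE7DE27E3
EOF
}

# Real use: gpg --status-fd 1 --verify gearpump-0.8.1-incubating-src.tgz.asc \
#     gearpump-0.8.1-incubating-src.tgz 2>/dev/null | check_sig_status "$PINNED_FPR"
```

`TRUST_UNDEFINED` is the status form of the "not certified with a trusted signature" warning quoted in the thread; the helper does not treat it as a failure because the check rests on the pinned fingerprint.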
