geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henk P. Penning" <he...@cs.uu.nl>
Subject Re: Bad 2.2.1 release
Date Wed, 05 Jan 2011 08:19:22 GMT
On Wed, 5 Jan 2011, Shawn Jiang wrote:

> Date: Wed, 5 Jan 2011 15:25:35 +0800
> From: Shawn Jiang <genspring@gmail.com>
> To: dev@geronimo.apache.org, Henk Penning <henkp@apache.org>
> Subject: Re: Bad 2.2.1 release
> 
> Hi Henk,
>
> We just updated the geronimo 2.2.1 artifacts in
> /www/www.apache.org/dist/geronimo/.   Do you know if  they could be be
> synchronized to other mirrors automatically ?

Hi Shawn Jiang,

   everything in 'people.apache.org:/www/www.apache.org/dist' is
   automatically synced to the apache rsync-servers every hour,
   where the mirrors will pick it up. So, yes, certainly.

   I noticed that the md5's of some geronimo artifacts have changed
   (since Sat Dec 11 15:17:22 2010) ; see

     http://people.apache.org/~henkp/checker/md5.html

   The sigs are good, but they are made with a key that is only
   self-signed, so it could be easily forged. Your release
   managers should have keys that are in the apache web-of-trust,
   that is, signed by at least a few other apache people.

   Groeten,

   HPP

> On Wed, Jan 5, 2011 at 2:40 PM, Rex Wang <rwonly@gmail.com> wrote:
>> I have re-uploaded all the correct 2.2.1 artifacts to dist.
>> Will they be automatically sync to all mirrors?
>>
>> -Rex
>>
>> 2011/1/5 Shawn Jiang <genspring@gmail.com>
>>>
>>> Sorry,  I uploaded the versions to dist in my machine.  It contains
>>> the  bad openejb 3.1.4 release which was downloaded when I used the
>>> staging one to run tck.
>>>
>>> Because Maven won't download the release artifacts again if there's
>>> local one.   To avoid this kind of problems in the future,  we should
>>> add a step in the release process to delete local repo before starting
>>> the release.
>>>
>>> This time, Luckily,  Rex could help upload the right geronimo
>>> artifacts in his local machine to dist again to fix this.
>>>
>>> On Wed, Jan 5, 2011 at 12:47 PM, Rex Wang <rwonly@gmail.com> wrote:
>>>> Verified.
>>>>
>>>> the one
>>>>
>>>> http://repo2.maven.org/maven2/org/apache/geronimo/assemblies/geronimo-tomcat6-javaee5/2.2.1/geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz
>>>> is correct.
>>>>
>>>> So we need replace the wrong one in dist.
>>>>
>>>> -Rex
>>>>
>>>> 2011/1/5 Rex Wang <rwonly@gmail.com>
>>>>>
>>>>> I remember I did clean the local repo before making 221 release
>>>>> artifacts.
>>>>> I checked the openejb-core in my local repo and it is the one of 12
>>>>> Nov,
>>>>> so I think the
>>>>>
>>>>> http://www.apache.org/dist/geronimo/2.2.1/geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz
>>>>> might be different from the one in maven public repo which promoted
>>>>> from
>>>>> staging repo
>>>>>
>>>>> http://repo2.maven.org/maven2/org/apache/geronimo/assemblies/geronimo-tomcat6-javaee5/2.2.1/geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz
>>>>>
>>>>> I am downloading it to verify...
>>>>>
>>>>> -Rex
>>>>>
>>>>> 2011/1/5 Kevan Miller <kevan.miller@gmail.com>
>>>>>>
>>>>>> On Jan 4, 2011, at 4:44 PM, David Blevins wrote:
>>>>>>
>>>>>>> Looks like our 2.2.1 release does not contain the final OpenEJB
>>>>>>> 3.1.4
>>>>>>> binaries and instead contains older binaries from a release vote
>>>>>>> that never
>>>>>>> passed.
>>>>>>>
>>>>>>> $ cd /tmp
>>>>>>> $ wget -q
>>>>>>>
>>>>>>> http://www.apache.org/dist/geronimo/2.2.1/geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz
>>>>>>> $ tar xzf geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz
>>>>>>> $ jar tvf
>>>>>>>
>>>>>>> /tmp/geronimo-tomcat6-javaee5-2.2.1/repository/org/apache/openejb/openejb-core/3.1.4/openejb-core-3.1.4.jar
>>>>>>> | tail
>>>>>>>   562 Sun Oct 31 21:28:14 PDT 2010 org/openejb/OpenEJB.class
>>>>>>>  7379 Sun Oct 31 21:28:10 PDT 2010 schema/openejb-jar.xsd
>>>>>>>  6545 Sun Oct 31 21:28:10 PDT 2010 schema/openejb.xsd
>>>>>>>  2882 Sun Oct 31 21:28:10 PDT 2010 schema/service-jar.xsd
>>>>>>>    32 Sun Oct 31 21:28:10 PDT 2010 users.properties
>>>>>>>     0 Sun Oct 31 21:33:30 PDT 2010 META-INF/maven/
>>>>>>>     0 Sun Oct 31 21:33:30 PDT 2010
>>>>>>> META-INF/maven/org.apache.openejb/
>>>>>>>     0 Sun Oct 31 21:33:30 PDT 2010
>>>>>>> META-INF/maven/org.apache.openejb/openejb-core/
>>>>>>> 14964 Sun Oct 31 20:57:22 PDT 2010
>>>>>>> META-INF/maven/org.apache.openejb/openejb-core/pom.xml
>>>>>>>   115 Sun Oct 31 21:33:30 PDT 2010
>>>>>>> META-INF/maven/org.apache.openejb/openejb-core/pom.properties
>>>>>>>
>>>>>>> $ wget -q -U Maven
>>>>>>>
>>>>>>> http://repo1.maven.org/maven2/org/apache/openejb/openejb-core/3.1.4/openejb-core-3.1.4.jar
>>>>>>> $ jar tvf openejb-core-3.1.4.jar | tail
>>>>>>>   562 Fri Nov 12 15:32:08 PST 2010 org/openejb/OpenEJB.class
>>>>>>>  7379 Fri Nov 12 15:32:06 PST 2010 schema/openejb-jar.xsd
>>>>>>>  6545 Fri Nov 12 15:32:06 PST 2010 schema/openejb.xsd
>>>>>>>  2882 Fri Nov 12 15:32:06 PST 2010 schema/service-jar.xsd
>>>>>>>    32 Fri Nov 12 15:32:06 PST 2010 users.properties
>>>>>>>     0 Fri Nov 12 15:32:14 PST 2010 META-INF/maven/
>>>>>>>     0 Fri Nov 12 15:32:14 PST 2010
>>>>>>> META-INF/maven/org.apache.openejb/
>>>>>>>     0 Fri Nov 12 15:32:14 PST 2010
>>>>>>> META-INF/maven/org.apache.openejb/openejb-core/
>>>>>>> 14964 Fri Nov 12 15:12:40 PST 2010
>>>>>>> META-INF/maven/org.apache.openejb/openejb-core/pom.xml
>>>>>>>   115 Fri Nov 12 15:32:12 PST 2010
>>>>>>> META-INF/maven/org.apache.openejb/openejb-core/pom.properties
>>>>>>>
>>>>>>>
>>>>>>> Unfortunately that old openejb-3.1.4 binary contains this bug:
>>>>>>>
>>>>>>>  https://issues.apache.org/jira/browse/OPENEJB-1394
>>>>>>>
>>>>>>> We'll definitely need another 2.2.x release of some kind.  Whether
>>>>>>> or
>>>>>>> not we want to include any other fixes is probably a good discussion
>>>>>>> to
>>>>>>> have.
>>>>>>
>>>>>> Yep. Thanks for finding that... Seems like we need to update our
>>>>>> release
>>>>>> process to include a "delete your local maven repository" step...
Or
>>>>>> some
>>>>>> other precaution to prevent this from happening.
>>>>>>
>>>>>> --kevan
>>>>>
>>>>>
>>>>> --
>>>>> Lei Wang (Rex)
>>>>> rwonly AT apache.org
>>>>
>>>>
>>>>
>>>> --
>>>> Lei Wang (Rex)
>>>> rwonly AT apache.org
>>>>
>>>
>>>
>>>
>>> --
>>> Shawn
>>
>>
>>
>> --
>> Lei Wang (Rex)
>> rwonly AT apache.org
>>
>
>
>
> -- 
> Shawn
>

---------------------------------------------------------   _
Henk P. Penning, ICT-beta              R Uithof WISK-412  _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Budapestlaan 6, 3584CD Utrecht, NL     F +31 30 253 4553 \_/ \_/
http://people.cs.uu.nl/henkp/          M penning@cs.uu.nl  \_/
Mime
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message