From: Richard Hirsch
To: esme-dev@incubator.apache.org
Date: Wed, 17 Feb 2010 16:22:01 +0100
Subject: Re: [VOTE] Approve the release of apache-esme-incubating-1.0

Working on the problem with signing the release and I'm getting the same
problem that Bertrand describes. Maybe it is a difference between using SHA1
and SHA512...

I verified it and it looks OK:

C:\Program Files\GNU\GnuPG>gpg --verify apache-esme-1-0-0-incubating.src.tar.gz.asc apache-esme-1-0-0-incubating.src.tar.gz
gpg: Unterschrift vom 02/17/10 15:48:32 mittels RSA-Schlüssel ID 6FACF917
gpg: Korrekte Unterschrift von "Richard Hirsch (CODE SIGNING KEY) <rhirsch@apache.org>"

I signed the release with the following commands:

gpg --armor --output apache-esme-1-0-0-incubating.src.tar.gz.asc --detach-sig apache-esme-1-0-0-incubating.src.tar.gz

gpg --print-md SHA512 apache-esme-1-0-0-incubating.src.tar.gz > apache-esme-1-0-0-incubating.src.tar.gz.sha

gpg --print-md MD5 apache-esme-1-0-0-incubating.src.tar.gz > apache-esme-1-0-0-incubating.src.tar.gz.md5

What I don't know how to do is verify using MD5 or SHA? I found this sentence
in the "Signing Releases" Apache document:

"MD5 and SHA checksums provide a simple means of verifying the integrity of a
download. You can simply create a checksum (in the same way as the release
manager) after download, and compare the result to the checksum downloaded
from the main Apache site."

but I have no idea how it is done.

The contents of the files are

* output apache-esme-1-0-0-incubating.src.tar.gz.asc:

* apache-esme-1-0-0-incubating.src.tar.gz.sha

apache-esme-1-0-0-incubating.src.tar.gz: 771A97EB 34FD26C1 D431E4EA D7D4FC4C
3971DB42 F50B0B66 C32D601F 70D450FB
06F73667 8E118141 5A83C40A 84C1ABDF
808551DC 10949049 1962C634 FFBFAE69

* apache-esme-1-0-0-incubating.src.tar.gz.md5

apache-esme-1-0-0-incubating.src.tar.gz: 8E 43 0D DF F8 FE 15 9B 22 47 C2 C0 CC 30 21 2C

I then used this command:

openssl sha1 apache-esme-1-0-0-incubating.src.tar.gz
SHA1(apache-esme-1-0-0-incubating.src.tar.gz)= e87405b0df026fde41c65c31c11b8026ca06687d

Does somebody have a clue if I'm doing something wrong...

Thanks.

D.

On Tue, Feb 16, 2010 at 5:28 PM, Bertrand Delacretaz wrote:

> Hi,
>
> On Mon, Feb 15, 2010 at 4:05 PM, Richard Hirsch wrote:
> > ...The candidate can be found at:
> > http://people.apache.org/~rhirsch/esme/
>
> Unfortunately I'm -1 on the release, I have a few issues including a
> GPL dependency.
>
> 1) jwebunit dependency is GPL
> The server module depends on
>
> net.sourceforge.jwebunit:jwebunit-htmlunit-plugin:jar:1.4.1:test
>
> which according to http://jwebunit.sourceforge.net/license.html is GPL.
>
> 2) The sha1 digest does not match, did I do something wrong?
>
> $ openssl sha1 apache-esme-incubating-1.0-src.tar.gz
> SHA1(apache-esme-incubating-1.0-src.tar.gz)= a9ec8d95266d5944d493392a06eb1651c03222f1
>
> $ cat apache-esme-incubating-1.0-src.tar.gz.sha
> apache-esme-incubating-1.0-src.tar.gz: A53494C8 55474CE3 5AC20516 C2448CB6
> 64B3B76C 747BA64A FFC9A836 EDAB8D86
> 4E0735CC AA29ACA9 07767C58 D1C0FEDA
> CA7E73A3 ADA3944D 464314B2 4BE0E476
>
> 3) mvn dependency:analyze of the server module shows lots of unused
> declared dependencies, those should be cleaned up, especially
> openDMK:jdmkrt:jar which according to https://opendmk.dev.java.net/ is
> either GPL or CDDL license. Not sure which parts of OpenDMK are which
> license, but as it's unused better remove it.
>
> 4) When trying to build esme-java-client with "mvn clean install" I
> get "Embedded error: Error while executing the external compiler" if
> JAVA_HOME is not set.
>
> 5) apache-esme-incubating-1.0-src.tar.gz contains .svn folders, it
> should not have that. You could have created the release using svn
> export of
> http://svn.apache.org/repos/asf/incubator/esme/tags/apache-esme-1.0-incubating/
> to avoid that.
>
> 6) I couldn't find license information for the
> com.twitter:stats:jar:1.3:compile dependency, was that checked to be
> ok?
>
> Sorry that I didn't have time to look at that during the ESME podling vote.
>
> Apart from the GPL dependency the release preparation looks mostly ok,
> rat reports are good, license/notice are provided, etc.
>
> -Bertrand
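
The checksum comparison discussed in this thread, as an added example that is not code from the thread or from the Apache project: the digest length in a checksum file identifies the algorithm (the quoted .sha file holds 128 hex digits, which is SHA-512, so an `openssl sha1` result cannot match it), and the artifact is rehashed with that algorithm. The function names and the length-to-algorithm table are assumptions of this example.

```python
import hashlib
import hmac
import re

# Hex digest length -> hashlib algorithm name (assumption of this example).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Checksum text quoted in the message above (gpg --print-md and openssl output).
PAGE_SHA_FILE = """apache-esme-1-0-0-incubating.src.tar.gz: 771A97EB 34FD26C1 D431E4EA D7D4FC4C
 3971DB42 F50B0B66 C32D601F 70D450FB 06F73667 8E118141 5A83C40A 84C1ABDF
 808551DC 10949049 1962C634 FFBFAE69"""
PAGE_OPENSSL = "SHA1(apache-esme-1-0-0-incubating.src.tar.gz)= e87405b0df026fde41c65c31c11b8026ca06687d"


def parse_checksum_text(text):
    """Return (filename or None, algorithm, lowercase hex digest)."""
    text = text.strip()
    m = re.match(r"^[\w-]+\((.+)\)=\s*(.+)$", text, re.S)
    if m:                          # openssl dgst: "SHA1(name)= hex"
        name, digest = m.group(1), m.group(2)
    elif ":" in text:              # gpg --print-md: "name: HEX HEX ..." (may wrap)
        name, digest = text.rsplit(":", 1)
    else:                          # coreutils "hex  name", or a bare digest
        digest, _, name = text.partition(" ")
    digest = re.sub(r"\s+", "", digest).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a recognised MD5/SHA-1/SHA-256/SHA-512 digest")
    return name.strip(" *") or None, ALGO_BY_HEX_LEN[len(digest)], digest


def verify(path, checksum_text):
    """Hash `path` with the algorithm the checksum implies; return (algo, ok)."""
    _, algo, expected = parse_checksum_text(checksum_text)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return algo, hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    import sys
    # Usage: python verify_checksum.py <artifact> <checksum-file>
    with open(sys.argv[2], encoding="ascii") as fh:
        algo, ok = verify(sys.argv[1], fh.read())
    print(f"{algo}: {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

A matching checksum only shows the download equals what the checksum file describes; the detached `.asc` signature check with `gpg --verify` is what ties the artifact to the release manager's key.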