incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Grobmeier <grobme...@gmail.com>
Subject Re: [VOTE] Release Apache Onami-Logging 3.4.0-incubating
Date Sun, 03 Feb 2013 20:26:24 GMT
On Sat, Feb 2, 2013 at 10:19 PM, Branko ─îibej <brane@apache.org> wrote:
> On 02.02.2013 21:36, Branko ─îibej wrote:
>> On 23.01.2013 14:48, Simone Tripodi wrote:
>>> SVN source tag
>>> https://svn.apache.org/repos/asf/incubator/onami/tags/org.apache.onami.logging.parent-3.4.0-incubating/
>>>
>>> Staging repo:
>>> https://repository.apache.org/content/repositories/orgapacheonami-150/
>> Since when do source packages not have to be on dist.apache.org?

We copy to dist after the vote is successful.
Our process is very similar to the one Commons uses:
http://wiki.apache.org/commons/UsingNexus

Our document is:
http://onami.incubator.apache.org/committers/release-howto.html


> Just to be clear, in the case of Onami Logging, reviewers are  asked to
> find the right package amongst 8 different source packages in 8
> different directories.

What do you mean with "right"? They all are "right", because they
contain different sources and we want to release them all.

> Initially I thought that the logging-parent.zip would be enough to
> verify the release; but the notice files in the various module-specific
> source jar files aren't identical to the one in the repository. At that
> point I stopped looking.

We made different packages for different use cases - not everybody
wants to include the log4j2 appender when he is using commons-logging.
Of course this strategy can be discussed on our mailinglist, as there
are some people who prefer bigger "all inclusive" jars. But for now,
we have that fragmentation.

That said, reviewers should -imho- look at all artifacts, not only the
source artifacts. I look also into the javadoc artifacts.

> In other words, the reason you're not getting votes from the IPMC is
> that it's well-nigh impossible for an outsider to verify the release
> artefacts.

Impossible? I have to disagree. One can:

wget -r -l 1 -np -nH -nd -nv -e robots=off --wait 10
--no-check-certificate
https://repository.apache.org/content/repositories/orgapacheonami-150/

and easily gets all files.

One can use Ivans Gist:
https://gist.github.com/3504123

or use this:
http://www.grobmeier.de/checking-md5-and-signatures-with-a-shell-script-29062011.html

to check sigs, hashes etc.

We have RAT to help looking at many formal aspects.

So there is a lot of helpers which make it possible to review that release.

I mean, what are you proposing? That a podling makes releases in a way
they can be easily verified by the IPMC? Should we cancel the vote now
and prepare one big fat file for easy review?

Cheers
Christian




>
> -- Brane
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>



--
http://www.grobmeier.de
https://www.timeandbill.de

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message