maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stephen Connolly <stephen.alan.conno...@gmail.com>
Subject Re: [VOTE] Release Maven 3.1.1
Date Mon, 09 Sep 2013 19:56:55 GMT
On 8 September 2013 18:51, Jason van Zyl <jason@tesla.io> wrote:

>
> On Sep 8, 2013, at 1:12 PM, sebb <sebbaz@gmail.com> wrote:
>
> > I thought you were going to include the SCM coordinates used to create
> > the tarballs?
> >
>
> Sorry, not intentional. I forgot.
>
> > It's particularly important here, because AFAICT the SCM coordinates
> > are not present in the POM.
> > If true, then it's not possible to verify the files in the source
> tarballs.
> >
>
> I hash is always in the distribution, it's how we show where it comes from
> when you type "mvn -v". It's in the build properties in the core JAR and
> the hash in there is:
>
> c9950d777c7368e51431500c29aecf1e11e3d2c6
>

Is that the SHA1 of the src.zip and src.tar.gz or is it the SHA1 of the git
commit.

What we are looking for on the vote emails is the SHA1 and MD5 of the
src.zip and src.tar.gz so that interested parties can verify that the vote
was against the source distribution that ends up in dist and central. Since
the staging repository is deleted as part of the release process, and since
what the PMC is voting on is the source bundles, we need the vote email to
specify the hashes of the source bundle *for the record*...

Of course this is really easy to do as Maven helpfully uploads the hashes
to the staging repository, but since "it didn't happen if it wasn't on a
mailing list" (stephenc rolls his eyes) we need the release manager to
ensure that the vote has this required information.

Note: The commit hash is really nice to have, but is not part of the
minimum set of required information, and we are trying to stick to minimum
procedure. So we don't look for that *even* if other people think we should.


>
> > Also, AFAIK, the PMC agreed to include hashes of the tarballs in vote
> e-mails?
> >
> > On 8 September 2013 14:07, Jason van Zyl <jason@tesla.io> wrote:
> >> Hi,
> >>
> >> Here is a link to Jira with 6 issues resolved:
> >>
> https://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=10500&version=18968
> >>
> >> Staging repo:
> >> https://repository.apache.org/content/repositories/maven-016/
> >>
> >> The distributable binaries and sources for testing can be found here:
> >>
> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/
> >>
> >> Specifically the zip, tarball, and source archives can be found here:
> >>
> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-bin.zip
> >>
> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-bin.tar.gz
> >>
> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-src.zip
> >>
> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-src.tar.gz
> >>
> >> Vote open for 72 hours.
> >>
> >> [ ] +1
> >> [ ] +0
> >> [ ] -1
> >>
> >> Thanks,
> >>
> >> The Maven Team
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > For additional commands, e-mail: dev-help@maven.apache.org
> >
>
> Thanks,
>
> Jason
>
> ----------------------------------------------------------
> Jason van Zyl
> Founder,  Apache Maven
> http://twitter.com/jvanzyl
> ---------------------------------------------------------
>
>
>
>
>
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message