openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Linskey <plins...@gmail.com>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Thu, 15 May 2008 18:52:02 GMT
> What we need to vote on are the (reproducible) release artifacts:  
> the source and binary distributions with asc and md5 sig/checksums;  
> and the maven artifacts that will go into the mirrored maven  
> repository.

Sadly, our process does not seem to support generating such an artifact.

I do not understand what you mean by "reproducible"; this was all  
generated in exactly the same manner as prior (approved) OpenJPA  
releases, with the exception that we're now generating md5 and asc  
files for more of the artifacts.

I see lots of m2-repository contents that would seem to conform to  
what maven expects, but I'm no maven expert:

http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/

http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/

Does this help?

-Patrick

On May 15, 2008, at 10:32 AM, Craig L Russell wrote:

> Hi Patrick,
>
> On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
>
>> Hi,
>>
>>> Nice job, but need a bit more to review.
>>
>> Thanks! I'm assuming that you mean that you can't vote +1 now, but  
>> that you'll have time between now and Monday evening, right?
>
> Right.
>>
>>
>>> There's a requirement that all artifacts have an md5 checksum in  
>>> addition to the asc signature.
>>
>> Those should all be generated. In fact, it looks like we even have  
>> md5 checksums of the signatures!
>
> In the link you sent out
>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>
> there are only the source and binary distribution files with asc  
> sigs, no md5 and no maven artifacts.
>>
>>
>>> Since we plan to put the jar files into the global maven repo, the  
>>> artifacts should be on the download site for review. The jar files  
>>> also need md5 and asc signatures.
>>
>> Everything can be found at people.apache.org/www/openjpa.apache.org/ 
>> builds/1.1.0.
>
> Everything including the kitchen sink. But there are many files and  
> plain junk in that location that it's impossible for me to review.
>>
>> Also, I think it's worth noting that there are definite  
>> improvements that we could make in our staging / delivery process.  
>> I'd appreciate it if we didn't hold 1.1.0 hostage for those  
>> changes. My understanding from Wendy's comments about the last  
>> release process was that we needed more signatures; I believe that  
>> the new release is sufficiently-signed. If there are other  
>> improvements that we could make, I'm all for making them, but would  
>> rather see non-showstopping issues get logged and addressed in  
>> 1.1.1 etc.
>
> The problem is that with all the stuff in the builds/1.1.0 directory  
> it's not possible to make sense of it. Browsing the builds/1.1.0,  
> there are several things that look like maven artifacts but they're  
> in the wrong place, e.g. openjpa-jdbc/m2-repository/org/apache/ 
> openjpa/openjpa-jdbc/1.1.0 which has an extra 1.1.0 directory and  
> has extra files e.g. -rw-rw-r--  1 pcl  openjpa       32 May 14  
> 22:36 openjpa-jdbc-1.1.0.jar.asc.md5 (generally it's not required to  
> checksum a signature;-).
>
> So there's a non-trivial step between the artifacts that you've  
> pointed to and the actual release that we propose to mirror to the  
> world. And there's no PMC oversight possible for that non-trivial  
> step.
>
> What we need to vote on are the (reproducible) release artifacts:  
> the source and binary distributions with asc and md5 sig/checksums;  
> and the maven artifacts that will go into the mirrored maven  
> repository.
>
> Craig
>>
>>
>> -Patrick
>>
>> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>>
>>> Hi Patrick,
>>>
>>> Nice job, but need a bit more to review.
>>>
>>> There's a requirement that all artifacts have an md5 checksum in  
>>> addition to the asc signature.
>>>
>>> Since we plan to put the jar files into the global maven repo, the  
>>> artifacts should be on the download site for review. The jar files  
>>> also need md5 and asc signatures.
>>>
>>> Craig
>>>
>>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>>
>>>> OpenJPA Developers-
>>>>
>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>
>>>> Please review these artifacts and signatures, and vote whether we
>>>> should release them as Apache OpenJPA version 1.1.0. Release notes
>>>> for this release are included in the artifact, or can be browsed  
>>>> at:
>>>>
>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>>
>>>> The Apache Release Audit Tool has been run on the release, and no
>>>> missing licenses were found with the exceptions listed in the
>>>> exclusion section of the "rat-maven-plugin" configuration in  
>>>> http://
>>>> svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml .
>>>>
>>>> In accordance with http://www.apache.org/foundation/
>>>> voting.html#ReleaseVotes , three +1 votes will be sufficient to
>>>> approve the release for publication. While it is not possible to  
>>>> veto
>>>> a release, the vote will remain open for the standard 3 day period
>>>> (ending at 11:30pm Pacific on Monday 5/19) in order to allow  
>>>> people to
>>>> thoroughly review the release and perform whatever additional  
>>>> testing
>>>> they desire and raise any concerns or objections.
>>>>
>>>> A vote of "+1" means you approve of the release for publication,  
>>>> "-1"
>>>> means you do not approve, and a "+0" or "-0" means you are neutral.
>>>>
>>>> Thanks in advance for your diligence in helping to ensure that the
>>>> quality of the OpenJPA 1.1.0 release reflects the high quality of  
>>>> all
>>>> of its contributors!
>>>>
>>>> -Patrick
>>>>
>>>> -- 
>>>> Patrick Linskey
>>>> 202 669 5907
>>>>
>>>
>>> Craig Russell
>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>> P.S. A good JDO? O, Gasp!
>>>
>>
>> -- 
>> Patrick Linskey
>> 202 669 5907
>>
>
> Craig Russell
> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>

-- 
Patrick Linskey
202 669 5907


Mime
View raw message