openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Fri, 16 May 2008 21:31:33 GMT
Hi Patrick,

On May 16, 2008, at 12:25 PM, Patrick Linskey wrote:

>> ...

>> 4. missing .asc files for .jar and .pom
>
> When I added the code that Wendy provided, it generated .sha files  
> and did not generate .asc files. I've been operating under the  
> assumption that her code snippet is generating satisfactory output.  
> Do we have any clear guidance for what output is necessary from that  
> code?

 From her message, it seems that the .asc files should be generated.  
Lack of the .asc files was, I thought, one of her comments last time  
we released.

And it appears that the missing .asc files are the only current issue  
with the artifacts.

Craig
>
> Thanks,
>
> -Patrick
>
> On May 16, 2008, at 12:06 PM, Craig L Russell wrote:
>
>> Hi Patrick,
>>
>> Thanks for doing that. The results don't match my expectations for  
>> a properly organized maven2 repository.
>>
>> I'm not an expert in maven, but this structure doesn't look like  
>> the one you're copying into.
>>
>> Could someone from maven take a look? What looks fishy to me is
>>
>> 1. the extra openjpa-xxx and 1.1.0 directories
>> 2. the lack of jars and poms directories in the repository
>> 3. unnecessary .sha files for .jar and .pom
>> 4. missing .asc files for .jar and .pom
>> 5. extra maven-metadata.xml files
>>
>> This doesn't require another vote because the artifacts are not at  
>> issue; the packaging is. Once the packaging is straightened out  
>> we're good.
>>
>> Craig
>>
>> On May 15, 2008, at 3:16 PM, Patrick Linskey wrote:
>>
>>> Done. You can browse the results at http://people.apache.org/~pcl/release-candidates/1.1.0/repo/m2-ibiblio-rsync-repository

>>> , or look at it on people.apache.org at ~pcl/public_html/release- 
>>> candidates/1.1.0/repo/m2-ibiblio-rsync-repository.
>>>
>>> -Patrick
>>>
>>> On May 15, 2008, at 2:13 PM, Craig L Russell wrote:
>>>
>>>> Ok,
>>>>
>>>> How about doing something like this:
>>>>> $ find . \ -name m2-repository -not -path "*openjpa-project*" - 
>>>>> exec mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy - 
>>>>> Dsource=file://{} -Dtarget=scp://people.apache.org/home/pcl/ 
>>>>> release-candidate/1.0.0/repo/m2-ibiblio-rsync-repository \ - 
>>>>> Dversion=1.0.1 \;
>>>>
>>>> Then we can look at what you will do after the vote completes and  
>>>> argue about whether the artifacts are correct.
>>>>
>>>> Craig
>>>>
>>>> On May 15, 2008, at 12:20 PM, Patrick Linskey wrote:
>>>>
>>>>>>>> What we need to vote on are the (reproducible) release  
>>>>>>>> artifacts: the source and binary distributions with asc and
 
>>>>>>>> md5 sig/checksums; and the maven artifacts that will go into
 
>>>>>>>> the mirrored maven repository.
>>>>>>>
>>>>>>> Sadly, our process does not seem to support generating such an
 
>>>>>>> artifact.
>>>>>>
>>>>>> Then how will the maven artifacts get published?
>>>>>>>
>>>>>>>
>>>>>>> I do not understand what you mean by "reproducible";
>>>>>>
>>>>>> Reinforcing that you should be able to create the same  
>>>>>> artifacts by running the scripts again. No manual to-and-fro  
>>>>>> should be involved.
>>>>>
>>>>> From [1], the last step in the release process is:
>>>>>
>>>>> $ find . \ -name m2-repository -not -path "*openjpa-project*" - 
>>>>> exec mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy - 
>>>>> Dsource=file://{} -Dtarget=scp://people.apache.org/www/ 
>>>>> people.apache.org/repo/m2-ibiblio-rsync-repository \ - 
>>>>> Dversion=1.0.1 \;
>>>>>
>>>>> My understanding is that once that script is run, the contents  
>>>>> are uploaded to the non-snapshot mvn repository. I.e., if I were  
>>>>> to run that script, things would be released to the wild. That  
>>>>> sounds to me like something that should happen only once the  
>>>>> release is approved, and not before.
>>>>>
>>>>> So, in other words, the semi-automatic process documented at [1]  
>>>>> takes the output that I've linked to and pushes it to the mvn  
>>>>> repo directly.
>>>>>
>>>>> As I pointed out, I think that there is room for improving this  
>>>>> process. I would rather, however, cut out the mvn artifacts from  
>>>>> the 1.1.0 release than spend the next days rushing through  
>>>>> trying to learn about mvn's world view when it comes to further  
>>>>> mvn automation.
>>>>>
>>>>>>> this was all generated in exactly the same manner as prior  
>>>>>>> (approved) OpenJPA releases, with the exception that we're now
 
>>>>>>> generating md5 and asc files for more of the artifacts.
>>>>>>
>>>>>> And we have had problems with subsequent maven artifact  
>>>>>> postings, which I want to fix by having more oversight earlier.
>>>>>
>>>>> It was my understanding that the only issue that we've  
>>>>> encountered in the previous releases was the lack of signed  
>>>>> artifacts. I believe that the work that I've done addresses  
>>>>> that. As I mentioned above, since our process deploys directly  
>>>>> to the mvn repo, I know of no way to validate that that's the  
>>>>> case. Further, I am not scared of directly (manually) updating  
>>>>> the mvn repo; I was under the impression that it was the  
>>>>> artifacts, and not the process, that needed voting / approval.
>>>>>
>>>>>>> I see lots of m2-repository contents that would seem to  
>>>>>>> conform to what maven expects, but I'm no maven expert:
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>>>>>
>>>>>> These directories are not proper maven repositories, so a  
>>>>>> subset of these artifacts then need to be copied to completely  
>>>>>> different directories. How will this be done? Why can't they be 

>>>>>> copied "now" to a temporary maven repo so they can be vetted?
>>>>>
>>>>> I have no idea what "proper maven repositories" look like.
>>>>>
>>>>> How about this: let's get rid of all the mvn artifacts from the  
>>>>> 1.1.0 release, and focus instead just on the binary and source  
>>>>> zips.
>>>>>
>>>>> -Patrick
>>>>>
>>>>> [1] http://openjpa.apache.org/releasing-openjpa.html
>>>>>
>>>>>
>>>>> On May 15, 2008, at 12:04 PM, Craig L Russell wrote:
>>>>>
>>>>>> Hi Patrick,
>>>>>>
>>>>>> On May 15, 2008, at 11:52 AM, Patrick Linskey wrote:
>>>>>>
>>>>>>>> What we need to vote on are the (reproducible) release  
>>>>>>>> artifacts: the source and binary distributions with asc and
 
>>>>>>>> md5 sig/checksums; and the maven artifacts that will go into
 
>>>>>>>> the mirrored maven repository.
>>>>>>>
>>>>>>> Sadly, our process does not seem to support generating such an
 
>>>>>>> artifact.
>>>>>>
>>>>>> Then how will the maven artifacts get published?
>>>>>>>
>>>>>>>
>>>>>>> I do not understand what you mean by "reproducible";
>>>>>>
>>>>>> Reinforcing that you should be able to create the same  
>>>>>> artifacts by running the scripts again. No manual to-and-fro  
>>>>>> should be involved.
>>>>>>
>>>>>>> this was all generated in exactly the same manner as prior  
>>>>>>> (approved) OpenJPA releases, with the exception that we're now
 
>>>>>>> generating md5 and asc files for more of the artifacts.
>>>>>>
>>>>>> And we have had problems with subsequent maven artifact  
>>>>>> postings, which I want to fix by having more oversight earlier.
>>>>>>>
>>>>>>>
>>>>>>> I see lots of m2-repository contents that would seem to  
>>>>>>> conform to what maven expects, but I'm no maven expert:
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>>>>>
>>>>>> These directories are not proper maven repositories, so a  
>>>>>> subset of these artifacts then need to be copied to completely  
>>>>>> different directories. How will this be done? Why can't they be 

>>>>>> copied "now" to a temporary maven repo so they can be vetted?
>>>>>>
>>>>>> Craig
>>>>>>>
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/
>>>>>>>
>>>>>>> Does this help?
>>>>>>>
>>>>>>> -Patrick
>>>>>>>
>>>>>>> On May 15, 2008, at 10:32 AM, Craig L Russell wrote:
>>>>>>>
>>>>>>>> Hi Patrick,
>>>>>>>>
>>>>>>>> On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>> Nice job, but need a bit more to review.
>>>>>>>>>
>>>>>>>>> Thanks! I'm assuming that you mean that you can't vote
+1  
>>>>>>>>> now, but that you'll have time between now and Monday
 
>>>>>>>>> evening, right?
>>>>>>>>
>>>>>>>> Right.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> There's a requirement that all artifacts have an
md5  
>>>>>>>>>> checksum in addition to the asc signature.
>>>>>>>>>
>>>>>>>>> Those should all be generated. In fact, it looks like
we  
>>>>>>>>> even have md5 checksums of the signatures!
>>>>>>>>
>>>>>>>> In the link you sent out
>>>>>>>>>>> A candidate build for OpenJPA 1.1.0 is available
at:
>>>>>>>>>>>
>>>>>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>>>>
>>>>>>>> there are only the source and binary distribution files with
 
>>>>>>>> asc sigs, no md5 and no maven artifacts.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Since we plan to put the jar files into the global
maven  
>>>>>>>>>> repo, the artifacts should be on the download site
for  
>>>>>>>>>> review. The jar files also need md5 and asc signatures.
>>>>>>>>>
>>>>>>>>> Everything can be found at people.apache.org/www/ 
>>>>>>>>> openjpa.apache.org/builds/1.1.0.
>>>>>>>>
>>>>>>>> Everything including the kitchen sink. But there are many
 
>>>>>>>> files and plain junk in that location that it's impossible
 
>>>>>>>> for me to review.
>>>>>>>>>
>>>>>>>>> Also, I think it's worth noting that there are definite
 
>>>>>>>>> improvements that we could make in our staging / delivery
 
>>>>>>>>> process. I'd appreciate it if we didn't hold 1.1.0 hostage
 
>>>>>>>>> for those changes. My understanding from Wendy's comments
 
>>>>>>>>> about the last release process was that we needed more
 
>>>>>>>>> signatures; I believe that the new release is sufficiently-

>>>>>>>>> signed. If there are other improvements that we could
make,  
>>>>>>>>> I'm all for making them, but would rather see non- 
>>>>>>>>> showstopping issues get logged and addressed in 1.1.1
etc.
>>>>>>>>
>>>>>>>> The problem is that with all the stuff in the builds/1.1.0
 
>>>>>>>> directory it's not possible to make sense of it. Browsing
the  
>>>>>>>> builds/1.1.0, there are several things that look like maven
 
>>>>>>>> artifacts but they're in the wrong place, e.g. openjpa-jdbc/

>>>>>>>> m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0 which
has  
>>>>>>>> an extra 1.1.0 directory and has extra files e.g. -rw-rw-r--
  
>>>>>>>> 1 pcl  openjpa       32 May 14 22:36 openjpa- 
>>>>>>>> jdbc-1.1.0.jar.asc.md5 (generally it's not required to  
>>>>>>>> checksum a signature;-).
>>>>>>>>
>>>>>>>> So there's a non-trivial step between the artifacts that
 
>>>>>>>> you've pointed to and the actual release that we propose
to  
>>>>>>>> mirror to the world. And there's no PMC oversight possible
 
>>>>>>>> for that non-trivial step.
>>>>>>>>
>>>>>>>> What we need to vote on are the (reproducible) release  
>>>>>>>> artifacts: the source and binary distributions with asc and
 
>>>>>>>> md5 sig/checksums; and the maven artifacts that will go into
 
>>>>>>>> the mirrored maven repository.
>>>>>>>>
>>>>>>>> Craig
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -Patrick
>>>>>>>>>
>>>>>>>>> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>>>>>>>>>
>>>>>>>>>> Hi Patrick,
>>>>>>>>>>
>>>>>>>>>> Nice job, but need a bit more to review.
>>>>>>>>>>
>>>>>>>>>> There's a requirement that all artifacts have an
md5  
>>>>>>>>>> checksum in addition to the asc signature.
>>>>>>>>>>
>>>>>>>>>> Since we plan to put the jar files into the global
maven  
>>>>>>>>>> repo, the artifacts should be on the download site
for  
>>>>>>>>>> review. The jar files also need md5 and asc signatures.
>>>>>>>>>>
>>>>>>>>>> Craig
>>>>>>>>>>
>>>>>>>>>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>>>>>>>>>
>>>>>>>>>>> OpenJPA Developers-
>>>>>>>>>>>
>>>>>>>>>>> A candidate build for OpenJPA 1.1.0 is available
at:
>>>>>>>>>>>
>>>>>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>>>>>
>>>>>>>>>>> Please review these artifacts and signatures,
and vote  
>>>>>>>>>>> whether we
>>>>>>>>>>> should release them as Apache OpenJPA version
1.1.0.  
>>>>>>>>>>> Release notes
>>>>>>>>>>> for this release are included in the artifact,
or can be  
>>>>>>>>>>> browsed at:
>>>>>>>>>>>
>>>>>>>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>>>>>>>>>
>>>>>>>>>>> The Apache Release Audit Tool has been run on
the release,  
>>>>>>>>>>> and no
>>>>>>>>>>> missing licenses were found with the exceptions
listed in  
>>>>>>>>>>> the
>>>>>>>>>>> exclusion section of the "rat-maven-plugin" configuration
 
>>>>>>>>>>> in http://
>>>>>>>>>>> svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml
.
>>>>>>>>>>>
>>>>>>>>>>> In accordance with http://www.apache.org/foundation/
>>>>>>>>>>> voting.html#ReleaseVotes , three +1 votes will
be  
>>>>>>>>>>> sufficient to
>>>>>>>>>>> approve the release for publication. While it
is not  
>>>>>>>>>>> possible to veto
>>>>>>>>>>> a release, the vote will remain open for the
standard 3  
>>>>>>>>>>> day period
>>>>>>>>>>> (ending at 11:30pm Pacific on Monday 5/19) in
order to  
>>>>>>>>>>> allow people to
>>>>>>>>>>> thoroughly review the release and perform whatever
 
>>>>>>>>>>> additional testing
>>>>>>>>>>> they desire and raise any concerns or objections.
>>>>>>>>>>>
>>>>>>>>>>> A vote of "+1" means you approve of the release
for  
>>>>>>>>>>> publication, "-1"
>>>>>>>>>>> means you do not approve, and a "+0" or "-0"
means you are  
>>>>>>>>>>> neutral.
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance for your diligence in helping
to ensure  
>>>>>>>>>>> that the
>>>>>>>>>>> quality of the OpenJPA 1.1.0 release reflects
the high  
>>>>>>>>>>> quality of all
>>>>>>>>>>> of its contributors!
>>>>>>>>>>>
>>>>>>>>>>> -Patrick
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Patrick Linskey
>>>>>>>>>>> 202 669 5907
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Craig Russell
>>>>>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Patrick Linskey
>>>>>>>>> 202 669 5907
>>>>>>>>>
>>>>>>>>
>>>>>>>> Craig Russell
>>>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> Patrick Linskey
>>>>>>> 202 669 5907
>>>>>>>
>>>>>>
>>>>>> Craig Russell
>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>
>>>>>
>>>>> -- 
>>>>> Patrick Linskey
>>>>> 202 669 5907
>>>>>
>>>>
>>>> Craig Russell
>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>> P.S. A good JDO? O, Gasp!
>>>>
>>>
>>> -- 
>>> Patrick Linskey
>>> 202 669 5907
>>>
>>
>> Craig Russell
>> Architect, Sun Java Enterprise System http://java.sun.com/products/ 
>> jdo
>> 408 276-5638 mailto:Craig.Russell@sun.com
>> P.S. A good JDO? O, Gasp!
>>
>
> -- 
> Patrick Linskey
> 202 669 5907
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Mime
View raw message