openjpa-dev mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Thu, 15 May 2008 21:13:46 GMT
Ok,

How about doing something like this:
> $ find . \
>   -name m2-repository -not -path "*openjpa-project*" -exec mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy -Dsource=file://{} -Dtarget=scp://people.apache.org/home/pcl/release-candidate/1.0.0/repo/m2-ibiblio-rsync-repository \
>   -Dversion=1.0.1 \;

Then we can look at what you will do after the vote completes and  
argue about whether the artifacts are correct.

Craig

On May 15, 2008, at 12:20 PM, Patrick Linskey wrote:

>>>> What we need to vote on are the (reproducible) release artifacts:  
>>>> the source and binary distributions with asc and md5
>>>> sig/checksums; and the maven artifacts that will go into the mirrored
>>>> maven repository.
>>>
>>> Sadly, our process does not seem to support generating such an  
>>> artifact.
>>
>> Then how will the maven artifacts get published?
>>>
>>>
>>> I do not understand what you mean by "reproducible";
>>
>> Reinforcing that you should be able to create the same artifacts by  
>> running the scripts again. No manual to-and-fro should be involved.
>
> From [1], the last step in the release process is:
>
> $ find . \
>   -name m2-repository -not -path "*openjpa-project*" -exec mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy -Dsource=file://{} -Dtarget=scp://people.apache.org/www/people.apache.org/repo/m2-ibiblio-rsync-repository \
>   -Dversion=1.0.1 \;
>
> My understanding is that once that script is run, the contents are  
> uploaded to the non-snapshot mvn repository. I.e., if I were to run  
> that script, things would be released to the wild. That sounds to me  
> like something that should happen only once the release is approved,  
> and not before.
>
> So, in other words, the semi-automatic process documented at [1]  
> takes the output that I've linked to and pushes it to the mvn repo  
> directly.
>
> As I pointed out, I think that there is room for improving this  
> process. I would rather, however, cut out the mvn artifacts from the  
> 1.1.0 release than spend the next days rushing through trying to  
> learn about mvn's world view when it comes to further mvn automation.
>
>>> this was all generated in exactly the same manner as prior  
>>> (approved) OpenJPA releases, with the exception that we're now  
>>> generating md5 and asc files for more of the artifacts.
>>
>> And we have had problems with subsequent maven artifact postings,  
>> which I want to fix by having more oversight earlier.
>
> It was my understanding that the only issue that we've encountered  
> in the previous releases was the lack of signed artifacts. I believe  
> that the work that I've done addresses that. As I mentioned above,  
> since our process deploys directly to the mvn repo, I know of no way  
> to validate that that's the case. Further, I am not scared of  
> directly (manually) updating the mvn repo; I was under the  
> impression that it was the artifacts, and not the process, that  
> needed voting / approval.
>
>>> I see lots of m2-repository contents that would seem to conform to  
>>> what maven expects, but I'm no maven expert:
>>>
>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>
>> These directories are not proper maven repositories, so a subset of  
>> these artifacts then need to be copied to completely different  
>> directories. How will this be done? Why can't they be copied "now"  
>> to a temporary maven repo so they can be vetted?
>
> I have no idea what "proper maven repositories" look like.
>
> How about this: let's get rid of all the mvn artifacts from the  
> 1.1.0 release, and focus instead just on the binary and source zips.
>
> -Patrick
>
> [1] http://openjpa.apache.org/releasing-openjpa.html
>
>
> On May 15, 2008, at 12:04 PM, Craig L Russell wrote:
>
>> Hi Patrick,
>>
>> On May 15, 2008, at 11:52 AM, Patrick Linskey wrote:
>>
>>>> What we need to vote on are the (reproducible) release artifacts:  
>>>> the source and binary distributions with asc and md5
>>>> sig/checksums; and the maven artifacts that will go into the mirrored
>>>> maven repository.
>>>
>>> Sadly, our process does not seem to support generating such an  
>>> artifact.
>>
>> Then how will the maven artifacts get published?
>>>
>>>
>>> I do not understand what you mean by "reproducible";
>>
>> Reinforcing that you should be able to create the same artifacts by  
>> running the scripts again. No manual to-and-fro should be involved.
>>
>>> this was all generated in exactly the same manner as prior  
>>> (approved) OpenJPA releases, with the exception that we're now  
>>> generating md5 and asc files for more of the artifacts.
>>
>> And we have had problems with subsequent maven artifact postings,  
>> which I want to fix by having more oversight earlier.
>>>
>>>
>>> I see lots of m2-repository contents that would seem to conform to  
>>> what maven expects, but I'm no maven expert:
>>>
>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>
>> These directories are not proper maven repositories, so a subset of  
>> these artifacts then need to be copied to completely different  
>> directories. How will this be done? Why can't they be copied "now"  
>> to a temporary maven repo so they can be vetted?
>>
>> Craig
>>>
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/
>>>
>>> Does this help?
>>>
>>> -Patrick
>>>
>>> On May 15, 2008, at 10:32 AM, Craig L Russell wrote:
>>>
>>>> Hi Patrick,
>>>>
>>>> On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>> Nice job, but need a bit more to review.
>>>>>
>>>>> Thanks! I'm assuming that you mean that you can't vote +1 now,  
>>>>> but that you'll have time between now and Monday evening, right?
>>>>
>>>> Right.
>>>>>
>>>>>
>>>>>> There's a requirement that all artifacts have an md5 checksum  
>>>>>> in addition to the asc signature.
>>>>>
>>>>> Those should all be generated. In fact, it looks like we even  
>>>>> have md5 checksums of the signatures!
>>>>
>>>> In the link you sent out
>>>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>
>>>> there are only the source and binary distribution files with asc  
>>>> sigs, no md5 and no maven artifacts.
>>>>>
>>>>>
>>>>>> Since we plan to put the jar files into the global maven repo,  
>>>>>> the artifacts should be on the download site for review. The  
>>>>>> jar files also need md5 and asc signatures.
>>>>>
>>>>> Everything can be found at
>>>>> people.apache.org/www/openjpa.apache.org/builds/1.1.0.
>>>>
>>>> Everything including the kitchen sink. But there are many files  
>>>> and plain junk in that location that it's impossible for me to  
>>>> review.
>>>>>
>>>>> Also, I think it's worth noting that there are definite  
>>>>> improvements that we could make in our staging / delivery  
>>>>> process. I'd appreciate it if we didn't hold 1.1.0 hostage for  
>>>>> those changes. My understanding from Wendy's comments about the  
>>>>> last release process was that we needed more signatures; I  
>>>>> believe that the new release is sufficiently-signed. If there  
>>>>> are other improvements that we could make, I'm all for making  
>>>>> them, but would rather see non-showstopping issues get logged  
>>>>> and addressed in 1.1.1 etc.
>>>>
>>>> The problem is that with all the stuff in the builds/1.1.0  
>>>> directory it's not possible to make sense of it. Browsing the  
>>>> builds/1.1.0, there are several things that look like maven  
>>>> artifacts but they're in the wrong place, e.g.
>>>> openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0
>>>> which has an extra 1.1.0 directory and has extra files e.g.
>>>> -rw-rw-r--  1 pcl  openjpa       32 May 14 22:36 openjpa-jdbc-1.1.0.jar.asc.md5
>>>> (generally it's not required to checksum a signature;-).
>>>>
>>>> So there's a non-trivial step between the artifacts that you've  
>>>> pointed to and the actual release that we propose to mirror to  
>>>> the world. And there's no PMC oversight possible for that
>>>> non-trivial step.
>>>>
>>>> What we need to vote on are the (reproducible) release artifacts:  
>>>> the source and binary distributions with asc and md5
>>>> sig/checksums; and the maven artifacts that will go into the mirrored
>>>> maven repository.
>>>>
>>>> Craig
>>>>>
>>>>>
>>>>> -Patrick
>>>>>
>>>>> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>>>>>
>>>>>> Hi Patrick,
>>>>>>
>>>>>> Nice job, but need a bit more to review.
>>>>>>
>>>>>> There's a requirement that all artifacts have an md5 checksum  
>>>>>> in addition to the asc signature.
>>>>>>
>>>>>> Since we plan to put the jar files into the global maven repo,  
>>>>>> the artifacts should be on the download site for review. The  
>>>>>> jar files also need md5 and asc signatures.
>>>>>>
>>>>>> Craig
>>>>>>
>>>>>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>>>>>
>>>>>>> OpenJPA Developers-
>>>>>>>
>>>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>
>>>>>>> Please review these artifacts and signatures, and vote whether we
>>>>>>> should release them as Apache OpenJPA version 1.1.0. Release notes
>>>>>>> for this release are included in the artifact, or can be  
>>>>>>> browsed at:
>>>>>>>
>>>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>>>>>
>>>>>>> The Apache Release Audit Tool has been run on the release, and no
>>>>>>> missing licenses were found with the exceptions listed in the
>>>>>>> exclusion section of the "rat-maven-plugin" configuration in
>>>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml .
>>>>>>>
>>>>>>> In accordance with
>>>>>>> http://www.apache.org/foundation/voting.html#ReleaseVotes ,
>>>>>>> three +1 votes will be sufficient to
>>>>>>> approve the release for publication. While it is not possible to veto
>>>>>>> a release, the vote will remain open for the standard 3 day period
>>>>>>> (ending at 11:30pm Pacific on Monday 5/19) in order to allow people to
>>>>>>> thoroughly review the release and perform whatever additional testing
>>>>>>> they desire and raise any concerns or objections.
>>>>>>>
>>>>>>> A vote of "+1" means you approve of the release for  
>>>>>>> publication, "-1"
>>>>>>> means you do not approve, and a "+0" or "-0" means you are  
>>>>>>> neutral.
>>>>>>>
>>>>>>> Thanks in advance for your diligence in helping to ensure that the
>>>>>>> quality of the OpenJPA 1.1.0 release reflects the high quality of all
>>>>>>> of its contributors!
>>>>>>>
>>>>>>> -Patrick
>>>>>>>
>>>>>>> -- 
>>>>>>> Patrick Linskey
>>>>>>> 202 669 5907
>>>>>>>
>>>>>>
>>>>>> Craig Russell
>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>
>>>>>
>>>>> -- 
>>>>> Patrick Linskey
>>>>> 202 669 5907
>>>>>
>>>>
>>>> Craig Russell
>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>> P.S. A good JDO? O, Gasp!
>>>>
>>>
>>> -- 
>>> Patrick Linskey
>>> 202 669 5907
>>>
>>
>> Craig Russell
>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>> 408 276-5638 mailto:Craig.Russell@sun.com
>> P.S. A good JDO? O, Gasp!
>>
>
> -- 
> Patrick Linskey
> 202 669 5907
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!
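
Added example (not part of the original message or of the OpenJPA release scripts): a pre-vote audit of a staged repository tree for the requirement discussed in this thread, that every artifact carries an asc signature and an md5 checksum, which also flags stray files such as the openjpa-jdbc-1.1.0.jar.asc.md5 mentioned above. It assumes GNU md5sum and checks .asc files for presence only (no gpg verification); the function names and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit a staged Maven repository tree before a release vote.
# Assumes md5sum (GNU coreutils); .asc files are checked for presence only.

# Emit one finding per line for every file under the directory $1.
scan_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        case "$f" in
            *.asc.md5|*.asc.sha1)
                # A checksum of a signature is not a release artifact.
                echo "EXTRA $f" ;;
            *.asc|*.md5|*.sha1)
                # A sidecar file must sit next to the artifact it describes.
                [ -f "${f%.*}" ] || echo "ORPHAN $f" ;;
            *)
                [ -f "$f.asc" ] || echo "NO-SIG $f"
                if [ ! -f "$f.md5" ]; then
                    echo "NO-MD5 $f"
                else
                    # The .md5 file may hold just the digest or "digest  name".
                    want=$(awk 'NR==1 {print tolower($1)}' "$f.md5")
                    have=$(md5sum < "$f" | awk '{print $1}')
                    [ "$want" = "$have" ] || echo "BAD-MD5 $f"
                fi ;;
        esac
    done
}

# Print the findings; return 0 when the tree is clean, 1 otherwise.
audit_staged_repo() {
    findings=$(scan_tree "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: a jar with .asc and matching .md5, plus a stray .asc.md5.
demo=$(mktemp -d)
printf 'jar bytes' > "$demo/openjpa-jdbc-1.1.0.jar"
md5sum < "$demo/openjpa-jdbc-1.1.0.jar" | awk '{print $1}' > "$demo/openjpa-jdbc-1.1.0.jar.md5"
printf 'sig' > "$demo/openjpa-jdbc-1.1.0.jar.asc"
printf 'x' > "$demo/openjpa-jdbc-1.1.0.jar.asc.md5"
audit_staged_repo "$demo" || true
rm -rf "$demo"
```

Run against a real staging directory with `audit_staged_repo path/to/m2-repository`; a non-zero return means at least one finding was printed.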

