openjpa-dev mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Thu, 15 May 2008 19:04:05 GMT

Hi Patrick,

On May 15, 2008, at 11:52 AM, Patrick Linskey wrote:

>> What we need to vote on are the (reproducible) release artifacts:  
>> the source and binary distributions with asc and md5 sig/checksums;  
>> and the maven artifacts that will go into the mirrored maven  
>> repository.
>
> Sadly, our process does not seem to support generating such an  
> artifact.

Then how will the maven artifacts get published?
>
>
> I do not understand what you mean by "reproducible";

Reinforcing that you should be able to create the same artifacts by  
running the scripts again. No manual to-and-fro should be involved.

> this was all generated in exactly the same manner as prior  
> (approved) OpenJPA releases, with the exception that we're now  
> generating md5 and asc files for more of the artifacts.

And we have had problems with subsequent maven artifact postings,  
which I want to fix by having more oversight earlier.
>
>
> I see lots of m2-repository contents that would seem to conform to  
> what maven expects, but I'm no maven expert:
>
> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/

These directories are not proper maven repositories, so a subset of  
these artifacts then need to be copied to completely different  
directories. How will this be done? Why can't they be copied "now" to  
a temporary maven repo so they can be vetted?

Craig
>
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/
>
> http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/
>
> Does this help?
>
> -Patrick
>
> On May 15, 2008, at 10:32 AM, Craig L Russell wrote:
>
>> Hi Patrick,
>>
>> On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
>>
>>> Hi,
>>>
>>>> Nice job, but need a bit more to review.
>>>
>>> Thanks! I'm assuming that you mean that you can't vote +1 now, but  
>>> that you'll have time between now and Monday evening, right?
>>
>> Right.
>>>
>>>
>>>> There's a requirement that all artifacts have an md5 checksum in  
>>>> addition to the asc signature.
>>>
>>> Those should all be generated. In fact, it looks like we even have  
>>> md5 checksums of the signatures!
>>
>> In the link you sent out
>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>
>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>
>> there are only the source and binary distribution files with asc  
>> sigs, no md5 and no maven artifacts.
>>>
>>>
>>>> Since we plan to put the jar files into the global maven repo,  
>>>> the artifacts should be on the download site for review. The jar  
>>>> files also need md5 and asc signatures.
>>>
>>> Everything can be found at
>>> people.apache.org/www/openjpa.apache.org/builds/1.1.0.
>>
>> Everything including the kitchen sink. But there are many files and  
>> plain junk in that location that it's impossible for me to review.
>>>
>>> Also, I think it's worth noting that there are definite  
>>> improvements that we could make in our staging / delivery process.  
>>> I'd appreciate it if we didn't hold 1.1.0 hostage for those  
>>> changes. My understanding from Wendy's comments about the last  
>>> release process was that we needed more signatures; I believe that  
>>> the new release is sufficiently-signed. If there are other  
>>> improvements that we could make, I'm all for making them, but  
>>> would rather see non-showstopping issues get logged and addressed  
>>> in 1.1.1 etc.
>>
>> The problem is that with all the stuff in the builds/1.1.0  
>> directory it's not possible to make sense of it. Browsing the  
>> builds/1.1.0, there are several things that look like maven  
>> artifacts but they're in the wrong place, e.g.
>> openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0
>> which has an extra 1.1.0 directory and has extra files e.g.
>> -rw-rw-r--  1 pcl  openjpa       32 May 14 22:36 openjpa-jdbc-1.1.0.jar.asc.md5
>> (generally it's not required to checksum a signature;-).
>>
>> So there's a non-trivial step between the artifacts that you've  
>> pointed to and the actual release that we propose to mirror to the  
>> world. And there's no PMC oversight possible for that non-trivial  
>> step.
>>
>> What we need to vote on are the (reproducible) release artifacts:  
>> the source and binary distributions with asc and md5 sig/checksums;  
>> and the maven artifacts that will go into the mirrored maven  
>> repository.
>>
>> Craig
>>>
>>>
>>> -Patrick
>>>
>>> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>>>
>>>> Hi Patrick,
>>>>
>>>> Nice job, but need a bit more to review.
>>>>
>>>> There's a requirement that all artifacts have an md5 checksum in  
>>>> addition to the asc signature.
>>>>
>>>> Since we plan to put the jar files into the global maven repo,  
>>>> the artifacts should be on the download site for review. The jar  
>>>> files also need md5 and asc signatures.
>>>>
>>>> Craig
>>>>
>>>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>>>
>>>>> OpenJPA Developers-
>>>>>
>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>
>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>
>>>>> Please review these artifacts and signatures, and vote whether we
>>>>> should release them as Apache OpenJPA version 1.1.0. Release notes
>>>>> for this release are included in the artifact, or can be browsed  
>>>>> at:
>>>>>
>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>>>
>>>>> The Apache Release Audit Tool has been run on the release, and no
>>>>> missing licenses were found with the exceptions listed in the
>>>>> exclusion section of the "rat-maven-plugin" configuration in  
>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml .
>>>>>
>>>>> In accordance with
>>>>> http://www.apache.org/foundation/voting.html#ReleaseVotes ,
>>>>> three +1 votes will be sufficient to
>>>>> approve the release for publication. While it is not possible to  
>>>>> veto
>>>>> a release, the vote will remain open for the standard 3 day period
>>>>> (ending at 11:30pm Pacific on Monday 5/19) in order to allow  
>>>>> people to
>>>>> thoroughly review the release and perform whatever additional  
>>>>> testing
>>>>> they desire and raise any concerns or objections.
>>>>>
>>>>> A vote of "+1" means you approve of the release for publication,  
>>>>> "-1"
>>>>> means you do not approve, and a "+0" or "-0" means you are  
>>>>> neutral.
>>>>>
>>>>> Thanks in advance for your diligence in helping to ensure that the
>>>>> quality of the OpenJPA 1.1.0 release reflects the high quality  
>>>>> of all
>>>>> of its contributors!
>>>>>
>>>>> -Patrick
>>>>>
>>>>> -- 
>>>>> Patrick Linskey
>>>>> 202 669 5907
>>>>>
>>>>
>>>> Craig Russell
>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>> P.S. A good JDO? O, Gasp!
>>>>
>>>
>>> -- 
>>> Patrick Linskey
>>> 202 669 5907
>>>
>>
>> Craig Russell
>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>> 408 276-5638 mailto:Craig.Russell@sun.com
>> P.S. A good JDO? O, Gasp!
>>
>
> -- 
> Patrick Linskey
> 202 669 5907
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!
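
Added example (not part of the original thread, and not OpenJPA's own release tooling): a sketch of the review the thread asks for, walking a staged release tree and reporting artifacts that lack an .asc or .md5 file, checksum files that do not match, and checksums of signatures. The directory layout, most file names and all file contents are constructed sample data; it only checks that an .asc file is present, and verifying the signature itself would still need gpg and the signer's key.

```python
import hashlib
import tempfile
from pathlib import Path

def audit_release_dir(root):
    """Return sorted (relative_path, problem) findings for a staged release tree."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.endswith(".asc.md5"):
            findings.append((rel, "checksum of a signature (not required)"))
            continue
        if path.suffix in (".asc", ".md5"):
            continue  # sidecar files are checked via the artifact they belong to
        if not path.with_name(path.name + ".asc").is_file():
            findings.append((rel, "missing .asc signature"))
        md5_file = path.with_name(path.name + ".md5")
        if not md5_file.is_file():
            findings.append((rel, "missing .md5 checksum"))
            continue
        tokens = md5_file.read_text().split()
        recorded = tokens[0].lower() if tokens else ""
        if recorded != hashlib.md5(path.read_bytes()).hexdigest():
            findings.append((rel, "md5 mismatch"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: file names and contents are illustrative only."""
    root = Path(root)
    def put(rel, data):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    def md5_line(data):
        return hashlib.md5(data).hexdigest().encode() + b"\n"
    # Distribution with a signature but no checksum.
    put("downloads/apache-openjpa-1.1.0-source.zip", b"source-dist")
    put("downloads/apache-openjpa-1.1.0-source.zip.asc", b"placeholder signature")
    # Jar with both sidecars, plus a checksum of the signature itself.
    put("m2/openjpa-jdbc-1.1.0.jar", b"jdbc-jar")
    put("m2/openjpa-jdbc-1.1.0.jar.asc", b"placeholder signature")
    put("m2/openjpa-jdbc-1.1.0.jar.md5", md5_line(b"jdbc-jar"))
    put("m2/openjpa-jdbc-1.1.0.jar.asc.md5", md5_line(b"placeholder signature"))
    # Jar whose checksum file does not match its content.
    put("m2/openjpa-lib-1.1.0.jar", b"lib-jar")
    put("m2/openjpa-lib-1.1.0.jar.asc", b"placeholder signature")
    put("m2/openjpa-lib-1.1.0.jar.md5", md5_line(b"other bytes"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, problem in audit_release_dir(tmp):
            print(f"{problem}: {rel}")
```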

