openjpa-dev mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Thu, 15 May 2008 17:32:38 GMT
Hi Patrick,

On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:

> Hi,
>
>> Nice job, but need a bit more to review.
>
> Thanks! I'm assuming that you mean that you can't vote +1 now, but  
> that you'll have time between now and Monday evening, right?

Right.
>
>
>> There's a requirement that all artifacts have an md5 checksum in  
>> addition to the asc signature.
>
> Those should all be generated. In fact, it looks like we even have  
> md5 checksums of the signatures!

In the link you sent out
>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>
>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>
there are only the source and binary distribution files with asc sigs,  
no md5 and no maven artifacts.
>
>
>> Since we plan to put the jar files into the global maven repo, the  
>> artifacts should be on the download site for review. The jar files  
>> also need md5 and asc signatures.
>
> Everything can be found at
> people.apache.org/www/openjpa.apache.org/builds/1.1.0.

Everything including the kitchen sink. But there are many files and  
plain junk in that location that it's impossible for me to review.
>
> Also, I think it's worth noting that there are definite improvements  
> that we could make in our staging / delivery process. I'd appreciate  
> it if we didn't hold 1.1.0 hostage for those changes. My  
> understanding from Wendy's comments about the last release process  
> was that we needed more signatures; I believe that the new release  
> is sufficiently-signed. If there are other improvements that we  
> could make, I'm all for making them, but would rather see
> non-showstopping issues get logged and addressed in 1.1.1 etc.

The problem is that with all the stuff in the builds/1.1.0 directory  
it's not possible to make sense of it. Browsing the builds/1.1.0,  
there are several things that look like maven artifacts but they're in  
the wrong place, e.g.
openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0
which has an extra 1.1.0 directory and has extra files e.g.
-rw-rw-r--  1 pcl  openjpa       32 May 14 22:36 openjpa-jdbc-1.1.0.jar.asc.md5
(generally it's not required to checksum a signature ;-).

So there's a non-trivial step between the artifacts that you've  
pointed to and the actual release that we propose to mirror to the  
world. And there's no PMC oversight possible for that non-trivial step.

What we need to vote on are the (reproducible) release artifacts: the  
source and binary distributions with asc and md5 sig/checksums; and  
the maven artifacts that will go into the mirrored maven repository.

Craig
>
>
> -Patrick
>
> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>
>> Hi Patrick,
>>
>> Nice job, but need a bit more to review.
>>
>> There's a requirement that all artifacts have an md5 checksum in  
>> addition to the asc signature.
>>
>> Since we plan to put the jar files into the global maven repo, the  
>> artifacts should be on the download site for review. The jar files  
>> also need md5 and asc signatures.
>>
>> Craig
>>
>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>
>>> OpenJPA Developers-
>>>
>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>
>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>
>>> Please review these artifacts and signatures, and vote whether we
>>> should release them as Apache OpenJPA version 1.1.0. Release notes
>>> for this release are included in the artifact, or can be browsed at:
>>>
>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>
>>> The Apache Release Audit Tool has been run on the release, and no
>>> missing licenses were found with the exceptions listed in the
>>> exclusion section of the "rat-maven-plugin" configuration in
>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml .
>>>
>>> In accordance with
>>> http://www.apache.org/foundation/voting.html#ReleaseVotes , three +1
>>> votes will be sufficient to approve the release for publication.
>>> While it is not possible to veto a release, the vote will remain
>>> open for the standard 3 day period (ending at 11:30pm Pacific on
>>> Monday 5/19) in order to allow people to thoroughly review the
>>> release and perform whatever additional testing they desire and
>>> raise any concerns or objections.
>>>
>>> A vote of "+1" means you approve of the release for publication,
>>> "-1" means you do not approve, and a "+0" or "-0" means you are
>>> neutral.
>>>
>>> Thanks in advance for your diligence in helping to ensure that the
>>> quality of the OpenJPA 1.1.0 release reflects the high quality of
>>> all of its contributors!
>>>
>>> -Patrick
>>>
>>> -- 
>>> Patrick Linskey
>>> 202 669 5907
>>>
>>
>> Craig Russell
>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>> 408 276-5638 mailto:Craig.Russell@sun.com
>> P.S. A good JDO? O, Gasp!
>>
>
> -- 
> Patrick Linskey
> 202 669 5907
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!
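
The completeness check asked for in this message (every release artifact accompanied by an asc signature and an md5 checksum, no stray files, no checksums of signatures), as an added Python example that is not part of the thread or of OpenJPA's tooling. The artifact extensions, file names and sample tree are constructed assumptions, and `.asc` files are only checked for presence here, not verified with gpg.

```python
import hashlib
import os
import tempfile
ARTIFACT_EXTS = (".jar", ".pom", ".zip", ".tar.gz")  # assumption: what counts as an artifact

def audit_release_dir(root):
    """Return sorted (relative_path, problem) pairs for a staged release tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith((".asc", ".md5")):
                if name.endswith(".asc.md5"):
                    findings.append((rel, "checksum of a signature"))
                continue
            if not name.endswith(ARTIFACT_EXTS):
                findings.append((rel, "unexpected file"))
                continue
            if name + ".asc" not in names:
                findings.append((rel, "missing .asc signature"))
            if name + ".md5" not in names:
                findings.append((rel, "missing .md5 checksum"))
                continue
            with open(path, "rb") as f:
                actual = hashlib.md5(f.read()).hexdigest()
            with open(path + ".md5") as f:
                recorded = (f.read().split() or [""])[0].lower()  # bare digest or "digest  name"
            if recorded != actual:
                findings.append((rel, "md5 mismatch"))
    return sorted(findings)

def demo():
    """Audit a constructed tree (sample data, not the real OpenJPA staging area)."""
    sig = b"constructed signature placeholder"
    tree = {
        "good-1.1.0.jar": b"good", "good-1.1.0.jar.asc": sig,
        "good-1.1.0.jar.md5": hashlib.md5(b"good").hexdigest().encode(),
        "good-1.1.0.jar.asc.md5": b"0" * 32,
        "bad-1.1.0.zip": b"changed after checksumming", "bad-1.1.0.zip.asc": sig,
        "bad-1.1.0.zip.md5": hashlib.md5(b"original").hexdigest().encode(),
        "core-1.1.0.jar": b"unsigned", "build.log": b"junk",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in tree.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return audit_release_dir(root)
```

An empty result from `audit_release_dir` means the directory holds only artifacts, each with both companion files and a matching checksum.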

