openjpa-dev mailing list archives

From Patrick Linskey <plins...@gmail.com>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Thu, 15 May 2008 22:16:09 GMT
Done. You can browse the results at http://people.apache.org/~pcl/release-candidates/1.1.0/repo/m2-ibiblio-rsync-repository, or look at it on people.apache.org at ~pcl/public_html/release-candidates/1.1.0/repo/m2-ibiblio-rsync-repository.

-Patrick

On May 15, 2008, at 2:13 PM, Craig L Russell wrote:

> Ok,
>
> How about doing something like this:
>> $ find . \
>>   -name m2-repository -not -path "*openjpa-project*" -exec \
>>   mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy -Dsource=file://{} \
>>   -Dtarget=scp://people.apache.org/home/pcl/release-candidate/1.0.0/repo/m2-ibiblio-rsync-repository \
>>   -Dversion=1.0.1 \;
>
> Then we can look at what you will do after the vote completes and  
> argue about whether the artifacts are correct.
>
> Craig
>
> On May 15, 2008, at 12:20 PM, Patrick Linskey wrote:
>
>>>>> What we need to vote on are the (reproducible) release  
>>>>> artifacts: the source and binary distributions with asc and md5  
>>>>> sig/checksums; and the maven artifacts that will go into the  
>>>>> mirrored maven repository.
>>>>
>>>> Sadly, our process does not seem to support generating such an  
>>>> artifact.
>>>
>>> Then how will the maven artifacts get published?
>>>>
>>>>
>>>> I do not understand what you mean by "reproducible";
>>>
>>> Reinforcing that you should be able to create the same artifacts  
>>> by running the scripts again. No manual to-and-fro should be  
>>> involved.
>>
>> From [1], the last step in the release process is:
>>
>> $ find . \
>>   -name m2-repository -not -path "*openjpa-project*" -exec \
>>   mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy -Dsource=file://{} \
>>   -Dtarget=scp://people.apache.org/www/people.apache.org/repo/m2-ibiblio-rsync-repository \
>>   -Dversion=1.0.1 \;
>>
>> My understanding is that once that script is run, the contents are  
>> uploaded to the non-snapshot mvn repository. I.e., if I were to run  
>> that script, things would be released to the wild. That sounds to  
>> me like something that should happen only once the release is  
>> approved, and not before.
>>
>> So, in other words, the semi-automatic process documented at [1]  
>> takes the output that I've linked to and pushes it to the mvn repo  
>> directly.
>>
>> As I pointed out, I think that there is room for improving this  
>> process. I would rather, however, cut out the mvn artifacts from  
>> the 1.1.0 release than spend the next days rushing through trying  
>> to learn about mvn's world view when it comes to further mvn  
>> automation.
>>
>>>> this was all generated in exactly the same manner as prior  
>>>> (approved) OpenJPA releases, with the exception that we're now  
>>>> generating md5 and asc files for more of the artifacts.
>>>
>>> And we have had problems with subsequent maven artifact postings,  
>>> which I want to fix by having more oversight earlier.
>>
>> It was my understanding that the only issue that we've encountered  
>> in the previous releases was the lack of signed artifacts. I  
>> believe that the work that I've done addresses that. As I mentioned  
>> above, since our process deploys directly to the mvn repo, I know  
>> of no way to validate that that's the case. Further, I am not  
>> scared of directly (manually) updating the mvn repo; I was under  
>> the impression that it was the artifacts, and not the process, that  
>> needed voting / approval.
>>
>>>> I see lots of m2-repository contents that would seem to conform  
>>>> to what maven expects, but I'm no maven expert:
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>>
>>> These directories are not proper maven repositories, so a subset  
>>> of these artifacts then need to be copied to completely different  
>>> directories. How will this be done? Why can't they be copied "now"  
>>> to a temporary maven repo so they can be vetted?
>>
>> I have no idea what "proper maven repositories" look like.
>>
>> How about this: let's get rid of all the mvn artifacts from the  
>> 1.1.0 release, and focus instead just on the binary and source zips.
>>
>> -Patrick
>>
>> [1] http://openjpa.apache.org/releasing-openjpa.html
>>
>>
>> On May 15, 2008, at 12:04 PM, Craig L Russell wrote:
>>
>>> Hi Patrick,
>>>
>>> On May 15, 2008, at 11:52 AM, Patrick Linskey wrote:
>>>
>>>>> What we need to vote on are the (reproducible) release  
>>>>> artifacts: the source and binary distributions with asc and md5  
>>>>> sig/checksums; and the maven artifacts that will go into the  
>>>>> mirrored maven repository.
>>>>
>>>> Sadly, our process does not seem to support generating such an  
>>>> artifact.
>>>
>>> Then how will the maven artifacts get published?
>>>>
>>>>
>>>> I do not understand what you mean by "reproducible";
>>>
>>> Reinforcing that you should be able to create the same artifacts  
>>> by running the scripts again. No manual to-and-fro should be  
>>> involved.
>>>
>>>> this was all generated in exactly the same manner as prior  
>>>> (approved) OpenJPA releases, with the exception that we're now  
>>>> generating md5 and asc files for more of the artifacts.
>>>
>>> And we have had problems with subsequent maven artifact postings,  
>>> which I want to fix by having more oversight earlier.
>>>>
>>>>
>>>> I see lots of m2-repository contents that would seem to conform  
>>>> to what maven expects, but I'm no maven expert:
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>>
>>> These directories are not proper maven repositories, so a subset  
>>> of these artifacts then need to be copied to completely different  
>>> directories. How will this be done? Why can't they be copied "now"  
>>> to a temporary maven repo so they can be vetted?
>>>
>>> Craig
>>>>
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/
>>>>
>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/
>>>>
>>>> Does this help?
>>>>
>>>> -Patrick
>>>>
>>>> On May 15, 2008, at 10:32 AM, Craig L Russell wrote:
>>>>
>>>>> Hi Patrick,
>>>>>
>>>>> On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>> Nice job, but need a bit more to review.
>>>>>>
>>>>>> Thanks! I'm assuming that you mean that you can't vote +1 now,  
>>>>>> but that you'll have time between now and Monday evening, right?
>>>>>
>>>>> Right.
>>>>>>
>>>>>>
>>>>>>> There's a requirement that all artifacts have an md5 checksum
>>>>>>> in addition to the asc signature.
>>>>>>
>>>>>> Those should all be generated. In fact, it looks like we even  
>>>>>> have md5 checksums of the signatures!
>>>>>
>>>>> In the link you sent out
>>>>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>>>>
>>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>
>>>>> there are only the source and binary distribution files with asc  
>>>>> sigs, no md5 and no maven artifacts.
>>>>>>
>>>>>>
>>>>>>> Since we plan to put the jar files into the global maven repo,
>>>>>>> the artifacts should be on the download site for review. The
>>>>>>> jar files also need md5 and asc signatures.
>>>>>>
>>>>>> Everything can be found at
>>>>>> people.apache.org/www/openjpa.apache.org/builds/1.1.0.
>>>>>
>>>>> Everything including the kitchen sink. But there are many files  
>>>>> and plain junk in that location that it's impossible for me to  
>>>>> review.
>>>>>>
>>>>>> Also, I think it's worth noting that there are definite  
>>>>>> improvements that we could make in our staging / delivery  
>>>>>> process. I'd appreciate it if we didn't hold 1.1.0 hostage for  
>>>>>> those changes. My understanding from Wendy's comments about the
>>>>>> last release process was that we needed more signatures; I
>>>>>> believe that the new release is sufficiently-signed. If there  
>>>>>> are other improvements that we could make, I'm all for making  
>>>>>> them, but would rather see non-showstopping issues get logged  
>>>>>> and addressed in 1.1.1 etc.
>>>>>
>>>>> The problem is that with all the stuff in the builds/1.1.0  
>>>>> directory it's not possible to make sense of it. Browsing the  
>>>>> builds/1.1.0, there are several things that look like maven  
>>>>> artifacts but they're in the wrong place, e.g.
>>>>> openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0
>>>>> which has an extra 1.1.0 directory and has extra files e.g.
>>>>> -rw-rw-r--  1 pcl  openjpa       32 May 14 22:36 openjpa-jdbc-1.1.0.jar.asc.md5
>>>>> (generally it's not required to checksum a signature;-).
>>>>>
>>>>> So there's a non-trivial step between the artifacts that you've  
>>>>> pointed to and the actual release that we propose to mirror to  
>>>>> the world. And there's no PMC oversight possible for that
>>>>> non-trivial step.
>>>>>
>>>>> What we need to vote on are the (reproducible) release  
>>>>> artifacts: the source and binary distributions with asc and md5  
>>>>> sig/checksums; and the maven artifacts that will go into the  
>>>>> mirrored maven repository.
>>>>>
>>>>> Craig
>>>>>>
>>>>>>
>>>>>> -Patrick
>>>>>>
>>>>>> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>>>>>>
>>>>>>> Hi Patrick,
>>>>>>>
>>>>>>> Nice job, but need a bit more to review.
>>>>>>>
>>>>>>> There's a requirement that all artifacts have an md5 checksum
>>>>>>> in addition to the asc signature.
>>>>>>>
>>>>>>> Since we plan to put the jar files into the global maven repo,
>>>>>>> the artifacts should be on the download site for review. The
>>>>>>> jar files also need md5 and asc signatures.
>>>>>>>
>>>>>>> Craig
>>>>>>>
>>>>>>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>>>>>>
>>>>>>>> OpenJPA Developers-
>>>>>>>>
>>>>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>>>>
>>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>>
>>>>>>>> Please review these artifacts and signatures, and vote whether we
>>>>>>>> should release them as Apache OpenJPA version 1.1.0. Release notes
>>>>>>>> for this release are included in the artifact, or can be browsed at:
>>>>>>>>
>>>>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>>>>>>
>>>>>>>> The Apache Release Audit Tool has been run on the release, and no
>>>>>>>> missing licenses were found with the exceptions listed in the
>>>>>>>> exclusion section of the "rat-maven-plugin" configuration in
>>>>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml .
>>>>>>>>
>>>>>>>> In accordance with
>>>>>>>> http://www.apache.org/foundation/voting.html#ReleaseVotes , three
>>>>>>>> +1 votes will be sufficient to approve the release for publication.
>>>>>>>> While it is not possible to veto a release, the vote will remain
>>>>>>>> open for the standard 3 day period (ending at 11:30pm Pacific on
>>>>>>>> Monday 5/19) in order to allow people to thoroughly review the
>>>>>>>> release and perform whatever additional testing they desire and
>>>>>>>> raise any concerns or objections.
>>>>>>>>
>>>>>>>> A vote of "+1" means you approve of the release for publication,
>>>>>>>> "-1" means you do not approve, and a "+0" or "-0" means you are
>>>>>>>> neutral.
>>>>>>>>
>>>>>>>> Thanks in advance for your diligence in helping to ensure that the
>>>>>>>> quality of the OpenJPA 1.1.0 release reflects the high quality of
>>>>>>>> all of its contributors!
>>>>>>>>
>>>>>>>> -Patrick
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Patrick Linskey
>>>>>>>> 202 669 5907
>>>>>>>>
>>>>>>>
>>>>>>> Craig Russell
>>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Patrick Linskey
>>>>>> 202 669 5907
>>>>>>
>>>>>
>>>>> Craig Russell
>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>> P.S. A good JDO? O, Gasp!
>>>>>
>>>>
>>>> -- 
>>>> Patrick Linskey
>>>> 202 669 5907
>>>>
>>>
>>> Craig Russell
>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>> P.S. A good JDO? O, Gasp!
>>>
>>
>> -- 
>> Patrick Linskey
>> 202 669 5907
>>
>
> Craig Russell
> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>

-- 
Patrick Linskey
202 669 5907
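
An added example (not part of the original message or of the OpenJPA release scripts): a reviewer-side audit of a staged repository directory for the conditions raised in this thread, namely artifacts without an .asc or .md5 file, checksums that do not match, and checksums of signatures such as the .jar.asc.md5 file mentioned above. The function names and the sample tree are constructed for illustration; the audit only checks that .asc files exist and does not verify them with GPG.

```python
import hashlib
import tempfile
from pathlib import Path

SIDECARS = (".asc", ".md5")  # detached signature and checksum suffixes

def audit_repo(root):
    """Return (relative_path, problem) pairs for a staged repository tree."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix in SIDECARS:
            covered = path.with_suffix("")  # file this sidecar claims to cover
            if not covered.is_file():
                findings.append((rel, "orphan sidecar"))
            elif covered.suffix in SIDECARS:
                findings.append((rel, "redundant sidecar of a sidecar"))
            continue
        if not path.with_name(path.name + ".asc").is_file():
            findings.append((rel, "missing .asc signature"))
        md5_file = path.with_name(path.name + ".md5")
        if not md5_file.is_file():
            findings.append((rel, "missing .md5 checksum"))
            continue
        # First token handles both a bare digest and "digest  filename" layouts.
        tokens = md5_file.read_text(errors="replace").split()
        recorded = tokens[0].lower() if tokens else ""
        # MD5 only catches corruption; authenticity comes from verifying the .asc.
        if recorded != hashlib.md5(path.read_bytes()).hexdigest():
            findings.append((rel, "md5 mismatch"))
    return findings

def demo():
    """Audit a constructed tree shaped like the openjpa-jdbc directory in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "org/apache/openjpa/openjpa-jdbc/1.1.0")
        d.mkdir(parents=True)
        jar, pom = b"constructed jar bytes", b"<project/>"
        (d / "openjpa-jdbc-1.1.0.jar").write_bytes(jar)
        (d / "openjpa-jdbc-1.1.0.jar.md5").write_text(hashlib.md5(jar).hexdigest())
        (d / "openjpa-jdbc-1.1.0.jar.asc").write_text("constructed placeholder")
        (d / "openjpa-jdbc-1.1.0.jar.asc.md5").write_text("0" * 32)
        (d / "openjpa-jdbc-1.1.0.pom").write_bytes(pom)
        (d / "openjpa-jdbc-1.1.0.pom.md5").write_text("f" * 32)  # wrong digest
        return audit_repo(tmp)

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem}: {rel}")
```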

