openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Thu, 15 May 2008 21:38:07 GMT
Looking at [1] I don't blame you for throwing up your hands in  
despair: that is ridiculous.

Assuming you have a more or less standard maven build it is very easy  
to add a release profile that automates 95% of those steps and lets  
you release by running

mvn release:prepare -Prelease
mvn release:perform -Prelease

---wait for vote

mvn stage:copy ....

openjpa is pretty much useless to geronimo without all the maven  
artifacts so I'm -1 to any release process that doesn't build and  
deploy them.

I've set up several projects in this way recently and would be happy  
to help.  Note that using the release related plugins often shows up a  
lot of legal goo problems that were previously undetected so this may  
cause a longer release cycle than you expect, although the result is  
likely to be more in line with apache policy.

If you'd like me to take a look please let me know what svn location  
you are trying to release from and what if anything it is a recent  
copy of.

Is there a maven generated web site that needs to be deployed as part  
of the release?

Release instructions for one of the projects I helped with recently  
are at http://activemq.apache.org/release-guide.html ("new method",  
not "old method")

thanks
david jencks

On May 15, 2008, at 12:20 PM, Patrick Linskey wrote:

>>>> What we need to vote on are the (reproducible) release artifacts:  
>>>> the source and binary distributions with asc and md5 sig/ 
>>>> checksums; and the maven artifacts that will go into the mirrored  
>>>> maven repository.
>>>
>>> Sadly, our process does not seem to support generating such an  
>>> artifact.
>>
>> Then how will the maven artifacts get published?
>>>
>>>
>>> I do not understand what you mean by "reproducible";
>>
>> Reinforcing that you should be able to create the same artifacts by  
>> running the scripts again. No manual to-and-fro should be involved.
>
> From [1], the last step in the release process is:
>
> $ find . \ -name m2-repository -not -path "*openjpa-project*" -exec  
> mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy -Dsource=file://{}  
> -Dtarget=scp://people.apache.org/www/people.apache.org/repo/m2- 
> ibiblio-rsync-repository \ -Dversion=1.0.1 \;
>
> My understanding is that once that script is run, the contents are  
> uploaded to the non-snapshot mvn repository. I.e., if I were to run  
> that script, things would be released to the wild. That sounds to me  
> like something that should happen only once the release is approved,  
> and not before.
>
> So, in other words, the semi-automatic process documented at [1]  
> takes the output that I've linked to and pushes it to the mvn repo  
> directly.
>
> As I pointed out, I think that there is room for improving this  
> process. I would rather, however, cut out the mvn artifacts from the  
> 1.1.0 release than spend the next days rushing through trying to  
> learn about mvn's world view when it comes to further mvn automation.
>
>>> this was all generated in exactly the same manner as prior  
>>> (approved) OpenJPA releases, with the exception that we're now  
>>> generating md5 and asc files for more of the artifacts.
>>
>> And we have had problems with subsequent maven artifact postings,  
>> which I want to fix by having more oversight earlier.
>
> It was my understanding that the only issue that we've encountered  
> in the previous releases was the lack of signed artifacts. I believe  
> that the work that I've done addresses that. As I mentioned above,  
> since our process deploys directly to the mvn repo, I know of no way  
> to validate that that's the case. Further, I am not scared of  
> directly (manually) updating the mvn repo; I was under the  
> impression that it was the artifacts, and not the process, that  
> needed voting / approval.
>
>>> I see lots of m2-repository contents that would seem to conform to  
>>> what maven expects, but I'm no maven expert:
>>>
>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>
>> These directories are not proper maven repositories, so a subset of  
>> these artifacts then need to be copied to completely different  
>> directories. How will this be done? Why can't they be copied "now"  
>> to a temporary maven repo so they can be vetted?
>
> I have no idea what "proper maven repositories" look like.
>
> How about this: let's get rid of all the mvn artifacts from the  
> 1.1.0 release, and focus instead just on the binary and source zips.
>
> -Patrick
>
> [1] http://openjpa.apache.org/releasing-openjpa.html
>
>
> On May 15, 2008, at 12:04 PM, Craig L Russell wrote:
>
>> Hi Patrick,
>>
>> On May 15, 2008, at 11:52 AM, Patrick Linskey wrote:
>>
>>>> What we need to vote on are the (reproducible) release artifacts:  
>>>> the source and binary distributions with asc and md5 sig/ 
>>>> checksums; and the maven artifacts that will go into the mirrored  
>>>> maven repository.
>>>
>>> Sadly, our process does not seem to support generating such an  
>>> artifact.
>>
>> Then how will the maven artifacts get published?
>>>
>>>
>>> I do not understand what you mean by "reproducible";
>>
>> Reinforcing that you should be able to create the same artifacts by  
>> running the scripts again. No manual to-and-fro should be involved.
>>
>>> this was all generated in exactly the same manner as prior  
>>> (approved) OpenJPA releases, with the exception that we're now  
>>> generating md5 and asc files for more of the artifacts.
>>
>> And we have had problems with subsequent maven artifact postings,  
>> which I want to fix by having more oversight earlier.
>>>
>>>
>>> I see lots of m2-repository contents that would seem to conform to  
>>> what maven expects, but I'm no maven expert:
>>>
>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>
>> These directories are not proper maven repositories, so a subset of  
>> these artifacts then need to be copied to completely different  
>> directories. How will this be done? Why can't they be copied "now"  
>> to a temporary maven repo so they can be vetted?
>>
>> Craig
>>>
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/
>>>
>>> http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/
>>>
>>> Does this help?
>>>
>>> -Patrick
>>>
>>> On May 15, 2008, at 10:32 AM, Craig L Russell wrote:
>>>
>>>> Hi Patrick,
>>>>
>>>> On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>> Nice job, but need a bit more to review.
>>>>>
>>>>> Thanks! I'm assuming that you mean that you can't vote +1 now,  
>>>>> but that you'll have time between now and Monday evening, right?
>>>>
>>>> Right.
>>>>>
>>>>>
>>>>>> There's a requirement that all artifacts have an md5 checksum  
>>>>>> in addition to the asc signature.
>>>>>
>>>>> Those should all be generated. In fact, it looks like we even  
>>>>> have md5 checksums of the signatures!
>>>>
>>>> In the link you sent out
>>>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>
>>>> there are only the source and binary distribution files with asc  
>>>> sigs, no md5 and no maven artifacts.
>>>>>
>>>>>
>>>>>> Since we plan to put the jar files into the global maven repo,  
>>>>>> the artifacts should be on the download site for review. The  
>>>>>> jar files also need md5 and asc signatures.
>>>>>
>>>>> Everything can be found at people.apache.org/www/ 
>>>>> openjpa.apache.org/builds/1.1.0.
>>>>
>>>> Everything including the kitchen sink. But there are many files  
>>>> and plain junk in that location that it's impossible for me to  
>>>> review.
>>>>>
>>>>> Also, I think it's worth noting that there are definite  
>>>>> improvements that we could make in our staging / delivery  
>>>>> process. I'd appreciate it if we didn't hold 1.1.0 hostage for  
>>>>> those changes. My understanding from Wendy's comments about the  
>>>>> last release process was that we needed more signatures; I  
>>>>> believe that the new release is sufficiently-signed. If there  
>>>>> are other improvements that we could make, I'm all for making  
>>>>> them, but would rather see non-showstopping issues get logged  
>>>>> and addressed in 1.1.1 etc.
>>>>
>>>> The problem is that with all the stuff in the builds/1.1.0  
>>>> directory it's not possible to make sense of it. Browsing the  
>>>> builds/1.1.0, there are several things that look like maven  
>>>> artifacts but they're in the wrong place, e.g. openjpa-jdbc/m2- 
>>>> repository/org/apache/openjpa/openjpa-jdbc/1.1.0 which has an  
>>>> extra 1.1.0 directory and has extra files e.g. -rw-rw-r--  1 pcl   
>>>> openjpa       32 May 14 22:36 openjpa-jdbc-1.1.0.jar.asc.md5  
>>>> (generally it's not required to checksum a signature;-).
>>>>
>>>> So there's a non-trivial step between the artifacts that you've  
>>>> pointed to and the actual release that we propose to mirror to  
>>>> the world. And there's no PMC oversight possible for that non- 
>>>> trivial step.
>>>>
>>>> What we need to vote on are the (reproducible) release artifacts:  
>>>> the source and binary distributions with asc and md5 sig/ 
>>>> checksums; and the maven artifacts that will go into the mirrored  
>>>> maven repository.
>>>>
>>>> Craig
>>>>>
>>>>>
>>>>> -Patrick
>>>>>
>>>>> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>>>>>
>>>>>> Hi Patrick,
>>>>>>
>>>>>> Nice job, but need a bit more to review.
>>>>>>
>>>>>> There's a requirement that all artifacts have an md5 checksum  
>>>>>> in addition to the asc signature.
>>>>>>
>>>>>> Since we plan to put the jar files into the global maven repo,  
>>>>>> the artifacts should be on the download site for review. The  
>>>>>> jar files also need md5 and asc signatures.
>>>>>>
>>>>>> Craig
>>>>>>
>>>>>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>>>>>
>>>>>>> OpenJPA Developers-
>>>>>>>
>>>>>>> A candidate build for OpenJPA 1.1.0 is available at:
>>>>>>>
>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>
>>>>>>> Please review these artifacts and signatures, and vote whether
 
>>>>>>> we
>>>>>>> should release them as Apache OpenJPA version 1.1.0. Release
 
>>>>>>> notes
>>>>>>> for this release are included in the artifact, or can be  
>>>>>>> browsed at:
>>>>>>>
>>>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>>>>>
>>>>>>> The Apache Release Audit Tool has been run on the release, and
 
>>>>>>> no
>>>>>>> missing licenses were found with the exceptions listed in the
>>>>>>> exclusion section of the "rat-maven-plugin" configuration in
 
>>>>>>> http://
>>>>>>> svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml .
>>>>>>>
>>>>>>> In accordance with http://www.apache.org/foundation/
>>>>>>> voting.html#ReleaseVotes , three +1 votes will be sufficient
to
>>>>>>> approve the release for publication. While it is not possible
 
>>>>>>> to veto
>>>>>>> a release, the vote will remain open for the standard 3 day 

>>>>>>> period
>>>>>>> (ending at 11:30pm Pacific on Monday 5/19) in order to allow
 
>>>>>>> people to
>>>>>>> thoroughly review the release and perform whatever additional
 
>>>>>>> testing
>>>>>>> they desire and raise any concerns or objections.
>>>>>>>
>>>>>>> A vote of "+1" means you approve of the release for  
>>>>>>> publication, "-1"
>>>>>>> means you do not approve, and a "+0" or "-0" means you are  
>>>>>>> neutral.
>>>>>>>
>>>>>>> Thanks in advance for your diligence in helping to ensure that
 
>>>>>>> the
>>>>>>> quality of the OpenJPA 1.1.0 release reflects the high quality
 
>>>>>>> of all
>>>>>>> of its contributors!
>>>>>>>
>>>>>>> -Patrick
>>>>>>>
>>>>>>> -- 
>>>>>>> Patrick Linskey
>>>>>>> 202 669 5907
>>>>>>>
>>>>>>
>>>>>> Craig Russell
>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>
>>>>>
>>>>> -- 
>>>>> Patrick Linskey
>>>>> 202 669 5907
>>>>>
>>>>
>>>> Craig Russell
>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>> P.S. A good JDO? O, Gasp!
>>>>
>>>
>>> -- 
>>> Patrick Linskey
>>> 202 669 5907
>>>
>>
>> Craig Russell
>> Architect, Sun Java Enterprise System http://java.sun.com/products/ 
>> jdo
>> 408 276-5638 mailto:Craig.Russell@sun.com
>> P.S. A good JDO? O, Gasp!
>>
>
> -- 
> Patrick Linskey
> 202 669 5907
>


Mime
View raw message