On Sun, Apr 15, 2018 at 10:11 AM Sean Busbey <bus...@apache.org> wrote:

> -1 on the RC vote
>
> I agree that in the staged maven repository we should stick to SHOULD
> guidance until such time that the maven tooling has a supported option to
> use correct checksums. (Have we verified that the relevant tooling at a
> minimum has a request in to add it?)
>
>
https://issues.apache.org/jira/browse/MNGSITE-328, and related issues track
this.


> However, I can't verify that the source artifact or any other artifacts
> that we'll eventually place in dist.a.o/release has correct checksums that
> meet the current release distribution policy simply because we don't have
> the relevant bits posted here in the RC.
>
>
You can't verify the contents of what will eventually be there anyway...
anybody could copy things incorrectly. But, they *should* be what was in
the staging directory... so you can always do a byte-for-byte comparison to
the staging repo (which gets promoted to Maven Central) and verify the
checksum matches that.


> Why don't we go back to providing both a staged maven repo and an RC
> directory in the ASF dev part of dist.a.o[4]? Plenty of other projects use
> that area to stage RCs that have correct checksums.
>
>
"go back to" doesn't make sense here. To my knowledge, we've never done
this. While using this SVN dev area is somewhat common now, before we
started staging in Nexus consistently, the SVN dev area on dist was not
standard, and people staged tarballs in people.apache.org and elsewhere.
When a release vote passed, people would do a `mvn deploy` from the
unpacked source tarball or from the SVN tag (meaning the jars in the binary
tarball did not match what was in Maven Central, and possibly from a
slightly different source with no way to verify). Staging in Nexus solved
all of that. Furthermore, two staging areas cause additional concerns
(which one is canonical? What if some people only test one, but not the
other? What if SVN contents change because unlike a closed Nexus staging
repository, SVN directory contents are not immutable?).

I've thought about modifying our build.sh script to stage stuff in SVN to
help reduce human error... but it doesn't entirely address all those
concerns about two staging areas. Additionally, that's a new step being
added to the release process... and discussions about changing our release
process to do additional things like that fall outside the scope of this
release vote. We're voting on the release artifacts here, not voting on
revamping the release process. Let's not hold up a release because of wish
list items for the release process.

Since it seems to be a problem for folks this time around... I've manually
staged the artifacts in:
https://dist.apache.org/repos/dist/dev/accumulo/1.9.0-rc1

Does that change anybody's vote?



> [4]: https://dist.apache.org/repos/dist/dev/accumulo/
>
> On 2018/04/15 05:35:39, Christopher <ctubb...@apache.org> wrote:
> > Mike,
> >
> > We use stronger checksums (SHA512) in the SVN[1] area and downloads page[2]
> > after a vote passes. In fact, we're one of the only "perfect projects" in
> > regards to compliance with this policy[3].
> >
> > The Maven staging area doesn't follow all the "SHOULD" statements, but
> > that's only because these checksums are automatically generated by
> > maven-deploy-plugin, and not under our direct control. However, it still
> > follows all the "MUST" statements, so it is still in compliance with the
> > cited policy. Unless we're willing to circumvent standard Maven tooling and
> > risk breaking things which depend on the conventions established by this
> > tooling (which, to be clear, I think would be a really terribly bad idea),
> > we simply cannot follow all the "SHOULD" statements for the Maven staging
> > area.
> >
> > [1]: https://www.apache.org/dist/accumulo/
> > [2]: https://accumulo.apache.org/downloads/
> > [3]: https://checker.apache.org/dist/unsummed.html
> >
> > On Sat, Apr 14, 2018 at 11:13 PM Mike Drob <md...@mdrob.com> wrote:
> >
> > > -0
> > >
> > > please do not publish md5 sums
> > > please add missing sha256 sums
> > >
> > > apache release policy:
> > > http://www.apache.org/dev/release-distribution#sigs-and-sums
> > >
> > > On Sat, Apr 14, 2018 at 11:37 AM, Mike Walch <mwa...@apache.org> wrote:
> > >
> > > > +1
> > > >
> > > > * Verified sha1 & md5 hashes matched
> > > > * Verified signatures
> > > > * Ran binary tarball locally using Uno
> > > > * Ran 'mvn verify' successfully for wikisearch using RC jars
> > > >
> > > > On Thu, Apr 12, 2018 at 6:21 PM, Christopher <ctubb...@apache.org> wrote:
> > > >
> > > > > Accumulo Developers,
> > > > >
> > > > > Please consider the following candidate for Apache Accumulo 1.9.0.
> > > > >
> > > > > Git Commit:
> > > > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > > > > Branch:
> > > > >     1.9.0-rc1
> > > > >
> > > > > If this vote passes, a gpg-signed tag will be created using:
> > > > >     git tag -f -m 'Apache Accumulo 1.9.0' -s rel/1.9.0 \
> > > > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > > > >
> > > > > Staging repo:
> > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070
> > > > > Source (official release artifact):
> > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-src.tar.gz
> > > > > Binary:
> > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-bin.tar.gz
> > > > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
> > > > > given artifact.)
> > > > >
> > > > > All artifacts were built and staged with:
> > > > >     mvn release:prepare && mvn release:perform
> > > > >
> > > > > Signing keys are available at https://www.apache.org/dist/accumulo/KEYS
> > > > > (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D)
> > > > >
> > > > > Release notes (in progress) can be found at:
> > > > > https://accumulo.apache.org/release/accumulo-1.9.0/
> > > > >
> > > > > Please vote one of:
> > > > > [ ] +1 - I have verified and accept...
> > > > > [ ] +0 - I have reservations, but not strong enough to vote against...
> > > > > [ ] -1 - Because..., I do not accept...
> > > > > ... these artifacts as the 1.9.0 release of Apache Accumulo.
> > > > >
> > > > > This vote will remain open until at least Sun Apr 15 22:30:00 UTC 2018
> > > > > (Sun Apr 15 18:30:00 EDT 2018 / Sun Apr 15 15:30:00 PDT 2018).
> > > > > Voting continues until the release manager sends an email closing the
> > > > > vote.
> > > > >
> > > > > Thanks!
> > > > >
> > > > > P.S. Hint: download the whole staging repo with
> > > > >     wget -erobots=off -r -l inf -np -nH \
> > > > >     https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/
> > > > >     # note the trailing slash is needed
> > > > >
> > > >
> > >
> >
>
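The checks this thread keeps circling back to are mechanical ones: hash each artifact and compare it with the sidecar checksum file next to it, grade which algorithms are present against the MUST/SHOULD split in the distribution policy (the staging repo's tooling only emits .md5 and .sha1, while dist carries SHA-512), and confirm that what gets promoted to dist is byte-for-byte what was voted on in staging. The Python below is an added example written for this page; it is not code from the thread or from the Accumulo project. The artifact name is borrowed from the vote, but the tarball bytes, the directory layout, the `verify_artifact`/`same_bytes` helpers and the policy defaults (`required`, `forbidden`) are this example's own constructions.

```python
"""Release-artifact verification: sidecar checksums, policy grading,
and a byte-for-byte comparison of a staging copy against a dist copy."""
import filecmp
import hashlib
import tempfile
from pathlib import Path

# Algorithms a release directory may carry a ".<algo>" sidecar file for.
HASH_ALGOS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def digest_file(path, algo):
    """Stream a file through the named hash; return the lowercase hex digest."""
    h = HASH_ALGOS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sum_file(path):
    """Return the digest from a sidecar file. Accepts a bare digest (what the
    Maven deploy tooling writes) or the coreutils '<digest>  <filename>' form."""
    text = Path(path).read_text(encoding="ascii").strip()
    return text.split()[0].lower() if text else ""


def verify_artifact(artifact, required=("sha512",), forbidden=("md5",)):
    """Check every sidecar checksum beside `artifact` and grade the result:
    `required` algorithms must be present and match, `forbidden` ones must be
    absent. The defaults mirror the SHOULD guidance the thread cites (SHA-512
    present, MD5 not published); pass required=("sha1",), forbidden=() to grade
    only against the MUST statements. Policy split is this example's assumption."""
    artifact = Path(artifact)
    report = {"artifact": artifact.name, "verified": [], "mismatched": [],
              "missing": [], "forbidden_present": []}
    for algo in HASH_ALGOS:
        sidecar = artifact.with_name(artifact.name + "." + algo)
        if not sidecar.exists():
            if algo in required:
                report["missing"].append(algo)
            continue
        if algo in forbidden:
            report["forbidden_present"].append(algo)
        if parse_sum_file(sidecar) == digest_file(artifact, algo):
            report["verified"].append(algo)
        else:
            report["mismatched"].append(algo)
    report["ok"] = not (report["mismatched"] or report["missing"]
                        or report["forbidden_present"])
    return report


def same_bytes(a, b):
    """Byte-for-byte comparison (shallow=False disables the stat shortcut),
    i.e. the staging-repo-vs-dist check the thread describes."""
    return filecmp.cmp(a, b, shallow=False)


def build_fixture(root):
    """Constructed sample data: a stand-in tarball staged Maven-style (.md5/.sha1),
    the same bytes promoted to a dist-style directory with a .sha512, and a
    tampered copy whose .sha512 still claims the original digest."""
    root = Path(root)
    staging, dist = root / "staging", root / "dist"
    staging.mkdir()
    dist.mkdir()
    name = "accumulo-1.9.0-src.tar.gz"          # name only; content is constructed
    payload = b"constructed stand-in for a source tarball\n" * 64
    staged = staging / name
    staged.write_bytes(payload)
    for algo in ("md5", "sha1"):                # what the staging tooling emits
        (staging / f"{name}.{algo}").write_text(digest_file(staged, algo) + "\n")
    promoted = dist / name
    promoted.write_bytes(payload)               # faithful promotion to dist
    (dist / f"{name}.sha512").write_text(f"{digest_file(promoted, 'sha512')}  {name}\n")
    tampered = dist / ("tampered-" + name)
    tampered.write_bytes(payload[:-1] + b"!")   # one byte changed, same length
    (dist / f"tampered-{name}.sha512").write_text(
        f"{digest_file(promoted, 'sha512')}  {name}\n")
    return staged, promoted, tampered


def run_demo():
    """Build the fixture in a temp dir and return every check's result."""
    with tempfile.TemporaryDirectory() as tmp:
        staged, promoted, tampered = build_fixture(tmp)
        return {
            "staging_must": verify_artifact(staged, required=("sha1",), forbidden=()),
            "staging_should": verify_artifact(staged),
            "dist": verify_artifact(promoted),
            "tampered": verify_artifact(tampered),
            "staging_vs_dist": same_bytes(staged, promoted),
            "staging_vs_tampered": same_bytes(staged, tampered),
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(check, result)
```

Run against real directories, `verify_artifact` is pointed at each artifact after the staging repo has been mirrored (the wget hint in the vote does that) and `same_bytes` at the staging and dist copies of the same file. The point of grading with two different policies is the one made in the thread: the same staged artifact passes the MUST checks yet fails the SHOULD ones, because the sidecars it carries are decided by the deploy tooling, not by the release manager. A signature (.asc) check is deliberately outside this example; it needs the KEYS file and a GPG invocation, not a hash.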
