I don't have strong feelings about how we implement hosting the RC, but I do 
want the RC to contain the actual checksum that we're going to use when we 
publish on dist.a.o in the release.

Otherwise we're not verifying that said checksum is correct for the artifact 
we're voting on, which is part of the point of us having a release vote.

Publishing via the dev part of dist.a.o is one way to do that. If the community 
prefers some other way, that's fine by me as well.



On 2018/04/15 16:23:02, Mike Walch <mwa...@apache.org> wrote: 
> I am trying to understand what you are looking for with your -1.
> 
> It sounds like you want the following files created in
> https://dist.apache.org/repos/dist/dev/accumulo/1.9.0 for each release
> candidate:
> 
> accumulo-1.9.0-bin.tar.gz
> accumulo-1.9.0-bin.tar.gz.asc
> accumulo-1.9.0-bin.tar.gz.sha512
> accumulo-1.9.0-src.tar.gz
> accumulo-1.9.0-src.tar.gz.asc
> accumulo-1.9.0-src.tar.gz.sha512
> 
> This will require the release manager to copy the tarballs and asc files
> from the maven repo to SVN dev directory and create the sha512 files for
> each candidate, correct?
> 
> If this is going to be a new requirement for releases, it should be
> documented with step by step instructions at
> https://accumulo.apache.org/contributor/making-release
> 
> On Sun, Apr 15, 2018 at 10:12 AM, Sean Busbey <bus...@apache.org> wrote:
> 
> > sorry, that should have been "staged maven repository should stick to MUST
> > guidance"
> >
> >
> >
> > On 2018/04/15 14:11:43, Sean Busbey <bus...@apache.org> wrote:
> > > -1 on the RC vote
> > >
> > > I agree that in the staged maven repository we should stick to SHOULD
> > > guidance until such time that the maven tooling has a supported option to
> > > use correct checksums. (Have we verified that the relevant tooling at a
> > > minimum has a request in to add it?)
> > >
> > > However, I can't verify that the source artifact or any other artifacts
> > > that we'll eventually place in dist.a.o/release has correct checksums that
> > > meet the current release distribution policy simply because we don't have
> > > the relevant bits posted here in the RC.
> > >
> > > Why don't we go back to providing both a staged maven repo and an RC
> > > directory in the ASF dev part of dist.a.o[4]? Plenty of other projects use
> > > that area to stage RCs that have correct checksums.
> > >
> > > [4]: https://dist.apache.org/repos/dist/dev/accumulo/
> > >
> > > On 2018/04/15 05:35:39, Christopher <ctubb...@apache.org> wrote:
> > > > Mike,
> > > >
> > > > We use stronger checksums (SHA512) in the SVN[1] area and downloads
> > > > page[2] after a vote passes. In fact, we're one of the only "perfect
> > > > projects" in regards to compliance with this policy[3].
> > > >
> > > > The Maven staging area doesn't follow all the "SHOULD" statements, but
> > > > that's only because these checksums are automatically generated by
> > > > maven-deploy-plugin, and not under our direct control. However, it still
> > > > follows all the "MUST" statements, so it is still in compliance with the
> > > > cited policy. Unless we're willing to circumvent standard Maven tooling
> > > > and risk breaking things which depend on the conventions established by
> > > > this tooling (which, to be clear, I think would be a really terribly bad
> > > > idea), we simply cannot follow all the "SHOULD" statements for the Maven
> > > > staging area.
> > > >
> > > > [1]: https://www.apache.org/dist/accumulo/
> > > > [2]: https://accumulo.apache.org/downloads/
> > > > [3]: https://checker.apache.org/dist/unsummed.html
> > > >
> > > > On Sat, Apr 14, 2018 at 11:13 PM Mike Drob <md...@mdrob.com> wrote:
> > > >
> > > > > -0
> > > > >
> > > > > please do not publish md5 sums
> > > > > please add missing sha256 sums
> > > > >
> > > > > apache release policy:
> > > > > http://www.apache.org/dev/release-distribution#sigs-and-sums
> > > > >
> > > > > On Sat, Apr 14, 2018 at 11:37 AM, Mike Walch <mwa...@apache.org> wrote:
> > > > >
> > > > > > +1
> > > > > >
> > > > > > * Verified sha1 & md5 hashes matched
> > > > > > * Verified signatures
> > > > > > * Ran binary tarball locally using Uno
> > > > > > * Ran 'mvn verify' successfully for wikisearch using RC jars
> > > > > >
> > > > > > On Thu, Apr 12, 2018 at 6:21 PM, Christopher <ctubb...@apache.org> wrote:
> > > > > >
> > > > > > > Accumulo Developers,
> > > > > > >
> > > > > > > Please consider the following candidate for Apache Accumulo 1.9.0.
> > > > > > >
> > > > > > > Git Commit:
> > > > > > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > > > > > > Branch:
> > > > > > >     1.9.0-rc1
> > > > > > >
> > > > > > > If this vote passes, a gpg-signed tag will be created using:
> > > > > > >     git tag -f -m 'Apache Accumulo 1.9.0' -s rel/1.9.0 \
> > > > > > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > > > > > >
> > > > > > > Staging repo:
> > > > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070
> > > > > > > Source (official release artifact):
> > > > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-src.tar.gz
> > > > > > > Binary:
> > > > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-bin.tar.gz
> > > > > > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
> > > > > > > given artifact.)
> > > > > > >
> > > > > > > All artifacts were built and staged with:
> > > > > > >     mvn release:prepare && mvn release:perform
> > > > > > >
> > > > > > > Signing keys are available at
> > > > > > > https://www.apache.org/dist/accumulo/KEYS
> > > > > > > (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D)
> > > > > > >
> > > > > > > Release notes (in progress) can be found at:
> > > > > > > https://accumulo.apache.org/release/accumulo-1.9.0/
> > > > > > >
> > > > > > > Please vote one of:
> > > > > > > [ ] +1 - I have verified and accept...
> > > > > > > [ ] +0 - I have reservations, but not strong enough to vote against...
> > > > > > > [ ] -1 - Because..., I do not accept...
> > > > > > > ... these artifacts as the 1.9.0 release of Apache Accumulo.
> > > > > > >
> > > > > > > This vote will remain open until at least Sun Apr 15 22:30:00 UTC 2018
> > > > > > > (Sun Apr 15 18:30:00 EDT 2018 / Sun Apr 15 15:30:00 PDT 2018).
> > > > > > > Voting continues until the release manager sends an email closing the
> > > > > > > vote.
> > > > > > >
> > > > > > > Thanks!
> > > > > > >
> > > > > > > P.S. Hint: download the whole staging repo with
> > > > > > >     wget -erobots=off -r -l inf -np -nH \
> > > > > > >     https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/
> > > > > > >     # note the trailing slash is needed
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> 
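
Added example, not part of the thread or of Accumulo's release tooling: a voter-side check that an RC directory such as the dist.a.o dev area discussed above holds, for every tarball, a `.sha512` file that matches the artifact and a `.asc` file, and no `.md5` files. The function names and the assumption that each `.sha512` file carries the hex digest as its first field are assumptions of this example; verifying the signatures against KEYS with gpg remains a separate step.

```shell
#!/bin/sh
# Added example: voter-side check of a release-candidate directory.
# Assumption: each .sha512 file holds the hex digest as its first field
# (a bare digest or `sha512sum` output format).
# Usage: check_rc_dir ./1.9.0

# check_artifact FILE -> 0 if FILE.sha512 exists and matches FILE, 1 otherwise
check_artifact() {
    artifact=$1
    sumfile="$artifact.sha512"
    if [ ! -f "$sumfile" ]; then
        echo "MISSING  $sumfile"
        return 1
    fi
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512sum "$artifact" | awk '{print $1}')
    if [ "$expected" != "$actual" ]; then
        echo "MISMATCH $artifact"
        return 1
    fi
    echo "OK       $artifact"
}

# check_rc_dir DIR -> 0 only if every tarball has a matching .sha512 and a
# .asc beside it, and the directory contains no .md5 files
check_rc_dir() {
    dir=$1
    status=0
    found=0
    for artifact in "$dir"/*.tar.gz; do
        [ -f "$artifact" ] || continue
        found=1
        check_artifact "$artifact" || status=1
        if [ ! -f "$artifact.asc" ]; then
            echo "MISSING  $artifact.asc"
            status=1
        fi
    done
    for md5 in "$dir"/*.md5; do
        [ -f "$md5" ] || continue
        echo "UNWANTED $md5"
        status=1
    done
    [ "$found" -eq 1 ] || { echo "NO ARTIFACTS in $dir"; status=1; }
    return "$status"
}
```

A non-zero return from `check_rc_dir` means at least one artifact lacks a checksum or signature file, fails its SHA-512 comparison, or ships alongside an MD5 file.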
