We should verify the signatures of the artifacts. Otherwise, there is little risk in releasing these artifacts because no one consumes them yet. PR/8899[1] updates Apache Beam to start using them and will go through the regular precommit/postcommit tests.
If you want to perform additional validation you can: * clone the PR and run any tests that you may want after fetching the artifacts and placing them in your local maven repo * download the artifacts and manually validate the classes only appear in the org.apache.beam.vendor namespace with the appropriate package prefix. Note that there is a unit test that does this as part of the publishing process[2]. This thread[3] is an example of previous release of vendored artifacts. 1: https://github.com/apache/beam/pull/8899 2: https://github.com/apache/beam/blob/c775eda2df6457a784a1945d16cf781abb453d5f/buildSrc/src/main/groovy/org/apache/beam/gradle/VendorJavaPlugin.groovy#L127 3: https://lists.apache.org/thread.html/9efb2aeab102e41367bf6b1f274d3ee5990024afd934392a339c4d00@%3Cdev.beam.apache.org%3E On Thu, Jun 20, 2019 at 11:20 AM Ahmet Altay <al...@google.com> wrote: > What is the best way to validate this? > > On Thu, Jun 20, 2019 at 9:51 AM Lukasz Cwik <lc...@google.com> wrote: > >> Hi everyone, >> >> Please review the release of the following artifacts that we vendor: >> beam-vendor-guava-26_0-jre >> beam-vendor-grpc-1_21_0 >> >> Please vote as follows: >> [ ] +1, Approve the release >> [ ] -1, Do not approve the release (please provide specific comments) >> >> The complete staging area is available for your review, which includes: >> * all artifacts to be deployed to the Maven Central Repository [1], >> * commit hash "996b4c3733545aaa3b93fd35296a391126026a1c" [2], >> * which is signed with the key with fingerprint >> EAD5DE293F4A03DD2E77565589E68A56E371CCA2 [3], >> >> The vote will be open for at least 72 hours. It is adopted by majority >> approval, with at least 3 PMC affirmative votes. >> >> Note I have no intention to get this into the current 2.14 release that >> is being worked on and will have the version update go out with the next >> release. >> >> Thanks, >> Luke >> >> [1] >> https://repository.apache.org/content/repositories/orgapachebeam-1074/ >> [2] https://github.com/apache/beam/pull/8899 >> [3] https://dist.apache.org/repos/dist/release/beam/KEYS >> >>
