+1 verified signatures and hashes. Thank you Luke.
On Thu, Jun 20, 2019 at 12:27 PM Lukasz Cwik <lc...@google.com> wrote: > We should verify the signatures of the artifacts. > > Otherwise, there is little risk in releasing these artifacts because no > one consumes them yet. PR/8899[1] updates Apache Beam to start using them > and will go through the regular precommit/postcommit tests. > > If you want to perform additional validation you can: > * clone the PR and run any tests that you may want after fetching the > artifacts and placing them in your local maven repo > * download the artifacts and manually validate the classes only appear in > the org.apache.beam.vendor namespace with the appropriate package prefix. > Note that there is a unit test that does this as part of the publishing > process[2]. > > This thread[3] is an example of previous release of vendored artifacts. > > 1: https://github.com/apache/beam/pull/8899 > 2: > https://github.com/apache/beam/blob/c775eda2df6457a784a1945d16cf781abb453d5f/buildSrc/src/main/groovy/org/apache/beam/gradle/VendorJavaPlugin.groovy#L127 > 3: > https://lists.apache.org/thread.html/9efb2aeab102e41367bf6b1f274d3ee5990024afd934392a339c4d00@%3Cdev.beam.apache.org%3E > > On Thu, Jun 20, 2019 at 11:20 AM Ahmet Altay <al...@google.com> wrote: > >> What is the best way to validate this? >> >> On Thu, Jun 20, 2019 at 9:51 AM Lukasz Cwik <lc...@google.com> wrote: >> >>> Hi everyone, >>> >>> Please review the release of the following artifacts that we vendor: >>> beam-vendor-guava-26_0-jre >>> beam-vendor-grpc-1_21_0 >>> >>> Please vote as follows: >>> [ ] +1, Approve the release >>> [ ] -1, Do not approve the release (please provide specific comments) >>> >>> The complete staging area is available for your review, which includes: >>> * all artifacts to be deployed to the Maven Central Repository [1], >>> * commit hash "996b4c3733545aaa3b93fd35296a391126026a1c" [2], >>> * which is signed with the key with fingerprint >>> EAD5DE293F4A03DD2E77565589E68A56E371CCA2 [3], >>> >>> The vote will be open for at least 72 hours. It is adopted by majority >>> approval, with at least 3 PMC affirmative votes. >>> >>> Note I have no intention to get this into the current 2.14 release that >>> is being worked on and will have the version update go out with the next >>> release. >>> >>> Thanks, >>> Luke >>> >>> [1] >>> https://repository.apache.org/content/repositories/orgapachebeam-1074/ >>> [2] https://github.com/apache/beam/pull/8899 >>> [3] https://dist.apache.org/repos/dist/release/beam/KEYS >>> >>>
