Assuming that the slf4j-api.jar file isn't a showstopper,

- signatures and checksums match
- source builds
- apache rat passes

+1

Below are the linux commands I used to verify the release of the cayenne-4.0.RC1 files:

=============================================

wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-macosx.dmg
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-macosx.dmg.asc
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-macosx.dmg.md5
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-src.tar.gz
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-src.tar.gz.asc
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-src.tar.gz.md5
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-win.zip
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-win.zip.asc
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1-win.zip.md5
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1.tar.gz
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1.tar.gz.asc
wget https://dist.apache.org/repos/dist/dev/cayenne/4.0.RC1/cayenne-4.0.RC1.tar.gz.md5

# check checksums
## made with gpg --print-md MD5 cayenne-X.X.tar.gz
cat *.md5 | tr -d ' ' | awk 'BEGIN{OFS=" "; FS=":"} {tmp=$1;$1=$2;$2=tmp;print}' | md5sum -c

# check signatures
wget http://www.apache.org/dist/cayenne/KEYS
gpg --import KEYS
find . -name '*.asc' -exec gpg --verify {} \;

# verify .tar.gz and -win.zip files are identical -- flawed process due to platform building differences
mkdir src
cd src
tar xvf ../cayenne-4.0.RC1.tar.gz
mv cayenne-4.0.RC1/ cayenne-4.0.RC1-tar-gz
unzip ../cayenne-4.0.RC1-win.zip

# should be no output
# but windows and tar package are built with different java versions.
## differences in jars, pdfs, html, exe resources; whitespace diffs for js, css, package-list between tar.gz and zip(win)
diff -rq cayenne-4.0.RC1* | grep -v "jar differ" | grep -v "html differ" | grep -v "package-list differ" | grep -v "script.js" | grep -v "pdf differ" | grep -v ".css differ"

# should be "are identical" output except for exe
diff -wsrq cayenne-4.0.RC1* | grep -v "jar differ" | grep -v "html differ" | grep -v "pdf differ" | grep -v "are identical"

# unpack source
tar xvzf ../cayenne-4.0.RC1-src.tar.gz

# build source
cd cayenne-4.0.RC1-src
mvn install

## mvn apache-rat currently unused for cayenne
# manually verify that there are no unknown or unapproved licensed files
./rat.sh ../../../../java/apache-rat-0.11/apache-rat-0.11.jar

##mvn apache-rat:check
# To check for all errors, if more than one project is affected
# mvn apache-rat:check -Drat.numUnapprovedLicenses=9999
# To see details of rat failure
# mvn -e -X apache-rat:check

On Sat, Apr 21, 2018 at 9:43 AM, Mike Kienenberger <[email protected]> wrote:
> Checking the release. Why does slf4j-api-1.7.25.jar exist in
> cayenne-4.0.RC1-tar-gz but not in cayenne-4.0.RC1-win.zip?
>
> # diff -rq cayenne-4.0.RC1-tar-gz/ cayenne-4.0.RC1-win/
> [...]
> Only in cayenne-4.0.RC1-tar-gz/lib/third-party: slf4j-api-1.7.25.jar
> [...]
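
An added example, not part of the message above or of the Cayenne project's tooling: a fail-closed version of the "check checksums" step, so that a malformed, missing or mismatching entry produces a non-zero exit status a script can act on. It assumes each `.md5` file holds one line in the `name: HEX PAIRS` layout that the `tr`/`awk` pipeline above implies; the function name `verify_gpg_md5` and its messages are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed check of gpg-style ".md5" files.
# Assumed file layout (what the tr/awk pipeline in the message implies):
#   <artifact-name>: AB CD EF ...   (hex pairs, spaces, either case)

# verify_gpg_md5 DIR -> returns 0 only if every *.md5 in DIR matches its artifact.
verify_gpg_md5() {
    dir=$1
    failed=0
    seen=0
    for sum in "$dir"/*.md5; do
        [ -f "$sum" ] || continue
        seen=1
        artifact=${sum%.md5}
        # Digest is everything after the last colon; drop whitespace, lowercase.
        expected=$(sed -n '1s/^.*://p' "$sum" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
        # Anything that is not exactly 32 hex digits counts as malformed.
        case $expected in
            *[!0-9a-f]*) expected= ;;
        esac
        if [ "${#expected}" -ne 32 ]; then
            echo "MALFORMED $sum" >&2; failed=1; continue
        fi
        if [ ! -f "$artifact" ]; then
            echo "MISSING   $artifact" >&2; failed=1; continue
        fi
        actual=$(md5sum < "$artifact" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $artifact"
        else
            echo "MISMATCH  $artifact" >&2; failed=1
        fi
    done
    # A directory with no checksum files is a failure, not a pass.
    [ "$seen" -eq 1 ] || { echo "no .md5 files in $dir" >&2; return 1; }
    return "$failed"
}
```

The MD5 comparison only detects a corrupted download; authenticity still rests on the `gpg --verify` step against the project's KEYS file.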
