To follow up the thread on releasing parent 42 and exactly what needs to be signed, etc., I’ve researched ASF release policy. Here’s the gist:

1. Every ASF release must contain a source package, which must be sufficient for a user to build and test the release provided they have access to the appropriate platform and tools. <http://www.apache.org/dev/release#what-must-every-release-contain>
2. A release isn't 'released' until the contents are in the project's distribution directory, which is a subdirectory of www.apache.org/dist/ <http://www.apache.org/dev/release#where-do-releases-go>.
3. Every artifact distributed to the public through Apache channels MUST be accompanied by one file containing an OpenPGP compatible ASCII armored detached signature and another file containing an MD5 checksum. <https://www.apache.org/dev/release-distribution.html#sigs-and-sums>

What do we consider the source package for our releases? Are the xxx-sources.jar, xxx-test-sources.jar, and pom sufficient to build and test the release? Is the zip/gz just a convenience and is it still useful/required? Or is it the reverse, the zip/gz is the release and the jars are the convenience distributions?

regards,
chas
