You will need a PGP key, if you don't have one already: https://www.apache.org/dev/release-signing
I would create an "out" folder in a flex-asjs working copy, and unzip the binary package in there, then add the missing file. Then I would run: ant binary-package-tgz binary-package-zip That should create a tar.gz and .zip file in the out folder. I would copy the source packages into the out folder". Then: ant create-md5 Then finally: ant sign In theory, the -src.* files will be untouched and you will have new -bin.* files. 6 of them to be exact. These files go up on dist.apache.org via SVN (not Git). The URL is: https://dist.apache.org/repos/dist/release/flex/flexjs I can probably do it, but I'm hoping you will just so we have another PMC member set up with the pieces to do releases. Thanks, -Alex On 9/8/16, 5:48 PM, "Josh Tynjala" <[email protected]> wrote: >I can probably do that tomorrow. Can you point me to instructions? I don't >know where to upload the updated binaries or what the Apache process is to >do the signing. Is there an easy way to generate an md5 for a file on Mac? > >- Josh > >On Thu, Sep 8, 2016 at 5:24 PM, Alex Harui <[email protected]> wrote: > >> >> >> On 9/8/16, 4:12 PM, "Josh Tynjala" <[email protected]> wrote: >> >> >To avoid this issue in the future, whichever ant target is used to >>create >> >a >> >binary release should probably clean everything first. Another >>potential >> >issue is that someone might modify their downloaded files to test >> >something >> >locally and forget to revert them. In other words, local modifications >> >could end up in a binary release without any kind of warning. If the >>full >> >binary release build forced a clean and re-downloaded dependencies, >>that >> >would handle both issues. >> >> For me, the GCL files are outside the ant folders so a clean wouldn't >> help. It is an interesting Apache-ism that they recommend building >> artifacts locally. It would be way more safe IMO to just ship something >> from the CI server. But that's also a reason that only the source >> artifact is an official release. The binary artifacts are harder to >> verify and thus aren't official releases, just a convenience. >> >> > >> >Can we update the binary release of 0.7.0? Or do we need to do a >>0.7.1? As >> >far as I can tell, the source bits are fine because the downloads are >>part >> >of building from source. >> >> In this case, I think you can add that one file to the binary package, >> update the md5 files and sign it and push it back up there. >> >> -Alex >> >>
