Saturday, March 31, 2018, 8:13:16 PM, Jacques Le Roux wrote:

> Le 31/03/2018 à 19:42, Daniel Dekany a écrit :
>> Saturday, March 31, 2018, 5:44:07 PM, Jacques Le Roux wrote:
>>
>>> +1 (binding)
>>>
>>> Sha1 and MD5 on freemarker-2.3.28.jar OK.
>>>
>>> I think we should drop sha1 with md5 and provide sha256 at least.
>>>
>>> For now it's OK with sha1 as Jacopo's link at [1] says.
>> But we don't provide an sha1. It's an sha512.
> At
> https://repository.apache.org/content/repositories/staging/org/freemarker/freemarker/2.3.28/
> I see only .sha1 suffixes
> To check sha in
> https://repository.apache.org/content/repositories/staging/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.jar.sha1
>  with value
> 7200064467a935052f99d114c2c05c3d189bc6d6
> I used this Windows tool:
> https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility
> It reports
>      MD5 Checksum: C5E35D814518DA7B0247D42311B8E296
>      SHA-1 Checksum: 7200064467A935052F99D114C2C05C3D189BC6D6
>      SHA-256 Checksum:
> DE92D103D3A86C2287307218FF50DC1C941DE283F7B9E1FB23E93FC7220838BF
>      SHA-512 Checksum:
> 44435CB2B6BA02ABACDC4A21BEA44A2DC50FAA1B486FC5B2F79097A68F1F98CA24AA835448AC5DEC33A1869EED1B8A32AC285E95FDABBDAFAA810D575951894E
> What could be wrong?

We are talking about two different things. The material linked by
Jacopo talks about the checksums used on dist.apache.org (like
https://dist.apache.org/repos/dist/dev/freemarker/engine/2.3.28/source/),
not about the Maven repositories.

Also, as far as I see, everybody only has md5 and sha1 in the Maven
repositories. It's generated by Maven itself. I guess that isn't
supposed to protect against fraud...

>>
>>> OFBiz trunk HEAD with freemarker-2.3.28 works well (for myself to
>>> remember: putting  pom+jar in my local maven repo and adding
>>>            maven {
>>>                   url
>>> "https://repository.apache.org/content/repositories/staging/org/freemarker";
>>>               }
>>> in the main OFBiz build.gradle repositories
>> You don't need to add the staged artifact(s) to your local repository
>> manually, because you have added the ASF staging repo to the repos.
>> Except, your repo URL was wrong, so it did nothing. It should be:
>> "https://repository.apache.org/content/repositories/staging/";
>
> When I do so I get
> C:\projectsASF\ofbiz>gradlew clean ofbiz
> FAILURE: Build failed with an exception.
>
> * Where:
> Build file 'C:\projectsASF\ofbiz\build.gradle' line: 1031
>
> * What went wrong:
> A problem occurred evaluating root project 'ofbiz'.
 >> Could not resolve all dependencies for configuration ':runtime'.
>     > Could not find org.freemarker:freemarker:2.3.28.
>       Searched in the following locations:
> https://jcenter.bintray.com/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.pom
> https://jcenter.bintray.com/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.jar
> file:/C:/Users/Jacques/.m2/repository/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.pom
> file:/C:/Users/Jacques/.m2/repository/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.jar
>       Required by:
>           project :
>     > Could not find org.freemarker:freemarker:2.3.28.
>       Searched in the following locations:
> https://jcenter.bintray.com/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.pom
> https://jcenter.bintray.com/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.jar
> file:/C:/Users/Jacques/.m2/repository/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.pom
> file:/C:/Users/Jacques/.m2/repository/org/freemarker/freemarker/2.3.28/freemarker-2.3.28.jar
>       Required by:
>           project : > com.googlecode.ez-vcard:ez-vcard:0.9.10
>
> * Try:
> Run with --stacktrace option to get the stack trace. Run with
> --info or --debug option to get more log output.

Seems that it did not tried to use a ASF snapshot repo at all. I don't
know why, but ideally it should be tested with that.

> BUILD FAILED
>
> Total time: 3.623 secs
>
> Could be an OFBiz issue rather...
>
> Jacques
>
>
>>
>>> Jacques
>>>
>>>
>>> Le 31/03/2018 à 10:48, Jacopo Cappellato a écrit :
>>>> +1 (binding)
>>>>
>>>> ***verifications performed on apache-freemarker-2.3.28-src.tar.gz:
>>>> verified successfully sha512
>>>> verified successfully md5 (however with the new policy updates this
>>>> checksum can be removed in future releases, see [1])
>>>> verified successfully the signature
>>>> build successful
>>>> all unit tests successful
>>>>
>>>> ***verifications performed on apache-freemarker-gae-2.3.28-src.tar.gz:
>>>> verified successfully sha512
>>>> verified successfully md5 (however with the new policy updates this
>>>> checksum can be removed in future releases, see [1])
>>>> verified successfully the signature
>>>> build successful
>>>> all unit tests successful
>>>>
>>>> ***verifications performed on Maven artifact (freemarker-2.3.28.jar):
>>>> tested successfully with Apache OFBiz trunk
>>>>
>>>> Kind regards,
>>>>
>>>> Jacopo Cappellato
>>>>
>>>> [1] http://www.apache.org/dev/release-distribution#sigs-and-sums
>>>>
>>>> On Sat, Mar 31, 2018 at 12:31 AM, Daniel Dekany <ddek...@apache.org> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Please vote on releasing FreeMarker 2.3.28! Note that as this is not
>>>>> an incubating release anymore, if this vote passes, then the product
>>>>> will be immediately released (there's no IPMC to review it in a second
>>>>> round), so check the release carefully! Also please watch out for any
>>>>> mistakes I make because of differences to releasing from outside the
>>>>> Incubator for the first time. Thanks!
>>>>>
>>>>> Note that because there weren't many deep changes since the last
>>>>> release, we have no Release Candidate this time. Thus, it's important
>>>>> that you don't skip testing this release with your dependant projects.
>>>>>
>>>>> Release Notes:
>>>>> https://freemarker.apache.org/builds/2.3.28-voting/
>>>>> documentation/versions_2_3_28.html
>>>>>
>>>>> Before proceed, you should know that FreeMarker 2.3.x, for a long
>>>>> time, always releases a normal and a "gae" variant on the same time,
>>>>> which are technically two independent source trees (Git branches). The
>>>>> "gae" variant contains a few small modification in the Java source
>>>>> code to be Google App Engine compliant, and has freemarker-gae as the
>>>>> Maven artifact name. Otherwise the normal and the "gae" branches are
>>>>> identical. Hence they will be voted on together.
>>>>>
>>>>> The commits to be voted upon are:
>>>>> - Normal (non-gae) variant:
>>>>>     https://git-wip-us.apache.org/repos/asf?p=freemarker.git;a=commit;h=
>>>>> 8ee391d10e0256d57a326d83dd487639ccd9659c
>>>>>     Commit hash: 8ee391d10e0256d57a326d83dd487639ccd9659c
>>>>> - "gae" variant:
>>>>>     https://git-wip-us.apache.org/repos/asf?p=freemarker.git;a=commit;h=
>>>>> 8c8fb4c02d63141bd2cee9630cc27a9340d0f94c
>>>>>     Commit hash: 8c8fb4c02d63141bd2cee9630cc27a9340d0f94c
>>>>>
>>>>> The artifacts to be voted upon are located here:
>>>>> https://dist.apache.org/repos/dist/dev/freemarker/engine/2.3.28/source/
>>>>> where the source release artifacts are:
>>>>> - Normal (non-gae) variant:
>>>>>     apache-freemarker-2.3.28-src.tar.gz
>>>>> - "gae" variant:
>>>>>     apache-freemarker-gae-2.3.28-src.tar.gz
>>>>>
>>>>> See the README.md inside them for build instructions!
>>>>>
>>>>> The release artifacts are signed with the following key:
>>>>> https://people.apache.org/keys/committer/ddekany.asc
>>>>>
>>>>> For convenience, we also provide binaries, which also need to be checked:
>>>>> https://dist.apache.org/repos/dist/dev/freemarker/engine/2.3.28/binaries/
>>>>> and Maven artifacts in the ASF staging repository:
>>>>> https://repository.apache.org/content/repositories/staging/
>>>>> org/freemarker/freemarker/2.3.28/
>>>>>
>>>>> Please try out the package and vote!
>>>>>
>>>>> The vote is open for a minimum of 72 hours or until the necessary number 
>>>>> of
>>>>> votes (3 binding +1s) is reached.
>>>>>
>>>>> [ ] +1 Release this package as Apache FreeMarker 2.3.28
>>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>>>> [ ] -1 Do not release this package because...
>>>>>
>>>>> Please add "(binding)" if your vote is binding.
>>>>>
>>>>> --
>>>>> Thanks,
>>>>>    Daniel Dekany
>>>>>
>>>>>
>>>
>
>

-- 
Thanks,
 Daniel Dekany

Reply via email to