I would imagine that this would have to either happen on Apache infra or be a GH action administered by someone with uber rights, though, yes, this is a good option. I don't have all the working pieces in my flows, but it would be convenient for my packages to have a similar mechanism, so if this is something the PMC would be interested in, I could play-test it against PeanutButter.* before proposing an automated solution?

-d


On August 17, 2020 20:07:34 Dominik Psenner <dpsen...@gmail.com> wrote:

Is there an option to trust a ci machine and automate the publish with a
push of a tag after a successful vote? With this, anyone having the
possibility to push a tag can forge a release with almost no effort.
--
Sent from my phone. Typos are a kind gift to anyone who happens to find
them.

On Mon, Aug 17, 2020, 19:21 Davyd McColl <dav...@gmail.com> wrote:

Correct, nuget publish. An option, once I'm trusted, is to allow me to
publish. My nuget login is done via Microsoft credentials for
dav...@gmail.com, and is secured by 2FA, so the only real risk is how
dodgy I am (:

If it's of interest to anyone, my profile is at
https://www.nuget.org/profiles/davydm

-d


On August 17, 2020 18:46:50 Dominik Psenner <dpsen...@gmail.com> wrote:

> I guess that would be a nuget publish.
>
> https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package
>
> The credentials to that account are stored in the private repos of logging
> pmc. Most members of the pmc should be in the set of recipients with their
> gpg key.
> --
> Sent from my phone. Typos are a kind gift to anyone who happens to find
> them.
>
> On Mon, Aug 17, 2020, 08:56 Davyd McColl <dav...@gmail.com> wrote:
>
>> Great!
>>
>> How do we get the nupkg to nuget.org? This is the final step that most
>> users are going to be interested in.
>>
>> Having a look at what's at the url you posted, I have ideas on how to
>> streamline future releases, so the next time I'm in that area, I'm
>> definitely implementing those ideas. I don't see changes to the Release
>> Notes area -- if I were to try to streamline that into a release, would a
>> CHANGELOG file be useful? Or is there a better way?
>>
>> -d
>> On 2020/08/16 23:26:07, Matt Sicker <boa...@gmail.com> wrote:
>> I committed them to dist already. I don't know how long we should wait
>> for any mirroring to catch up, though on my end, I see updated
>> artifacts on https://downloads.apache.org/logging/log4net/ other than
>> the release notes.
>>
>> On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote:
>> >
>> > +1 to that!
>> >
>> > Let me know when these are published. I can update the web site to
>> > reflect that it is no longer dormant.
>> >
>> > Ralph
>> >
>> > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote:
>> > >
>> > > Thanks so much for your help in releasing this!
>> > >
>> > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote:
>> > >>
>> > >> I'll make changes to the automated build to affect all changes you have
>> > >> made (and perhaps will make) automatically to future releases for the next
>> > >> release. Apologies for making this more difficult than it needs to be (:
>> > >>
>> > >> -d
>> > >>
>> > >>
>> > >> On August 16, 2020 20:37:01 Matt Sicker wrote:
>> > >>
>> > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries
>> > >>> zip, and a rename of the files to include "apache" in the name. I've
>> > >>> uploaded them to dist along with updating the KEYS file for log4net,
>> > >>> though that should probably be merged together with the project-wide
>> > >>> KEYS file in the parent directory. There's an outdated README.html in
>> > >>> the directory still containing the old release notes, but we can
>> > >>> address that next.
>> > >>>
>> > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote:
>> > >>>>
>> > >>>> One issue I found in one of the artifacts that I can address before
>> > >>>> uploading since it wasn't signed is the binaries zip is missing the
>> > >>>> LICENSE file. I'm not sure if there's a standard way to include that
>> > >>>> in the nupkg file, but I did see that in its metadata, it explicitly
>> > >>>> says the code is Apache2 licensed at least.
>> > >>>>
>> > >>>> On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote:
>> > >>>>>
>> > >>>>> I'll sign and publish the artifacts today.
>> > >>>>>
>> > >>>>> On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote:
>> > >>>>>>
>> > >>>>>> Thanks Remko. That makes 3 +1 votes from PMC members.
>> > >>>>>>
>> > >>>>>> Ralph
>> > >>>>>>
>> > >>>>>>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote:
>> > >>>>>>>
>> > >>>>>>> +1 Remko.
>> > >>>>>>>
>> > >>>>>>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote:
>> > >>>>>>>
>> > >>>>>>>> +1 from me. We can handle the release signing afterwards as Ralph
>> > >>>>>>>> suggests.
>> > >>>>>>>>
>> > >>>>>>>> On Mon, 3 Aug 2020 at 10:30, Ralph Goers wrote:
>> > >>>>>>>>>
>> > >>>>>>>>> Can other PMC members please review this? It has been more than 72
>> > >>>>>>>>> hours.
>> > >>>>>>>>>
>> > >>>>>>>>> Ralph
>> > >>>>>>>>>
>> > >>>>>>>>>> On Jul 30, 2020, at 11:17 PM, Davyd McColl wrote:
>> > >>>>>>>>>>
>> > >>>>>>>>>> Hi all, I've never done this before, so bear with me if I fluff it:
>> > >>>>>>>>>>
>> > >>>>>>>>>> This is a proposed vote to release log4net 2.0.9 from PR
>> > >>>>>>>>>> https://github.com/apache/logging-log4net/pull/61
>> > >>>>>>>>>>
>> > >>>>>>>>>> Release artifacts (including source zip) are at:
>> > >>>>>>>>>> https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts
>> > >>>>>>>>>> Source can be checked out from
>> > >>>>>>>>>> https://github.com/fluffynuts/logging-log4net/logging-log4net, tag
>> > >>>>>>>>>> rel/2.0.9. I can't push tags to the upstream, but this tag is exactly the
>> > >>>>>>>>>> same commit as the last in the PR mentioned above, which was accepted into
>> > >>>>>>>>>> master a few days ago.
>> > >>>>>>>>>>
>> > >>>>>>>>>> Please check out the artifacts & if everyone is ok with what's there,
>> > >>>>>>>>>> please can someone with the rights to publish to nuget do so.
>> > >>>>>>>>>>
>> > >>>>>>>>>> Once I've seen how this process works, I'd like to tackle the CVE that
>> > >>>>>>>>>> has been brought up on this list more than once -- it's a simple change
>> > >>>>>>>>>> which was already committed to the develop branch some time ago, so there
>> > >>>>>>>>>> are a couple of options here:
>> > >>>>>>>>>> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only
>> > >>>>>>>>>> that change
>> > >>>>>>>>>> 2. trawl the develop branch to see what else was already solved in
>> > >>>>>>>>>> there, and get that out as 2.0.10, and perhaps close out that branch to
>> > >>>>>>>>>> avoid future confusion.
>> > >>>>>>>>>>
>> > >>>>>>>>>> Thanks for your time
>> > >>>>>>>>>> -d
>> > >>>>>>>>>
>> > >>>>>>>>>
>> > >>>>>>>>
>> > >>>>>>>>
>> > >>>>>>>> --
>> > >>>>>>>> Matt Sicker
>> > >>>>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> --
>> > >>>>> Matt Sicker
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> --
>> > >>>> Matt Sicker
>> > >>>
>> > >>>
>> > >>>
>> > >>> --
>> > >>> Matt Sicker
>> > >
>> > >
>> > >
>> > > --
>> > > Matt Sicker
>> > >
>> >
>> >
>>
>>
>> --
>> Matt Sicker
>>
