Absolutely, sebb! This is what I've been saying all along. If I had more time I'd vote -1 to every attempted release that used or intended to use respun tags/artifacts without revisions and checksums. So here's one for this one until rectified properly -1!
On Tue, Jun 25, 2013 at 12:28 PM, sebb <seb...@gmail.com> wrote:

> On 25 June 2013 07:46, Ralph Goers <ralph.go...@dslextreme.com> wrote:
> > KEYS file - http://svn.apache.org/repos/asf/maven/project/KEYS
>
> Thanks, the key id used for signing is in the file.
> Also the id is available from key servers.
>
> > svn tag - http://svn.apache.org/repos/asf/maven/plugins/tags/maven-javadoc-plugin-2.9.1
>
> Thanks, but that is insufficient as the tag has been recreated several
> times.
> I think the last one was r1496317
>
> If there is ever a question about how a certain file got into a
> release, it's vital to have traceability.
>
> The source archive agrees with the SVN tag, apart from some expected
> differences - e.g. DEPENDENCIES is only in the source archive
>
> > +1 on the release however it is odd that the Release Notes page is empty.
> > Please fix that on the actual site deploy.
> >
> > Ralph
> >
> > On Jun 24, 2013, at 7:15 PM, sebb wrote:
> >
> >> On 25 June 2013 02:48, Olivier Lamy <ol...@apache.org> wrote:
> >>> Hi,
> >>> I'd like to release Apache Maven Javadoc Plugin 2.9.1.
> >>>
> >>> This version contains the code to fix the javadoc security issue after
> >>> the javadoc generation.
> >>>
> >>> Since previous try I fix the @since for applying the javadoc security
> >>> fix.
> >>>
> >>> We fixed 6 issues:
> >>> https://jira.codehaus.org/secure/ReleaseNote.jspa?version=18843&styleName=Text&projectId=11138&Create=Create
> >>>
> >>> Staging repository:
> >>> https://repository.apache.org/content/repositories/maven-066/
> >>
> >> The NOTICE file still has a spurious blank line at the start; it
> >> should be removed before the next release candidate.
> >>
> >>> Staging site:
> >>> http://maven.apache.org/plugins-archives/maven-javadoc-plugin-2.9.1/
> >>
> >> The release notes page is empty, as before.
> >> Given that this release has a vital change in it, that is very
> >> unfortunate.
> >>
> >> SVN tag and revision?
> >> Without them, how can reviewers determine the provenance of the source
> >> files in the source release?
> >>
> >> KEYS file?
> >> How can we check the sigs?
> >>
> >>> Vote open for 72H
> >>>
> >>> [+1]
> >>> [0]
> >>> [-1]
> >>>
> >>> Thanks,
> >>> --
> >>> Olivier Lamy
> >>> Ecetera: http://ecetera.com.au
> >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >>> For additional commands, e-mail: dev-h...@maven.apache.org
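
The comparison sebb describes (source archive against the tag, with DEPENDENCIES as an expected archive-only file), as an added example that is not part of the thread or of the Maven project's tooling. The file names and contents in `demo()` are constructed, and the archive's top-level directory name is an assumption; in a real review the tree would be an export of the tag at the revision stated in the vote.

```python
import hashlib, io, pathlib, tempfile, zipfile

EXPECTED_ARCHIVE_ONLY = {"DEPENDENCIES"}  # expected difference named in the thread

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def archive_digests(zip_bytes):
    """Relative path -> SHA-256 for each file in a source-release zip,
    with the single top-level directory stripped."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                rel = info.filename.partition("/")[2] or info.filename
                digests[rel] = sha256(zf.read(info))
    return digests

def tree_digests(root):
    """Relative path -> SHA-256 for each file under an exported tag."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(archive, tag, expected_archive_only=EXPECTED_ARCHIVE_ONLY):
    """Report every difference that is not on the expected list."""
    a, t = set(archive), set(tag)
    return {
        "unexpected_in_archive": sorted(a - t - set(expected_archive_only)),
        "missing_from_archive": sorted(t - a),
        "content_differs": sorted(p for p in a & t if archive[p] != tag[p]),
    }

def demo():
    """Constructed sample: the tag was recreated after the archive was built."""
    tag_files = {"pom.xml": b"<project/>\n", "NOTICE": b"Maven Javadoc Plugin\n",
                 "src/main/java/A.java": b"class A {}\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tag_files.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for rel, data in tag_files.items():
                # Constructed drift: the archive's NOTICE has a leading blank line.
                zf.writestr("src-release/" + rel, b"\n" + data if rel == "NOTICE" else data)
            zf.writestr("src-release/DEPENDENCIES", b"constructed\n")
        return compare(archive_digests(buf.getvalue()), tree_digests(root))
```

An empty report means the archive matches the tree it was compared with; that only establishes provenance if the tree was exported at a fixed revision number rather than at a tag name that can be recreated.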