Hi Pierre, see my comments inline:

On Wed, Mar 4, 2020 at 4:12 PM Pierre Smits <pierresm...@apache.org> wrote:

> Hi all,
>
> Recently the releases became available via the official repositories on
> Github:
>
>    - https://github.com/apache/ofbiz-framework/releases
>    - https://github.com/apache/ofbiz-plugins/releases

These are Git tags that have been created to "tag the release" similarly to what we used to do with svn; however they are not "releases": in fact these are two files while we have just one official release file (that combines the two).

> I tried to verify these with the function available in the ofbiz-tools repo,
> like:
>
> ../dev/asf/ofbiz/ofbiz-tools/verify-ofbiz-release.sh ofbiz-framework-release17.12.01.zip
>

That script verifies the signature and checksum but in order to work you actually have to download the checksum and signature files (that you can find in the public official release distribution folder [*]); the errors you are getting just tell you that the files are not available in your folder.

However, the "release" files that you can download from GitHub are NOT the actual release files; they are simply generated by GitHub from the tags; for this reason they will not match the signature and checksum.

If this is going to cause some confusion, we can check what other ASF projects are doing in this area; one easy (possibly temporary) solution could be that of removing the tags so that they do not appear as downloadable releases in GitHub.

Any ideas or suggestions?

Jacopo

[*] https://downloads.apache.org/ofbiz/

> With the following result:
>
> skipping sha check! (sha checksum file ofbiz-framework-release17.12.01.zip.sha512 not found)
> skipping signature check! (signature file ofbiz-framework-release17.12.01.zip.asc not found)
>
> This is not a good sign reputation-wise. With the availability of releases
> on Github, and our new contribution methodology through Git and Github more
> people will become aware and download it from there. We must ensure that
> these files can be verified regarding authenticity.
>
> Kind regards,
>
> Pierre Smits
> *Proud* *contributor** of* Apache OFBiz <https://ofbiz.apache.org/> since
> 2008 (without privileges)
>
> *Apache Trafodion <https://trafodion.apache.org>, Vice President*
> *Apache Directory <https://directory.apache.org>, PMC Member*
> Apache Incubator <https://incubator.apache.org>, committer
> Apache Steve <https://steve.apache.org>, committer
>
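
An added example, not part of the original thread and not the project's `verify-ofbiz-release.sh`: a fail-closed form of the check discussed above, which reports a missing `.sha512` or `.asc` file as a failure instead of skipping the check. The function names and exit codes are assumptions of this example; it expects `sha512sum` and `gpg` on the PATH and the signer's public key already imported into the local keyring.

```shell
#!/bin/sh
# Added example: fail-closed verification of a downloaded release archive.
# Exit codes (chosen for this example): 0 verified, 1 checksum mismatch,
# 2 archive, checksum file or signature file missing, 3 bad signature.
# Usage after sourcing this file: verify_release path/to/archive.zip

# Extract the 128-hex-digit SHA-512 value from a checksum file. Accepts both
# "HASH  filename" (sha512sum) and "filename: AAAA BBBB ..." (gpg --print-md).
expected_sha512() {
    tr -d ' \t\r\n' < "$1" | tr 'A-F' 'a-f' | grep -oE '[0-9a-f]{128}' | head -n 1
}

verify_release() {
    archive=$1
    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 2; }

    # A missing sidecar file means "unverified", never "skipped and fine".
    if [ ! -f "$archive.sha512" ] || [ ! -f "$archive.asc" ]; then
        echo "UNVERIFIED: $archive.sha512 and $archive.asc are both required" >&2
        return 2
    fi

    want=$(expected_sha512 "$archive.sha512")
    have=$(sha512sum "$archive" | cut -d ' ' -f 1)
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "FAIL: SHA-512 mismatch for $archive" >&2
        return 1
    fi

    # Detached signature check; an unknown key or garbage .asc fails here.
    if ! gpg --verify "$archive.asc" "$archive" 2>/dev/null; then
        echo "FAIL: bad or unverifiable signature for $archive" >&2
        return 3
    fi
    echo "OK: $archive"
}
```

An archive generated by GitHub from a tag would stop at exit code 2 when no sidecar files sit beside it, or at 1 if the official `.sha512` is copied next to it.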