What we need to vote on are the (reproducible) release artifacts:
the source and binary distributions with asc and md5 sig/checksums;
and the maven artifacts that will go into the mirrored maven
repository.
Sadly, our process does not seem to support generating such an artifact.
I do not understand what you mean by "reproducible"; this was all
generated in exactly the same manner as prior (approved) OpenJPA
releases, with the exception that we're now generating md5 and asc
files for more of the artifacts.
I see lots of m2-repository contents that would seem to conform to
what maven expects, but I'm no maven expert:
http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/
http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/
Does this help?
-Patrick
On May 15, 2008, at 10:32 AM, Craig L Russell wrote:
Hi Patrick,
On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
Hi,
Nice job, but need a bit more to review.
Thanks! I'm assuming that you mean that you can't vote +1 now, but
that you'll have time between now and Monday evening, right?
Right.
There's a requirement that all artifacts have an md5 checksum in
addition to the asc signature.
Those should all be generated. In fact, it looks like we even have
md5 checksums of the signatures!
In the link you sent out
A candidate build for OpenJPA 1.1.0 is available at:
http://openjpa.apache.org/builds/1.1.0/downloads/
there are only the source and binary distribution files with asc
sigs, no md5 and no maven artifacts.
Since we plan to put the jar files into the global maven repo, the
artifacts should be on the download site for review. The jar files
also need md5 and asc signatures.
Everything can be found at people.apache.org/www/openjpa.apache.org/
builds/1.1.0.
Everything including the kitchen sink. But there are many files and
plain junk in that location that it's impossible for me to review.
Also, I think it's worth noting that there are definite
improvements that we could make in our staging / delivery process.
I'd appreciate it if we didn't hold 1.1.0 hostage for those
changes. My understanding from Wendy's comments about the last
release process was that we needed more signatures; I believe that
the new release is sufficiently-signed. If there are other
improvements that we could make, I'm all for making them, but would
rather see non-showstopping issues get logged and addressed in
1.1.1 etc.
The problem is that with all the stuff in the builds/1.1.0 directory
it's not possible to make sense of it. Browsing the builds/1.1.0,
there are several things that look like maven artifacts but they're
in the wrong place, e.g. openjpa-jdbc/m2-repository/org/apache/
openjpa/openjpa-jdbc/1.1.0 which has an extra 1.1.0 directory and
has extra files e.g. -rw-rw-r-- 1 pcl openjpa 32 May 14
22:36 openjpa-jdbc-1.1.0.jar.asc.md5 (generally it's not required to
checksum a signature;-).
So there's a non-trivial step between the artifacts that you've
pointed to and the actual release that we propose to mirror to the
world. And there's no PMC oversight possible for that non-trivial
step.
What we need to vote on are the (reproducible) release artifacts:
the source and binary distributions with asc and md5 sig/checksums;
and the maven artifacts that will go into the mirrored maven
repository.
Craig
-Patrick
On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
Hi Patrick,
Nice job, but need a bit more to review.
There's a requirement that all artifacts have an md5 checksum in
addition to the asc signature.
Since we plan to put the jar files into the global maven repo, the
artifacts should be on the download site for review. The jar files
also need md5 and asc signatures.
Craig
On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
OpenJPA Developers-
A candidate build for OpenJPA 1.1.0 is available at:
http://openjpa.apache.org/builds/1.1.0/downloads/
Please review these artifacts and signatures, and vote whether we
should release them as Apache OpenJPA version 1.1.0. Release notes
for this release are included in the artifact, or can be browsed
at:
http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
The Apache Release Audit Tool has been run on the release, and no
missing licenses were found with the exceptions listed in the
exclusion section of the "rat-maven-plugin" configuration in
http://
svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml .
In accordance with http://www.apache.org/foundation/
voting.html#ReleaseVotes , three +1 votes will be sufficient to
approve the release for publication. While it is not possible to
veto
a release, the vote will remain open for the standard 3 day period
(ending at 11:30pm Pacific on Monday 5/19) in order to allow
people to
thoroughly review the release and perform whatever additional
testing
they desire and raise any concerns or objections.
A vote of "+1" means you approve of the release for publication,
"-1"
means you do not approve, and a "+0" or "-0" means you are neutral.
Thanks in advance for your diligence in helping to ensure that the
quality of the OpenJPA 1.1.0 release reflects the high quality of
all
of its contributors!
-Patrick
--
Patrick Linskey
202 669 5907
Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
--
Patrick Linskey
202 669 5907
Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
--
Patrick Linskey
202 669 5907
