It’s not much to tweak the script to check a promoted artifact vs a staged 
artifact. The script below does it. 

$ ./check_promoted_release.sh org.apache.sling.auth.saml2/0.2.6/ .



#!/bin/sh

# check_promoted_release.sh
# Downloads a promoted artifact from repository.apache.org and checks the
# GPG signature and the md5/sha1 digests of every file.
STAGING=${1}
DOWNLOAD=${2:-/tmp/sling-staging}
mkdir -p "${DOWNLOAD}" 2>/dev/null

if [ -z "${STAGING}" ] || [ ! -d "${DOWNLOAD}" ]
then
 echo "Usage: check_promoted_release.sh <artifactID/version> [temp-directory]"
 exit 1
fi

if [ ! -e "${DOWNLOAD}/${STAGING}" ]
then
 echo "################################################################################"
 echo "                           DOWNLOAD PROMOTED REPOSITORY"
 echo "################################################################################"

 wget -e "robots=off" --wait 1 -nv -r -np "--reject=html,index.html.tmp,../" "--follow-tags=" \
   -P "${DOWNLOAD}/${STAGING}" -nH "--cut-dirs=6" \
   "https://repository.apache.org/content/groups/public/org/apache/sling/${STAGING}"

else
 echo "################################################################################"
 echo "                       USING EXISTING STAGED REPOSITORY"
 echo "################################################################################"
 echo "${DOWNLOAD}/${STAGING}"
fi

echo "################################################################################"
echo "                          CHECK SIGNATURES AND DIGESTS"
echo "################################################################################"

# Every downloaded file that is not itself a signature or digest file
for i in `find "${DOWNLOAD}/${STAGING}" -type f | grep -v '\.\(asc\|sha1\|md5\)$'`
do
 f=`echo "$i" | sed 's/\.asc$//'`
 echo "$f"
 # Name the signed file explicitly so the detached signature is checked against it
 gpg --verify "$f.asc" "$f" 2>/dev/null
 if [ "$?" = "0" ]; then CHKSUM="GOOD"; else CHKSUM="BAD!!!!!!!!"; fi
 if [ ! -f "$f.asc" ]; then CHKSUM="----"; fi
 echo "gpg:  ${CHKSUM}"

 for tp in md5 sha1
 do
   if [ ! -f "$f.$tp" ]
   then
     CHKSUM="----"
   else
     # A = published digest, B = digest computed from the downloaded file
     A="$(cat "$f.$tp" 2>/dev/null)"
     B="$(openssl $tp < "$f" 2>/dev/null | sed 's/.*= *//')"
     if [ "$A" = "$B" ]; then CHKSUM="GOOD ($A)"; else CHKSUM="BAD!! : $A not equal to $B"; fi
   fi
   echo "$tp : ${CHKSUM}"
 done

done

if [ -z "${CHKSUM}" ]; then echo "WARNING: no files found!"; fi

echo "################################################################################"


################################################################################
                          CHECK SIGNATURES AND DIGESTS
################################################################################
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-source-release.zip
gpg:  GOOD
md5 : GOOD (39c1e148b0919387a5732628ba604d21)
sha1 : GOOD (cea7d34a4b78dd651b8fd26ef9464ac3bacc5f6f)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6.pom
gpg:  GOOD
md5 : GOOD (4ac6eb0eb5e4fcd0372a211a1974dc0c)
sha1 : GOOD (531a963abf49b8db1b8e2584139b793a9bc28bb2)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-javadoc.jar
gpg:  GOOD
md5 : GOOD (e848893428b5deb1246f768d8657e27c)
sha1 : GOOD (85e79ac6ae98a929a1f3aa58f93959acd33a2a2d)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-sources.jar
gpg:  GOOD
md5 : GOOD (69fea4b472d2b4ec0dcc1987087c6702)
sha1 : GOOD (9bbfd0071d81ead55fa2a5b920d74ec1934e666c)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6.jar
gpg:  GOOD
md5 : GOOD (94c54bf5b7d244f60da1837d5b0351b2)
sha1 : GOOD (00a784f65d23a18d7eed094dddedc863e235bf9d)
################################################################################
➜  release ./check_promoted_release.sh org.apache.sling.auth.saml2/0.2.6/ .





> On Jul 8, 2021, at 10:54 AM, Robert Munteanu <romb...@apache.org> wrote:
> 
> There are two questions here:
> 
> 1. Practical - what do we vote on? The staging repository is gone.
> 2. Procedural - is this the right thing to do?
> 
> For 1. I guess we could ask you to restore it, maybe stage the exact
> same artifacts again and resume the vote? Not a new vote thread, simply
> reply to the same thread with a new staging repository.
> 
> But we should not conclude the vote until we are sure of 2.
> 
> Thanks,
> Robert
> 
> On Thu, 2021-07-08 at 08:13 -0400, Cris Rockwell wrote:
>> How about PMC members actually cast your votes on this release now?
>> If there are enough +1 then it's fine. If somebody is actually trying to
>> drag this out intentionally, that's not cool.
>> 
>> On Thu, Jul 8, 2021, 6:22 AM Robert Munteanu <romb...@apache.org>
>> wrote:
>> 
>>> Hi,
>>> 
>>> The staging repository in question was under vote, no votes cast (I
>>> was preparing my +1) and was accidentally promoted.
>>> 
>>> That means that the artifacts are on Maven Central without a formal
>>> vote from the PMC.
>>> 
>>> What options do we have from here? Does anyone know of a similar
>>> situation? If not, we can wait for an answer on the infra issue
>>> [1].
>>> 
>>> Thanks,
>>> Robert
>>> 
>>> [1]: https://issues.apache.org/jira/browse/INFRA-22090
>>> 
>>> On Thu, 2021-07-08 at 12:16 +0200, Nicolas Peltier wrote:
>>>> Ok, looks like it's over now to move it back, so either we retroactively
>>>> vote for that artifact, or we redo a release :(
>>>> Sorry for that mess :(
>>>> 
>>>> On Thu, Jul 8, 2021 at 11:50, Nicolas Peltier <npelt...@apache.org> wrote:
>>>> 
>>>>> Sorry Chris, I mistakenly released the staging repository, and now am
>>>>> struggling to undo this, it's very likely we have to delete it all
>>>>> together :(
>>>>> https://issues.apache.org/jira/browse/INFRA-22090
>>>>> 
>>>>> On Fri, Jul 2, 2021 at 17:41, Cris Rockwell <cmroc...@umich.edu> wrote:
>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> We solved 3 Jira issues in this initial release:
>>>>>> https://issues.apache.org/jira/projects/SLING/versions/12350210
>>>>>> 
>>>>>> Staging repository:
>>>>>> https://repository.apache.org/content/repositories/orgapachesling-2490/
>>>>>> 
>>>>>> You can use this UNIX script to download the release and verify the
>>>>>> signatures:
>>>>>> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>>>>>> 
>>>>>> Usage:
>>>>>> sh check_staged_release.sh 2490 /tmp/sling-staging
>>>>>> 
>>>>>> Please vote to approve this release:
>>>>>> 
>>>>>>  [ ] +1 Approve the release
>>>>>>  [ ]  0 Don't care
>>>>>>  [ ] -1 Don't release, because ...
>>>>>> 
>>>>>> This majority vote is open for at least 72 hours.
>>>>>> 
>>>>>> Regards,
>>>>>> Cris
>>>>> 
>>>>> 
>>> 
>>> 
>>> 
> 
> 
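
Added example, not part of the original thread or of the Sling release tooling: if the same artifacts are staged again, as suggested above, the re-staged and promoted downloads can be compared byte for byte with a SHA-256 manifest. The function names and the two directory arguments are assumptions; files are matched by file name because the two download layouts differ.

```shell
#!/bin/sh
# Added example: confirm two downloaded artifact trees hold identical files.
# Assumes artifact file names are unique within each tree (Maven naming).

# Print the SHA-256 of one file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# manifest DIR: one "<file name>  <sha256>" line per artifact, sorted.
# Signature and digest side files are skipped; only the artifacts count.
manifest() {
  ( cd "$1" || exit 1
    find . -type f ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' |
    while IFS= read -r f; do
      printf '%s  %s\n' "$(basename "$f")" "$(sha256_of "$f")"
    done | LC_ALL=C sort )
}

# compare_trees STAGED PROMOTED
# returns 0 = identical, 1 = differences (printed by diff), 2 = nothing to compare
compare_trees() {
  ct_tmp=$(mktemp -d) || return 2
  ct_rc=0
  manifest "$1" > "$ct_tmp/staged" || ct_rc=2
  manifest "$2" > "$ct_tmp/promoted" || ct_rc=2
  # An empty manifest means nothing was checked: an error, not a match.
  [ -s "$ct_tmp/staged" ] && [ -s "$ct_tmp/promoted" ] || ct_rc=2
  if [ "$ct_rc" -eq 0 ] && ! diff "$ct_tmp/staged" "$ct_tmp/promoted"; then
    ct_rc=1
  fi
  rm -rf "$ct_tmp"
  return "$ct_rc"
}

# Stand-alone use: sh compare_trees.sh <staged-dir> <promoted-dir>
if [ "$#" -eq 2 ]; then
  compare_trees "$1" "$2"
fi
```
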
