It’s not much to tweak the script to check a promoted artifact vs a staged
artifact. The script below does it.
$ ./check_promoted_release.sh org.apache.sling.auth.saml2/0.2.6/ .
#!/bin/sh
# check_promoted_release.sh
# Download a promoted artifact from the public repository group and check
# the GPG signature and the MD5/SHA-1 digest of every file in it.
STAGING=${1}
DOWNLOAD=${2:-/tmp/sling-staging}
mkdir -p "${DOWNLOAD}" 2>/dev/null

if [ -z "${STAGING}" ] || [ ! -d "${DOWNLOAD}" ]
then
    echo "Usage: check_promoted_release.sh <artifactID/version> [temp-directory]"
    exit 1
fi

if [ ! -e "${DOWNLOAD}/${STAGING}" ]
then
    echo "################################################################################"
    echo " DOWNLOAD PROMOTED REPOSITORY"
    echo "################################################################################"
    wget -e "robots=off" --wait 1 -nv -r -np "--reject=html,index.html.tmp,../" "--follow-tags=" \
        -P "${DOWNLOAD}/${STAGING}" -nH "--cut-dirs=6" \
        "https://repository.apache.org/content/groups/public/org/apache/sling/${STAGING}"
else
    echo "################################################################################"
    echo " USING EXISTING STAGED REPOSITORY"
    echo "################################################################################"
    echo "${DOWNLOAD}/${STAGING}"
fi

echo "################################################################################"
echo " CHECK SIGNATURES AND DIGESTS"
echo "################################################################################"

# Every file except the .asc/.sha1/.md5 sidecars is an artifact to verify.
for i in `find "${DOWNLOAD}/${STAGING}" -type f | grep -v '\.\(asc\|sha1\|md5\)$'`
do
    f=`echo "$i" | sed 's/\.asc$//'`
    echo "$f"
    # Detached signature check; "----" means there is no .asc file.
    gpg --verify "$f.asc" 2>/dev/null
    if [ "$?" = "0" ]; then CHKSUM="GOOD"; else CHKSUM="BAD!!!!!!!!"; fi
    if [ ! -f "$f.asc" ]; then CHKSUM="----"; fi
    echo "gpg: ${CHKSUM}"
    for tp in md5 sha1
    do
        if [ ! -f "$f.$tp" ]
        then
            CHKSUM="----"
        else
            # A is the published digest, B is the digest computed locally.
            A="`cat "$f.$tp" 2>/dev/null`"
            B="`openssl $tp < "$f" 2>/dev/null | sed 's/.*= *//'`"
            if [ "$A" = "$B" ]; then CHKSUM="GOOD (`cat "$f.$tp"`)"; else CHKSUM="BAD!! : $A not equal to $B"; fi
        fi
        echo "$tp : ${CHKSUM}"
    done
done

if [ -z "${CHKSUM}" ]; then echo "WARNING: no files found!"; fi
echo "################################################################################"

################################################################################
CHECK SIGNATURES AND DIGESTS
################################################################################
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-source-release.zip
gpg: GOOD
md5 : GOOD (39c1e148b0919387a5732628ba604d21)
sha1 : GOOD (cea7d34a4b78dd651b8fd26ef9464ac3bacc5f6f)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6.pom
gpg: GOOD
md5 : GOOD (4ac6eb0eb5e4fcd0372a211a1974dc0c)
sha1 : GOOD (531a963abf49b8db1b8e2584139b793a9bc28bb2)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-javadoc.jar
gpg: GOOD
md5 : GOOD (e848893428b5deb1246f768d8657e27c)
sha1 : GOOD (85e79ac6ae98a929a1f3aa58f93959acd33a2a2d)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-sources.jar
gpg: GOOD
md5 : GOOD (69fea4b472d2b4ec0dcc1987087c6702)
sha1 : GOOD (9bbfd0071d81ead55fa2a5b920d74ec1934e666c)
./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6.jar
gpg: GOOD
md5 : GOOD (94c54bf5b7d244f60da1837d5b0351b2)
sha1 : GOOD (00a784f65d23a18d7eed094dddedc863e235bf9d)
################################################################################
➜ release ./check_promoted_release.sh org.apache.sling.auth.saml2/0.2.6/ .
> On Jul 8, 2021, at 10:54 AM, Robert Munteanu <[email protected]> wrote:
>
> There are two questions here:
>
> 1. Practical - what do we vote on? The staging repository is gone.
> 2. Procedural - is this the right thing to do?
>
> For 1. I guess we could ask you to restore it, maybe stage the exact
> same artifacts again and resume the vote? Not a new vote thread, simply
> reply to the same thread with a new staging repository.
>
> But we should not conclude the vote until we are sure of 2.
>
> Thanks,
> Robert
>
> On Thu, 2021-07-08 at 08:13 -0400, Cris Rockwell wrote:
>> How about PMC members actually cast your votes on this release now?
>> If there are enough +1 then it's fine. If somebody is actually trying
>> to drag this out intentionally, that's not cool.
>>
>> On Thu, Jul 8, 2021, 6:22 AM Robert Munteanu <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> The staging repository in question was under vote, no votes cast (I
>>> was preparing my +1) and was accidentally promoted.
>>>
>>> That means that the artifacts are on Maven Central without a formal
>>> vote from the PMC.
>>>
>>> What options do we have from here? Does anyone know of a similar
>>> situation? If not, we can wait for an answer on the infra issue
>>> [1].
>>>
>>> Thanks,
>>> Robert
>>>
>>> [1]: https://issues.apache.org/jira/browse/INFRA-22090
>>>
>>> On Thu, 2021-07-08 at 12:16 +0200, Nicolas Peltier wrote:
>>>> Ok, looks like it's over now to move it back, so either we
>>>> retroactively vote for that artifact, or we redo a release :(
>>>> Sorry for that mess :(
>>>>
>>>> On Thu, Jul 8, 2021 at 11:50, Nicolas Peltier
>>>> <[email protected]> wrote:
>>>>
>>>>> Sorry Cris, I mistakenly released the staging repository, and
>>>>> now am struggling to undo this, it's very likely we have to
>>>>> delete it altogether :(
>>>>> https://issues.apache.org/jira/browse/INFRA-22090
>>>>>
>>>>> On Fri, Jul 2, 2021 at 17:41, Cris Rockwell
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We solved 3 Jira issues in this initial release:
>>>>>> https://issues.apache.org/jira/projects/SLING/versions/12350210
>>>>>>
>>>>>> Staging repository:
>>>>>>
>>>>>> https://repository.apache.org/content/repositories/orgapachesling-2490/
>>>>>>
>>>>>> You can use this UNIX script to download the release and
>>>>>> verify the
>>>>>> signatures:
>>>>>>
>>>>>> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>>>>>>
>>>>>> Usage:
>>>>>> sh check_staged_release.sh 2490 /tmp/sling-staging
>>>>>>
>>>>>> Please vote to approve this release:
>>>>>>
>>>>>> [ ] +1 Approve the release
>>>>>> [ ] 0 Don't care
>>>>>> [ ] -1 Don't release, because ...
>>>>>>
>>>>>> This majority vote is open for at least 72 hours.
>>>>>>
>>>>>> Regards,
>>>>>> Cris
>>>>>
>>>>>
>>>
>>>
>>>
>
>
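
If the same artifacts are staged again, as suggested in the thread, the vote is only meaningful when the restaged files are byte-identical to the ones already promoted. The following sketch is an added example, not part of this thread or of sling-tooling-release; the names compare_trees and tree_digests are hypothetical, and it assumes both trees were already downloaded to local directories and that sha256sum and diff are installed.

```shell
#!/bin/sh
# compare_trees.sh (hypothetical name): check that two downloaded artifact
# trees hold the same payload files with the same SHA-256 digests.

# Print "<sha256>  <relative path>" for each payload file under $1, sorted
# by path. Signature and checksum sidecars are skipped: they are verified
# separately, and a re-signed .asc legitimately differs.
tree_digests() {
    ( cd "$1" || exit 2
      find . -type f ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' |
          LC_ALL=C sort |
          while IFS= read -r f; do
              printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
          done )
}

# compare_trees DIR_A DIR_B
# Returns 0 if identical, 1 if any file differs or is missing, 2 on error.
compare_trees() {
    tmp=$(mktemp -d) || return 2
    if ! tree_digests "$1" > "$tmp/a" || ! tree_digests "$2" > "$tmp/b"; then
        rm -rf "$tmp"; return 2
    fi
    # An empty listing means nothing was downloaded; never report that as a match.
    if [ ! -s "$tmp/a" ] || [ ! -s "$tmp/b" ]; then
        echo "no payload files found" >&2
        rm -rf "$tmp"; return 2
    fi
    # diff prints only differing entries: "<" from DIR_A, ">" from DIR_B.
    if diff "$tmp/a" "$tmp/b"; then
        echo "IDENTICAL"; status=0
    else
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# Run the comparison when called as: sh compare_trees.sh DIR_A DIR_B
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```
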