I've been reading the ASF release policy at
https://www.apache.org/legal/release-policy.html, and this snippet drew my
attention:

> A release isn't 'released' until the contents are in the project's
> distribution directory, which is a subdirectory of downloads.apache.org.
> In addition to the distribution directory, projects that use Maven or a
> related build tool sometimes place their releases on
> repository.apache.org beside some convenience binaries. The distribution
> directory is required, while the repository system is an optional
> convenience.

which leads me to believe that we did not actually 'release' the bundle, but
are right now in an inconsistent state, with a convenience channel being used
before the actual vote being released.

My suggestion would be to continue the voting process in a manual way and
reach out to infra/ASF board (as per [2]) only if the release vote fails.

For that, I would ask you (Cris) to re-upload the same artifacts to
https://dist.apache.org/repos/dist/dev/sling/
( svn co https://dist.apache.org/repos/dist/dev/sling/ ) and we will resume
voting based on those. We may need to patch the scripts or run the checks
manually, but it's a one-time occurrence and should not be such a big deal.

I prefer uploading to dist/dev and validating the artifacts from there since
it's more in line with the ASF release policy and minimises the risk of this
release being called out as out of policy.

Would that work for you?

Thanks,
Robert

[2]: https://www.apache.org/legal/release-policy.html#administration

On Thu, 2021-07-08 at 14:30 -0400, Cris Rockwell wrote:
> It's not much to tweak the script to check a promoted artifact vs a
> staged artifact. The script below does it.
>
> $ ./check_promoted_release.sh org.apache.sling.auth.saml2/0.2.6/ .
>
> #!/bin/sh
>
> # check_promoted_release.sh
> # $1 = <artifactID/version> below org/apache/sling, $2 = download directory
> STAGING=${1}
> DOWNLOAD=${2:-/tmp/sling-staging}
> mkdir -p "${DOWNLOAD}" 2>/dev/null
>
> if [ -z "${STAGING}" ] || [ ! -d "${DOWNLOAD}" ]
> then
>  echo "Usage: check_promoted_release.sh <artifactID/version> [temp-directory]"
>  exit 1
> fi
>
> if [ ! -e "${DOWNLOAD}/${STAGING}" ]
> then
>  echo "################################################################################"
>  echo "                          DOWNLOAD PROMOTED REPOSITORY"
>  echo "################################################################################"
>
>  # Mirror the promoted artifact directory from the public repository group
>  wget -e "robots=off" --wait 1 -nv -r -np "--reject=html,index.html.tmp,../" "--follow-tags=" \
>   -P "${DOWNLOAD}/${STAGING}" -nH "--cut-dirs=6" \
>   "https://repository.apache.org/content/groups/public/org/apache/sling/${STAGING}"
>
> else
>  echo "################################################################################"
>  echo "                        USING EXISTING STAGED REPOSITORY"
>  echo "################################################################################"
>  echo "${DOWNLOAD}/${STAGING}"
> fi
>
> echo "################################################################################"
> echo "                          CHECK SIGNATURES AND DIGESTS"
> echo "################################################################################"
>
> # Every file that is not itself a signature or digest is an artifact to check
> for i in `find "${DOWNLOAD}/${STAGING}" -type f | grep -v '\.\(asc\|sha1\|md5\)$'`
> do
>  f=`echo "$i" | sed 's/\.asc$//'`
>  echo "$f"
>  # GOOD means gpg accepted the detached signature with a key in the local keyring
>  gpg --verify "$f.asc" 2>/dev/null
>  if [ "$?" = "0" ]; then CHKSUM="GOOD"; else CHKSUM="BAD!!!!!!!!"; fi
>  if [ ! -f "$f.asc" ]; then CHKSUM="----"; fi
>  echo "gpg:  ${CHKSUM}"
>
>  # Compare each published digest with one computed locally
>  for tp in md5 sha1
>  do
>   if [ ! -f "$f.$tp" ]
>   then
>    CHKSUM="----"
>   else
>    A="`cat "$f.$tp" 2>/dev/null`"
>    B="`openssl $tp < "$f" 2>/dev/null | sed 's/.*= *//' `"
>    if [ "$A" = "$B" ]; then CHKSUM="GOOD (`cat "$f.$tp"`)"; else CHKSUM="BAD!! : $A not equal to $B"; fi
>   fi
>   echo "$tp : ${CHKSUM}"
>  done
>
> done
>
> if [ -z "${CHKSUM}" ]; then echo "WARNING: no files found!"; fi
>
> echo "################################################################################"
>
>
> ################################################################################
>                           CHECK SIGNATURES AND DIGESTS
> ################################################################################
> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-source-release.zip
> gpg: GOOD
> md5 : GOOD (39c1e148b0919387a5732628ba604d21)
> sha1 : GOOD (cea7d34a4b78dd651b8fd26ef9464ac3bacc5f6f)
> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6.pom
> gpg: GOOD
> md5 : GOOD (4ac6eb0eb5e4fcd0372a211a1974dc0c)
> sha1 : GOOD (531a963abf49b8db1b8e2584139b793a9bc28bb2)
> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-javadoc.jar
> gpg: GOOD
> md5 : GOOD (e848893428b5deb1246f768d8657e27c)
> sha1 : GOOD (85e79ac6ae98a929a1f3aa58f93959acd33a2a2d)
> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6-sources.jar
> gpg: GOOD
> md5 : GOOD (69fea4b472d2b4ec0dcc1987087c6702)
> sha1 : GOOD (9bbfd0071d81ead55fa2a5b920d74ec1934e666c)
> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/org.apache.sling.auth.saml2-0.2.6.jar
> gpg: GOOD
> md5 : GOOD (94c54bf5b7d244f60da1837d5b0351b2)
> sha1 : GOOD (00a784f65d23a18d7eed094dddedc863e235bf9d)
> ################################################################################
> ➜ release ./check_promoted_release.sh org.apache.sling.auth.saml2/0.2.6/ .
>
> > On Jul 8, 2021, at 10:54 AM, Robert Munteanu <romb...@apache.org> wrote:
> >
> > There are two questions here:
> >
> > 1. Practical - what do we vote on? The staging repository is gone.
> > 2. Procedural - is this the right thing to do?
> >
> > For 1. I guess we could ask you to restore it, maybe stage the exact
> > same artifacts again and resume the vote? Not a new vote thread, simply
> > reply to the same thread with a new staging repository.
> >
> > But we should not conclude the vote until we are sure of 2.
> >
> > Thanks,
> > Robert
> >
> > On Thu, 2021-07-08 at 08:13 -0400, Cris Rockwell wrote:
> > > How about pmc members actually cast your votes on this release now?
> > > If there are enough +1 then it's fine. If somebody is actually trying
> > > to drag this out intentionally, that's not cool.
> > >
> > > On Thu, Jul 8, 2021, 6:22 AM Robert Munteanu <romb...@apache.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > The staging repository in question was under vote, no votes cast
> > > > (I was preparing my +1) and was accidentally promoted.
> > > >
> > > > That means that the artifacts are on Maven Central without a formal
> > > > vote from the PMC.
> > > >
> > > > What options do we have from here? Does anyone know of a similar
> > > > situation? If not, we can wait for an answer on the infra issue [1].
> > > >
> > > > Thanks,
> > > > Robert
> > > >
> > > > [1]: https://issues.apache.org/jira/browse/INFRA-22090
> > > >
> > > > On Thu, 2021-07-08 at 12:16 +0200, Nicolas Peltier wrote:
> > > > > Ok, looks like it's over now to move it back, so either we
> > > > > retroactively vote for that artifact, or we redo a release :(
> > > > > Sorry for that mess :(
> > > > >
> > > > > On Thu, 8 Jul 2021 at 11:50, Nicolas Peltier <npelt...@apache.org> wrote:
> > > > >
> > > > > > Sorry Cris, I mistakenly released the staging repository, and
> > > > > > now am struggling to undo this, it's very likely we have to
> > > > > > delete it all together :(
> > > > > > https://issues.apache.org/jira/browse/INFRA-22090
> > > > > >
> > > > > > On Fri, 2 Jul 2021 at 17:41, Cris Rockwell <cmroc...@umich.edu> wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > We solved 3 Jira issues in this initial release:
> > > > > > > https://issues.apache.org/jira/projects/SLING/versions/12350210
> > > > > > >
> > > > > > > Staging repository:
> > > > > > > https://repository.apache.org/content/repositories/orgapachesling-2490/
> > > > > > >
> > > > > > > You can use this UNIX script to download the release and
> > > > > > > verify the signatures:
> > > > > > > https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
> > > > > > >
> > > > > > > Usage:
> > > > > > > sh check_staged_release.sh 2490 /tmp/sling-staging
> > > > > > >
> > > > > > > Please vote to approve this release:
> > > > > > >
> > > > > > > [ ] +1 Approve the release
> > > > > > > [ ] 0 Don't care
> > > > > > > [ ] -1 Don't release, because ...
> > > > > > >
> > > > > > > This majority vote is open for at least 72 hours.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Cris
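
Added example, not part of the thread or of the Sling release tooling: since the vote is to resume on "the same artifacts" re-uploaded to dist/dev, this sketch checks that a local dist/dev checkout carries exactly the bytes already downloaded from the promoted repository. The function names and the two directory arguments are assumptions, and it relies on `sha256sum` and `comm` from coreutils.

```shell
#!/bin/sh
# Added example: compare a promoted download with a dist/dev checkout.

# manifest <dir>: one "<sha256>  <file name>" line per artifact, byte-sorted.
# Signature/digest side files and svn metadata are skipped. Directories are
# dropped from the name because the Maven and dist layouts differ.
manifest() {
    find "$1" -name .svn -prune -o -type f \
        ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' ! -name '*.sha512' \
        -exec sha256sum {} + | sed 's|  .*/|  |' | LC_ALL=C sort
}

# compare_trees <promoted-dir> <dist-dev-dir>
# 0 = same file names with the same bytes; 1 = any difference, or nothing
# to compare (fail closed); 2 = usage error.
compare_trees() {
    if [ ! -d "$1" ] || [ ! -d "$2" ]; then
        echo "usage: compare_trees <promoted-dir> <dist-dev-dir>" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    manifest "$1" > "$tmp/promoted"
    manifest "$2" > "$tmp/candidate"
    if [ ! -s "$tmp/promoted" ]; then
        rm -rf "$tmp"
        echo "FAIL: no artifacts found under $1"
        return 1
    fi
    # Lines present on one side only: changed bytes, missing or extra files.
    only_promoted=$(LC_ALL=C comm -23 "$tmp/promoted" "$tmp/candidate")
    only_candidate=$(LC_ALL=C comm -13 "$tmp/promoted" "$tmp/candidate")
    rm -rf "$tmp"
    if [ -z "$only_promoted" ] && [ -z "$only_candidate" ]; then
        echo "OK: dist/dev artifacts are byte-identical to the promoted ones"
        return 0
    fi
    if [ -n "$only_promoted" ]; then
        printf 'promoted only, or different in dist/dev:\n%s\n' "$only_promoted"
    fi
    if [ -n "$only_candidate" ]; then
        printf 'dist/dev only, or different from promoted:\n%s\n' "$only_candidate"
    fi
    return 1
}

# Run directly: sh compare_trees.sh <promoted-dir> <dist-dev-dir>
if [ "$#" -eq 2 ]; then compare_trees "$1" "$2"; fi
```

Equal bytes only show that both channels carry the same files; the gpg signature check from the script quoted in the thread is still what ties those files to the signer's key.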