Thanks for researching a possible solution for this. The artifacts are now uploaded https://dist.apache.org/repos/dist/dev/sling/ <https://dist.apache.org/repos/dist/dev/sling/>
> On Jul 9, 2021, at 3:22 AM, Robert Munteanu <romb...@apache.org> wrote: > > I've been reading the ASF release policy at > > https://www.apache.org/legal/release-policy.html > > , and this snippet drew my attention: > >> A release isn't 'released' until the contents are in the project's > distribution directory, which is a subdirectory of > downloads.apache.org. In addition to the distribution directory, > project that use Maven or a related build tool sometimes place their > releases on repository.apache.org beside some convenience binaries. The > distribution directory is required, while the repository system is an > optional convenience. > > which leads me to believe that we did not actually 'release' the > bundle, but are right now in an inconsistent state, with a convenience > channel being used before the actual vote being released. > > My suggestion would be to continue the voting process in a manual way > and reach out to infra/ASF board ( as per [2] ) only if the release > vote fails. > > For that, I would ask you (Cris) to re-upload the same artifacts to > > https://dist.apache.org/repos/dist/dev/sling/ > > ( svn co https://dist.apache.org/repos/dist/dev/sling/ ) > > and we will resume voting based on those. We may need to patch the > scripts or run the checks manually, but it's a one-time occurence and > should not be such a big deal. > > I prefer uploading to dist/dev and validating the artifacts from there > since it's more in line with the ASF release policy and minimises the > risk of this release being called out as out of policy. > > Would that work for you? > > Thanks, > Robert > > > [2]: https://www.apache.org/legal/release-policy.html#administration > > On Thu, 2021-07-08 at 14:30 -0400, Cris Rockwell wrote: >> It’s not much to tweak the script to check a promoted artifact vs a >> staged artifact. The script below does it. >> >> $ ./check_promoted_release.sh org.apache.sling.auth.saml2/0.2.6/ . >> >> >> >> #!/bin/sh >> >> #check_promoted_release.sh >> STAGING=${1} >> DOWNLOAD=${2:-/tmp/sling-staging} >> mkdir ${DOWNLOAD} 2>/dev/null >> >> if [ -z "${STAGING}" -o ! -d "${DOWNLOAD}" ] >> then >> echo "Usage: check_promoted_release.sh <artifactID/version> [temp- >> directory]" >> exit >> fi >> >> if [ ! -e "${DOWNLOAD}/${STAGING}" ] >> then >> echo >> "###################################################################### >> ##########" >> echo " DOWNLOAD PROMOTED >> REPOSITORY " >> echo >> "###################################################################### >> ##########" >> >> wget -e "robots=off" --wait 1 -nv -r -np "-- >> reject=html,index.html.tmp,../" "--follow-tags=" \ >> -P "${DOWNLOAD}/${STAGING}" -nH "--cut-dirs=6" \ >> >> "https://repository.apache.org/content/groups/public/org/apache/sling/${STAGING} >> " >> >> else >> echo >> "###################################################################### >> ##########" >> echo " USING EXISTING STAGED >> REPOSITORY " >> echo >> "###################################################################### >> ##########" >> echo "${DOWNLOAD}/${STAGING}" >> fi >> >> echo >> "###################################################################### >> ##########" >> echo " CHECK SIGNATURES AND >> DIGESTS " >> echo >> "###################################################################### >> ##########" >> >> for i in `find "${DOWNLOAD}/${STAGING}" -type f | grep -v >> '\.\(asc\|sha1\|md5\)$'` >> do >> f=`echo $i | sed 's/\.asc$//'` >> echo "$f" >> gpg --verify $f.asc 2>/dev/null >> if [ "$?" = "0" ]; then CHKSUM="GOOD"; else CHKSUM="BAD!!!!!!!!"; fi >> if [ ! -f "$f.asc" ]; then CHKSUM="----"; fi >> echo "gpg: ${CHKSUM}" >> >> for tp in md5 sha1 >> do >> if [ ! -f "$f.$tp" ] >> then >> CHKSUM="----" >> else >> A="`cat $f.$tp 2>/dev/null`" >> B="`openssl $tp < $f 2>/dev/null | sed 's/.*= *//' `" >> if [ "$A" = "$B" ]; then CHKSUM="GOOD (`cat $f.$tp`)"; else >> CHKSUM="BAD!! : $A not equal to $B"; fi >> fi >> echo "$tp : ${CHKSUM}" >> done >> >> done >> >> if [ -z "${CHKSUM}" ]; then echo "WARNING: no files found!"; fi >> >> echo >> "###################################################################### >> ##########" >> >> >> ####################################################################### >> ######### >> CHECK SIGNATURES AND DIGESTS >> ####################################################################### >> ######### >> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/ >> org.apache.sling.auth.saml2-0.2.6-source-release.zip >> gpg: GOOD >> md5 : GOOD (39c1e148b0919387a5732628ba604d21) >> sha1 : GOOD (cea7d34a4b78dd651b8fd26ef9464ac3bacc5f6f) >> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/ >> org.apache.sling.auth.saml2-0.2.6.pom >> gpg: GOOD >> md5 : GOOD (4ac6eb0eb5e4fcd0372a211a1974dc0c) >> sha1 : GOOD (531a963abf49b8db1b8e2584139b793a9bc28bb2) >> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/ >> org.apache.sling.auth.saml2-0.2.6-javadoc.jar >> gpg: GOOD >> md5 : GOOD (e848893428b5deb1246f768d8657e27c) >> sha1 : GOOD (85e79ac6ae98a929a1f3aa58f93959acd33a2a2d) >> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/ >> org.apache.sling.auth.saml2-0.2.6-sources.jar >> gpg: GOOD >> md5 : GOOD (69fea4b472d2b4ec0dcc1987087c6702) >> sha1 : GOOD (9bbfd0071d81ead55fa2a5b920d74ec1934e666c) >> ./org.apache.sling.auth.saml2/0.2.6//org.apache.sling.auth.saml2/0.2.6/ >> org.apache.sling.auth.saml2-0.2.6.jar >> gpg: GOOD >> md5 : GOOD (94c54bf5b7d244f60da1837d5b0351b2) >> sha1 : GOOD (00a784f65d23a18d7eed094dddedc863e235bf9d) >> ####################################################################### >> ######### >> ➜ release ./check_promoted_release.sh >> org.apache.sling.auth.saml2/0.2.6/ . >> >> >> >> >> >>> On Jul 8, 2021, at 10:54 AM, Robert Munteanu <romb...@apache.org> >>> wrote: >>> >>> There are two question here: >>> >>> 1. Practical - what do we vote on? The staging repository is gone. >>> 2. Procedural - is this the right thing to do? >>> >>> For 1. I guess we could ask you to restore it, maybe stage the exact >>> same artifacts again and resume the vote? Not a new vote thread, >>> simply >>> reply to the same thread with a new staging repository. >>> >>> But we should not conclude the vote until we are sure of 2. >>> >>> Thanks, >>> Robert >>> >>> On Thu, 2021-07-08 at 08:13 -0400, Cris Rockwell wrote: >>>> How about pmc members actually cast your votes on this release now? >>>> If there are enough+1 then it's fine. If somebody is actually >>>> trying >>>> to >>>> drag this out intentionally, thats not cool. >>>> >>>> On Thu, Jul 8, 2021, 6:22 AM Robert Munteanu <romb...@apache.org> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> The staging repository in question was under vote, no votes cast >>>>> ( >>>>> I >>>>> was preparing my +1 ) and was accidentally promoted. >>>>> >>>>> That means that the artifacts are on Maven Central without a >>>>> formal >>>>> vote from the PMC. >>>>> >>>>> What options do we have from here? Does anyone know of a similar >>>>> situation? If not, we can wait for an answer on the infra issue >>>>> [1]. >>>>> >>>>> Thanks, >>>>> Robert >>>>> >>>>> [1]: https://issues.apache.org/jira/browse/INFRA-22090 >>>>> >>>>> On Thu, 2021-07-08 at 12:16 +0200, Nicolas Peltier wrote: >>>>>> Ok, looks like it's over now to move it back, so either we >>>>>> retroactively >>>>>> vote for that artifact, either we redo a release :( >>>>>> sorry for that mess :( >>>>>> >>>>>> Le jeu. 8 juil. 2021 à 11:50, Nicolas Peltier >>>>>> <npelt...@apache.org> a >>>>>> écrit : >>>>>> >>>>>>> sorry Chris i mistakenly released the staging repository, and >>>>>>> now am >>>>>>> struggling to undo this, it's very likely we have to delete >>>>>>> it >>>>>>> all >>>>>>> together >>>>>>> :( >>>>>>> https://issues.apache.org/jira/browse/INFRA-22090 >>>>>>> >>>>>>> Le ven. 2 juil. 2021 à 17:41, Cris Rockwell >>>>>>> <cmroc...@umich.edu> a >>>>>>> écrit : >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> We solved 3 Jira issues in this initial release: >>>>>>>> https://issues.apache.org/jira/projects/SLING/versions/12350210 >>>>>>>> < >>>>>>>> https://issues.apache.org/jira/projects/SLING/versions/12350210 >>>>>>>>> >>>>>>>> >>>>>>>> Staging repository: >>>>>>>> >>>>> https://repository.apache.org/content/repositories/orgapachesling-2490/ >>>>>>>> >>>>>>>> You can use this UNIX script to download the release and >>>>>>>> verify the >>>>>>>> signatures: >>>>>>>> >>>>>>>> >>>>> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD >>>>>>>> < >>>>>>>> >>>>> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD >>>>>>>>> >>>>>>>> >>>>>>>> Usage: >>>>>>>> sh check_staged_release.sh 2490 /tmp/sling-staging >>>>>>>> >>>>>>>> Please vote to approve this release: >>>>>>>> >>>>>>>> [ ] +1 Approve the release >>>>>>>> [ ] 0 Don't care >>>>>>>> [ ] -1 Don't release, because ... >>>>>>>> >>>>>>>> This majority vote is open for at least 72 hours. >>>>>>>> >>>>>>>> Regards, >>>>>>>> Cris >>>>>>> >>>>>>> >>>>> >>>>> >>>>> >>> >>> >> > >
