On 12. May 2022, at 18:20, Richard Eckart de Castilho <r...@apache.org> wrote: > > Issues: > https://issues.apache.org/jira/issues/?jql=project%20%3D%20UIMA%20AND%20fixVersion%20%3D%203.3.0uimafit > Dist. artifacts: > https://dist.apache.org/repos/dist/dev/uima/uimafit-3.3.0-rc-2/ > Maven staging repo: > https://repository.apache.org/content/repositories/orgapacheuima-1273 > GitHub tag: https://github.com/apache/uima-uimafit/tree/uimafit-3.3.0
Created working folder ``` % mkdir uimafit-vote % cd uimafit-vote ``` Obtain release artifacts ``` % lftp -e "mget *; exit" https://dist.apache.org/repos/dist/dev/uima/uimafit-3.3.0-rc-2/ % lftp -e "mirror org; exit" https://repository.apache.org/content/repositories/orgapacheuima-1273 ``` Validated signatures: OK ``` % gpg --verify uimafit-3.3.0-source-release.zip.asc % find org -not '(' -name '*.md5' -or -name '*.sha*' -or -name '*.asc' -or -name 'maven-metadata.xml' ')' -type f -print0 | xargs -I '{}' -0 -n1 gpg --verify '{}'.asc '{}' ``` Compared source release archive to tag: OK ``` % unzip uimafit-3.3.0-source-release.zip % wget https://github.com/apache/uima-uimafit/archive/refs/tags/uimafit-3.3.0.zip % unzip uimafit-3.3.0.zip % diff -r uimafit-3.3.0 uima-uimafit-uimafit-3.3.0 Only in uima-uimafit-uimafit-3.3.0: .gitattributes Only in uima-uimafit-uimafit-3.3.0: .gitignore Only in uimafit-3.3.0: DEPENDENCIES Only in uimafit-3.3.0: issuesFixed Only in uimafit-3.3.0/uimafit-core: api-change-report Only in uimafit-3.3.0/uimafit-cpe: api-change-report Only in uimafit-3.3.0/uimafit-spring: api-change-report ``` Validated signatures: NOT OK The hashes of the files deployed to the Maven Repository are not ok. For example, they have the wrong contents: ``` % cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512 4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f uimafit-maven-plugin-3.3.0-javadoc.jar ``` Also, the hash file names should use the *full* file name of the signed file and then just append their suffix, e.g. `org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.jar.sha512`. Checking back with the UIMA Java SDK 3.3.0 release, we seem to have the same problem there. Looks like we'll have to re-release UIMA Java SDK as well... > Please vote on release: [x] -1 NOT OK to release Best, -- Richard