On 12. May 2022, at 18:20, Richard Eckart de Castilho <r...@apache.org> wrote:
> 
> Issues:              https://issues.apache.org/jira/issues/?jql=project%20%3D%20UIMA%20AND%20fixVersion%20%3D%203.3.0uimafit
> Dist. artifacts:     https://dist.apache.org/repos/dist/dev/uima/uimafit-3.3.0-rc-2/
> Maven staging repo:  https://repository.apache.org/content/repositories/orgapacheuima-1273
> GitHub tag:          https://github.com/apache/uima-uimafit/tree/uimafit-3.3.0

Created working folder
```
% mkdir uimafit-vote
% cd uimafit-vote
```

Obtain release artifacts
```
% lftp -e "mget *; exit" https://dist.apache.org/repos/dist/dev/uima/uimafit-3.3.0-rc-2/
% lftp -e "mirror org; exit" https://repository.apache.org/content/repositories/orgapacheuima-1273
```

Validated signatures: OK
```
% gpg --verify uimafit-3.3.0-source-release.zip.asc
% find org -not '(' -name '*.md5' -or -name '*.sha*' -or -name '*.asc' -or -name 'maven-metadata.xml'  ')' -type f -print0 | xargs -I '{}' -0 -n1 gpg --verify '{}'.asc '{}'
```

Compared source release archive to tag: OK
```
% unzip uimafit-3.3.0-source-release.zip
% wget https://github.com/apache/uima-uimafit/archive/refs/tags/uimafit-3.3.0.zip
% unzip uimafit-3.3.0.zip
% diff -r uimafit-3.3.0 uima-uimafit-uimafit-3.3.0
Only in uima-uimafit-uimafit-3.3.0: .gitattributes
Only in uima-uimafit-uimafit-3.3.0: .gitignore
Only in uimafit-3.3.0: DEPENDENCIES
Only in uimafit-3.3.0: issuesFixed
Only in uimafit-3.3.0/uimafit-core: api-change-report
Only in uimafit-3.3.0/uimafit-cpe: api-change-report
Only in uimafit-3.3.0/uimafit-spring: api-change-report
```

Validated signatures: NOT OK

The hashes of the files deployed to the Maven Repository are not ok. For 
example, they have the wrong contents:

```
% cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f  uimafit-maven-plugin-3.3.0-javadoc.jar
```

Also, the hash file names should use the *full* file name of the signed file 
and then just append their suffix, e.g. 
`org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.jar.sha512`.

Checking back with the UIMA Java SDK 3.3.0 release, we seem to have the same 
problem there. Looks like we'll have to re-release UIMA Java SDK as well...

> Please vote on release:

[x] -1 NOT OK to release

Best,

-- Richard
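
The hash check described in the message above can be automated over the mirrored `org` tree. The following is an added example, not part of the original mail or of the UIMA project's tooling: the function names `digest`, `check_checksums` and `make_sample` are hypothetical, it assumes `sha512sum` (or `shasum`) is installed, and it assumes a sidecar holds a hex digest optionally followed by a file name.

```shell
#!/bin/sh
# Added example: audit .sha512 sidecars in a mirrored Maven repository tree.
command -v sha512sum >/dev/null || sha512sum() { shasum -a 512 "$@"; }
digest() { sha512sum "$1" | cut -d' ' -f1; }

# Print one finding per line; return 1 if any artifact fails.
#   MISSING   no "<full artifact name>.sha512" next to the artifact
#   WRONGNAME sidecar names a file other than the artifact
#   MISMATCH  sidecar digest differs from the artifact's SHA-512
check_checksums() {
    report=$(find "$1" -type f ! -name '*.md5' ! -name '*.sha*' \
                 ! -name '*.asc' ! -name 'maven-metadata.xml' | sort |
        while IFS= read -r f; do
            sidecar="$f.sha512"
            [ -f "$sidecar" ] || { echo "MISSING $f"; continue; }
            # Sidecar: hex digest, optionally followed by a file name.
            want=; named=
            read -r want named < "$sidecar" || true
            named=${named#\*}   # strip sha512sum's binary-mode marker
            if [ -n "$named" ] && [ "$named" != "${f##*/}" ]; then
                echo "WRONGNAME $f"
            fi
            [ "$want" = "$(digest "$f")" ] || echo "MISMATCH $f"
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree (file names and contents are made up).
make_sample() {
    mkdir -p "$1"
    printf 'jar bytes' > "$1/demo-1.0.jar"
    digest "$1/demo-1.0.jar" > "$1/demo-1.0.jar.sha512"        # correct
    printf 'pom bytes' > "$1/demo-1.0.pom"                     # sidecar misnamed:
    echo "$(digest "$1/demo-1.0.jar")  demo-1.0-javadoc.jar" > "$1/demo-1.0.sha512"
    printf 'src bytes' > "$1/demo-1.0-sources.jar"             # wrong name inside
    echo "$(digest "$1/demo-1.0-sources.jar")  demo-1.0.jar" > "$1/demo-1.0-sources.jar.sha512"
    printf 'doc bytes' > "$1/demo-1.0-javadoc.jar"             # wrong digest
    digest "$1/demo-1.0.jar" > "$1/demo-1.0-javadoc.jar.sha512"
}

if [ $# -gt 0 ]; then check_checksums "$1"; else
    tmp=$(mktemp -d); make_sample "$tmp"; check_checksums "$tmp" || true
    rm -rf "$tmp"
fi
```

Run with a directory argument (for example the mirrored `org` folder) it exits non-zero when any artifact lacks a correctly named, matching sidecar; with no argument it reports on the constructed sample.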
