Thanks. So I assume the SHA and MD5 files are OK.
I'll put everything on my people.apache.org account later - I can't access it right now - and restart the vote. D. On Wed, Feb 17, 2010 at 4:49 PM, Daniel Kulp <[email protected]> wrote: > > Normally to generate the md5 and sha1, I just use the md5sum/md5 and > sha1sum/sah1 commands on pretty much any unix box. You could do it > right > on people.apache.org if you wanted. "sha1 -q file > file.sha1" > > Dan > > > On Wed February 17 2010 10:22:01 am Richard Hirsch wrote: > > Working on the problerm with signing the release and I'm getting the same > > problem that Bertrand describes. Maybe it is a difference between using > > SHA1 and SHA512. .. > > > > I verified it and it looks OK: > > > > C:\Program Files\GNU\GnuPG>gpg --verify > > apache-esme-1-0-0-incubating.src.tar.gz. > > asc apache-esme-1-0-0-incubating.src.tar.gz > > gpg: Unterschrift vom 02/17/10 15:48:32 mittels RSA-Schlüssel ID 6FACF917 > > gpg: Korrekte Unterschrift von "Richard Hirsch (CODE SIGNING KEY) < > > [email protected]>" > > > > I signed the release with the following commands: > > > > gpg --armor --output apache-esme-1-0-0-incubating.src.tar.gz.asc > > --detach-sig apache-esme-1-0-0-incubating.src.tar.gz > > gpg --print-md SHA512 apache-esme-1-0-0-incubating.src.tar.gz > > > apache-esme-1-0-0-incubating.src.tar.gz.sha > > gpg --print-md MD5 apache-esme-1-0-0-incubating.src.tar.gz > > > apache-esme-1-0-0-incubating.src.tar.gz.md5 > > > > > > What I don't know how to do is verify using MD5 or SHA? I found this > > sentence in the "Signing Releases" Apache Documen": "MD5 <#md5> and > > SHA<#sha-checksum>checksums provide a simple, means of verifying the > > integrity of a download. > > You can simply create a checksum (in the same way as the release manager) > > after download, and compare the result to the checksum downloaded from > the > > main Apache site. " but I have no idea how it is done. > > > > The contents of the files are > > > > * output apache-esme-1-0-0-incubating.src.tar.gz.asc: > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.10 (MingW32) > > > > iQIcBAABCgAGBQJLfAHAAAoJEItBUOZvrPkXfeQP/ie7n1axfF5xBb/HbtatCUzW > > TbYIznhhLZ4xq1bitxA5clSveUnH7O8oRsEmCUBbzday90qHhZUzkVEspr30DB/5 > > j9Tx2+Ov09lShX+L24rKGeL9ReZ5YbiuSxh7WmaESlnSnP3J5NMsG7Um+v2ICyhb > > NM1HUO7P1D5Xn9LZragOS0dt9VRAEb6h38rbBarRrFjKADf9gLqdkXmv7NgIWWwI > > AFSJKzUATShT6u4sRJDlauSB0VS8NGfV4F+10OKsmIIHbMyDyTt01chr4KCXcjnf > > siGHABBPBDUytjx648ohiXJPtmyovBTcqWtn3RF/dneSSCwibKgCGbJQgPCaWxvR > > uh14gLTdSt2c4VMs0reychMh/fGfAumuPDL2voS+AHc1QCALRiePnqgfxVwW40nP > > olQP5EPJpVr7vmOrOD29WgxEAlTqDsKLgTAkXAi1sPHpiHapDwu5PalaIMcmw8CS > > ZBj39pdKFLUQkxgPU08nS/2n6BUcRkNpH6e4ngfQIltSaYN501CUrqi3nLMwx006 > > 3zgTxm/ob6E6z13djolix2w0GQE6hkKDwesCj6K1h/sWp7y9rYiqIqS5A3WO+jAz > > yij43gkNYzPnjr8Dz8mJM53FWWA+kQvF8E1iesIdTk1s5IaUno9ipqFSHv6wf1TQ > > PfkCUjE05RyhSY3lDAmY > > =Y4I/ > > -----END PGP SIGNATURE----- > > > > > > * apache-esme-1-0-0-incubating.src.tar.gz.sha > > > > apache-esme-1-0-0-incubating.src.tar.gz: > > 771A97EB 34FD26C1 D431E4EA D7D4FC4C 3971DB42 F50B0B66 C32D601F 70D450FB > > 06F73667 > > 8E118141 5A83C40A 84C1ABDF 808551DC 10949049 1962C634 FFBFAE69 > > > > * apache-esme-1-0-0-incubating.src.tar.gz.md5 > > > > apache-esme-1-0-0-incubating.src.tar.gz: > > 8E 43 0D DF F8 FE 15 9B 22 47 C2 C0 CC 30 21 2C > > > > I then used this command: openssl sha1 > > apache-esme-1-0-0-incubating.src.tar.gz > > SHA1(apache-esme-1-0-0-incubating.src.tar.gz)= > > e87405b0df026fde41c65c31c11b8026c > > a06687d > > > > Does somebody have a clue if I'm doing something wrong... > > > > Thanks. > > > > D. > > > > On Tue, Feb 16, 2010 at 5:28 PM, Bertrand Delacretaz > > <[email protected] > > > > > wrote: > > > > > > Hi, > > > > > > On Mon, Feb 15, 2010 at 4:05 PM, Richard Hirsch <[email protected] > > > > > > > > wrote: > > > > ...The candidate can be found at: > > > > > > > > http://people.apache.org/~rhirsch/esme/<http://people.apache.org/%7Erhirsch/esme/> > <http://people.apache.org/%7Erh > > > > irsch/esme/> > > > > > > Unfortunately I'm -1 on the release, I have a few issues including a > > > GPL dependency. > > > > > > 1) jwebunit dependency is GPL > > > The server module depends on > > > > > > net.sourceforge.jwebunit:jwebunit-htmlunit-plugin:jar:1.4.1:test > > > > > > which according to http://jwebunit.sourceforge.net/license.html is > GPL. > > > > > > 2) The sha1 digest does not match, did I do something wrong? > > > > > > $ openssl sha1 apache-esme-incubating-1.0-src.tar.gz > > > SHA1(apache-esme-incubating-1.0-src.tar.gz)= > > > a9ec8d95266d5944d493392a06eb1651c03222f1 > > > > > > $ cat apache-esme-incubating-1.0-src.tar.gz.sha > > > apache-esme-incubating-1.0-src.tar.gz: A53494C8 55474CE3 5AC20516 > > > C2448CB6 > > > > > > 64B3B76C 747BA64A FFC9A836 > EDAB8D86 > > > 4E0735CC AA29ACA9 07767C58 > D1C0FEDA > > > CA7E73A3 ADA3944D 464314B2 > 4BE0E476 > > > > > > 3) mvn dependency:analyze of the server module shows lots of unused > > > declared dependencies, those should be cleaned up, especially > > > openDMK:jdmkrt:jar which according to https://opendmk.dev.java.net/ is > > > either GPL or CDDL license. Not sure which parts of OpenDMK are which > > > license, but as it's unused better remove it. > > > > > > 4) When trying to build esme-java-client with "mvn clean install" I > > > get "Embedded error: Error while executing the external compiler" if > > > JAVA_HOME is not set. > > > > > > 5) apache-esme-incubating-1.0-src.tar.gz contains .svn folders, it > > > should not have that. You could have created the release using svn > > > export of > > > > http://svn.apache.org/repos/asf/incubator/esme/tags/apache-esme-1.0-incub > > > ating/ to avoid that. > > > > > > 6) I couldn't find license information for the > > > com.twitter:stats:jar:1.3:compile dependency, was that checked to be > > > ok? > > > > > > Sorry that I didn't have time to look at that during the ESME podling > > > vote. > > > > > > Apart from the GPL dependency the release preparation looks mostly ok, > > > rat reports are good, license/notice are provided, etc. > > > > > > -Bertrand > > -- > Daniel Kulp > [email protected] > http://www.dankulp.com/blog >
