Xinyu Tan created RATIS-2435:
--------------------------------
Summary: ratis-bom POM is not signed during release staging
Key: RATIS-2435
URL: https://issues.apache.org/jira/browse/RATIS-2435
Project: Ratis
Issue Type: Improvement
Reporter: Xinyu Tan
Assignee: Xinyu Tan
*Description*
When running the release process, the ratis-bom module's POM file is not signed
with GPG, causing the signature validation to fail during staging:
Event: Failed: Signature Validation
failureMessage: Missing Signature:
'/org/apache/ratis/ratis-bom/3.2.2/ratis-bom-3.2.2.pom.asc' does not exist for
'ratis-bom-3.2.2.pom'.
*Root Cause*
The ratis-bom/pom.xml does not define a parent POM. Other modules (e.g.,
ratis-client, ratis-server) inherit from the root pom.xml, which in turn
inherits from org.apache:apache:35. This chain allows them to inherit the
apache-release profile that includes the maven-gpg-plugin configuration for
signing release artifacts.
org.apache:apache:35 (includes GPG signing config)
└── org.apache.ratis:ratis (root pom.xml)
    ├── ratis-client (inherits → signed ✓)
    ├── ratis-server (inherits → signed ✓)
    └── ratis-bom (no parent → unsigned ✗)
Since ratis-bom is a standalone POM without a parent, it does not inherit the
GPG signing configuration and thus its artifacts are not signed during release.
*Why not inherit Apache Parent POM?*
Keeping ratis-bom independent is intentional and aligns with BOM design
principles:
- BOM is a pure dependency manifest for dependencyManagement import
- Apache Parent POM introduces unnecessary plugins (rat, enforcer, checkstyle,
etc.) that add no value to a BOM
- Only the GPG signing configuration is needed for release staging
*Solution*
Add an apache-release profile to ratis-bom/pom.xml with the maven-gpg-plugin
configuration
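An added example, not part of the original issue or the Ratis code base: a pre-release check that flags any module POM that has no <parent> and does not declare maven-gpg-plugin in its own apache-release profile, which is the root cause described above. The function names and the reduced sample POMs are constructed for illustration, and the check assumes that a POM with a <parent> inherits signing through its parent chain.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def signs_in_profile(root, profile_id="apache-release"):
    """True if this POM itself declares maven-gpg-plugin inside the given profile."""
    for profile in root.findall("m:profiles/m:profile", NS):
        if profile.findtext("m:id", default="", namespaces=NS).strip() != profile_id:
            continue
        for plugin in profile.findall("m:build/m:plugins/m:plugin", NS):
            artifact = plugin.findtext("m:artifactId", default="", namespaces=NS)
            if artifact.strip() == "maven-gpg-plugin":
                return True
    return False

def modules_without_signing(poms):
    """Names of POMs that have no <parent> and no signing profile of their own.

    Assumption: a POM with a <parent> inherits signing through the parent chain;
    the chain itself is not resolved here.
    """
    flagged = []
    for name, xml_text in poms.items():
        root = ET.fromstring(xml_text)
        if root.find("m:parent", NS) is None and not signs_in_profile(root):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample POMs, reduced to the elements the check reads.
_HEAD = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
         "<modelVersion>4.0.0</modelVersion>")
_BOM = ("<groupId>org.apache.ratis</groupId><artifactId>ratis-bom</artifactId>"
        "<version>3.2.2</version><packaging>pom</packaging>")
_PROFILE = ("<profiles><profile><id>apache-release</id><build><plugins><plugin>"
            "<groupId>org.apache.maven.plugins</groupId>"
            "<artifactId>maven-gpg-plugin</artifactId>"
            "</plugin></plugins></build></profile></profiles>")
SAMPLE_POMS = {
    "ratis-client": _HEAD + "<parent><groupId>org.apache.ratis</groupId>"
                    "<artifactId>ratis</artifactId><version>3.2.2</version></parent>"
                    "<artifactId>ratis-client</artifactId></project>",
    "ratis-bom": _HEAD + _BOM + "</project>",
    "ratis-bom-with-profile": _HEAD + _BOM + _PROFILE + "</project>",
}

if __name__ == "__main__":
    print(modules_without_signing(SAMPLE_POMS))
```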