[ 
https://issues.apache.org/jira/browse/RATIS-2435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Doroszlai updated RATIS-2435:
------------------------------------
    Issue Type: Bug  (was: Improvement)

> ratis-bom POM is not signed during release staging
> --------------------------------------------------
>
>                 Key: RATIS-2435
>                 URL: https://issues.apache.org/jira/browse/RATIS-2435
>             Project: Ratis
>          Issue Type: Bug
>            Reporter: Xinyu Tan
>            Assignee: Xinyu Tan
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> *Description*
> When running the release process, the ratis-bom module's POM file is not 
> signed with GPG, causing the signature validation to fail during staging:
> Event: Failed: Signature Validation
> failureMessage: Missing Signature: 
> '/org/apache/ratis/ratis-bom/3.2.2/ratis-bom-3.2.2.pom.asc' does not exist 
> for 'ratis-bom-3.2.2.pom'.
> *Root Cause*
> The ratis-bom/pom.xml does not define a parent POM. Other modules (e.g., 
> ratis-client, ratis-server) inherit from the root pom.xml, which in turn 
> inherits from org.apache:apache:35. This chain allows them to inherit the 
> apache-release profile that includes the maven-gpg-plugin configuration for 
> signing release artifacts.
> org.apache:apache:35 (includes GPG signing config)
> └── org.apache.ratis:ratis (root pom.xml)
>     ├── ratis-client (inherits → signed ✓)
>     ├── ratis-server (inherits → signed ✓)
>     └── ratis-bom (no parent → unsigned ✗)
> Since ratis-bom is a standalone POM without a parent, it does not inherit the 
> GPG signing configuration and thus its artifacts are not signed during 
> release.
> *Why not inherit Apache Parent POM?*
> Keeping ratis-bom independent is intentional and aligns with BOM design 
> principles:
>  - BOM is a pure dependency manifest for dependencyManagement import
>  - Apache Parent POM introduces unnecessary plugins (rat, enforcer, 
> checkstyle, etc.) that add no value to a BOM
>  - Only the GPG signing configuration is needed for release staging
> *Solution*
> Add an apache-release profile to ratis-bom/pom.xml with the maven-gpg-plugin 
> configuration
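
Added example, not part of the Jira issue or the Ratis build: a local pre-staging check for the "Missing Signature" failure quoted above, listing every file in a Maven repository layout that has no sibling `.asc`. The function names and the sample tree are constructed for illustration, and the check covers presence only, not signature validity.

```shell
#!/bin/sh
# Pre-staging check: list files in a local Maven repository layout that have
# no detached GPG signature (<file>.asc) next to them. Presence only; run
# `gpg --verify <file>.asc <file>` separately to validate the signature.

# Print every artifact under $1 lacking a sibling .asc, one path per line.
missing_signatures() {
    # Signatures, checksums and repository metadata are not signed themselves.
    find "$1" -type f \
        ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' \
        ! -name '*.sha256' ! -name '*.sha512' \
        ! -name 'maven-metadata.xml*' |
    sort |
    while IFS= read -r artifact; do
        [ -f "$artifact.asc" ] || printf '%s\n' "$artifact"
    done
}

# Return 0 when everything under $1 is signed, 1 otherwise (report on stderr).
check_staging() {
    unsigned=$(missing_signatures "$1")
    [ -z "$unsigned" ] && return 0
    printf 'Missing signature:\n%s\n' "$unsigned" >&2
    return 1
}

# Constructed sample: ratis-client signed, ratis-bom POM unsigned (empty files).
make_constructed_staging() {
    base=$1/org/apache/ratis
    mkdir -p "$base/ratis-client/3.2.2" "$base/ratis-bom/3.2.2"
    for f in ratis-client-3.2.2.pom ratis-client-3.2.2.jar; do
        : > "$base/ratis-client/3.2.2/$f"
        : > "$base/ratis-client/3.2.2/$f.asc"
        : > "$base/ratis-client/3.2.2/$f.sha512"
    done
    : > "$base/ratis-bom/3.2.2/ratis-bom-3.2.2.pom"
    : > "$base/ratis-bom/3.2.2/ratis-bom-3.2.2.pom.sha512"
}

# Demo run against the constructed tree.
demo=$(mktemp -d)
make_constructed_staging "$demo"
check_staging "$demo" || echo "staging would be rejected"
rm -rf "$demo"
```

Pointing `check_staging` at the directory a release build deploys into catches a module that skipped signing before the staging repository is closed.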


