Downloaded the src.gz and checked the md5, result OK. (Don't know how to check the ASC or SHA, but I can do if someone gives me some guidence, is there a tutorial I can follow?)
Followed instructions in BUILD, which appears to work OK except that the md5 for the generated src.gz is different from the one I downloaded. I also notice the if you run the install target and then re-run the dist target, you get a different md5 for the src.gz every time you do 'ant install' followed by 'ant dist'. I don't know if this is a problem but it looks as though the dist target picks up stuff left over from the install target, or else something is changing. I would have thought the first thing dist should do is 'clean' everything down to a known state? Also, is there a quick way to run the demos after a binary build? I know they are on the web, but it would be a good sanity check for users to prove that what they just downloaded / checked out works OK as well as compiles. I couldn't find any HTML wrappers for the demos and I also noted that non-java resources in the source folder weren't copied in to the ant-bin folder. I think it would be good to have a HTML wrapper for each demo. Hope that helps. Cheers, Chris 2009/4/2 Todd Volkert <[email protected]> > Ok, after several iterations, I believe we're ready for another call > for a sanity check on the release candidate archives before calling > for a vote on this list (which in turn will lead to an incubator PMC > vote). You can download the files at > http://people.apache.org/~tvolkert/pivot/<http://people.apache.org/%7Etvolkert/pivot/> > > > So the "Released Artifact" are the sources and the build system (incl > > instructions) required to produce a useful binary. The binary output > > is NOT included in the primary release artifact, but is "generated" by > > it. So; SVN --(packaging)--> Source Release --(build+package)--> > > Binary Release > > This is now exactly how it works. > > > 1. Create a target in the Ant build, that zips/tars up the SVN > > sources, not including the .svn directories. Sources in this instance > > means everything that is needed to build Pivot, except for "System > > Requirements" (listed in the README/BUILD). Ant and JDK is typical > > System Requirements, as are any external jar files that are only > > required for the build, BUT some people (like myself) prefer to have > > them part of the source dist. > > Done. This is the "dist" target. The JDK and Ant are listed as > system requirements in the BUILD file, and the NOTICE file contains > all the legal notices required by our other third party dependencies. > > > 2. That zip/tar IS your primary release artifact; > > apache-pivot-1.1-incubating.tar.gz > > Per the naming conventions I've seen in all other Apache projects, I > named this apache-pivot-1.1-incubating-src.tar.gz > > > 3. Using that zip/tar, execute another Ant target (for instance > > 'install') which compiles, jars and sticks everything into a > > 'generated/apache-pivot-1.1-incubating' directory. > > Done. This is the "install" target. It creates an > install/apache-pivot-1.1-incubating folder and zip/tar.gz files of > that folder. > > > 4. The same target could also create a zip/tar of the > > 'generated/apache-pivot-1.1-incubating', and that IS your > > supplementary binary release. > > Per the naming conventions I've seen in all other Apache projects, > this archive is called apache-pivot-1.1-incubating.tar.gz > > > 5. Ask a couple of community members to sanity check the binary > > release, and make sure it is useful. > > Developers on this list, can you please download the binary > distributions from my home directory at > http://people.apache.org/~tvolkert/pivot/<http://people.apache.org/%7Etvolkert/pivot/>and > try to use the JAR files > therein to make sure that they're ok? I will do the same. > > Mentors, can you please check out both the source archive and the > binary archive to make sure that both in in keeping with the Apache > Way? > > > 6. Let people worry about Maven distro separately. And perhaps later > > migrate to Maven build system, if you find Maven support important and > > want to simplify such process. > > Yes > > > 7. Finally, the release artifacts needs checksums and signatures. The > > PGP signature should be uploaded to at least one or two public PGP > > servers, such as pgp.mit.edu, and eventually be cross-signed in person > > with other people in Apache (for instance at an ApacheCon event). That > > creates the Apache Web of Trust. This may seem like a lot of work for > > nothing, but there are some people who takes this aspect of Apache > > very, very seriously. See > > http://www.apache.org/dev/release-signing.html for more details. > > I've uploaded my public key to both the MIT server and the SKS Network > server, as well as provided it in the KEYS file that is in the folder > listed above. All archives contain MD5 and SHA checksums, as well as > ASCII armored detached signatures. My key is not connected to the web > of trust because I have not yet attended an ApacheCon conference -- I > hope this will not hold up an incubating release. >
