Re: [VOTE] Release Log4Net 2.0.9
I would imagine that this would have to either happen on Apache infra or be a GH action administered by someone with uber rights, though, yes, this is a good option. I don't have all the working pieces in my flows, but it would be convenient for my packages to have a similar mechanism, so if this is something the PMC would be interested in, I could play-test it against PeanutButter.* before proposing an automated solution? -d On August 17, 2020 20:07:34 Dominik Psenner wrote: Is there an option to trust a ci machine and automate the publish with a push of a tag after a successful vote? With this, anyone having the possibility to push a tag can forge a release with almost no effort. -- Sent from my phone. Typos are a kind gift to anyone who happens to find them. On Mon, Aug 17, 2020, 19:21 Davyd McColl wrote: Correct, nuget publish. An option, once I'm trusted, is to allow me to publish. My nuget login is done via Microsoft credentials for dav...@gmail.com, and is secured by 2FA, so the only real risk is how dodgy I am (: If it's of interest to anyone, my profile is at https://www.nuget.org/profiles/davydm -d On August 17, 2020 18:46:50 Dominik Psenner wrote: > I guess that would be a nuget publish. > > https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package > > The credentials to that account are stored in the private repos of logging > pmc. Most members of the pmc should be in the set of recipients with their > gpg key. > -- > Sent from my phone. Typos are a kind gift to anyone who happens to find > them. > > On Mon, Aug 17, 2020, 08:56 Davyd McColl wrote: > >> Great! >> >> How do we get the nupkg to nuget.org? This is the final step that most >> users are going to be interested in. >> >> Having a look at what's at the url you posted, I have ideas on how to >> streamline future releases, so the next time I'm in that area, I'm >> definitely implementing those ideas. I don't see changes to the Release >> Notes area -- if I were to try to streamline that into a release, would a >> CHANGELOG file be useful? Or is there a better way? >> >> -d >> On 2020/08/16 23:26:07, Matt Sicker wrote: >> I committed them to dist already. I don't know how long we should wait >> for any mirroring to catch up, though on my end, I see updated >> artifacts on https://downloads.apache.org/logging/log4net/ other than >> the release notes. >> >> On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote: >> > >> > +1 to that! >> > >> > Let me know when these are published. I can update the web site to >> reflect that it is no longer dormant. >> > >> > Ralph >> > >> > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote: >> > > >> > > Thanks so much for your help in releasing this! >> > > >> > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote: >> > >> >> > >> I'll make changes to the automated build to affect all changes you >> have >> > >> made (and perhaps will make) automatically to future releases for the >> next >> > >> release. Apologies for making this more difficult than it needs to be >> (: >> > >> >> > >> -d >> > >> >> > >> >> > >> On August 16, 2020 20:37:01 Matt Sicker wrote: >> > >> >> > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries >> > >>> zip, and a rename of the files to include "apache" in the name. I've >> > >>> uploaded them to dist along with updating the KEYS file for log4net, >> > >>> though that should probably be merged together with the project-wide >> > >>> KEYS file in the parent directory. There's an outdated README.html in >> > >>> the directory still containing the old release notes, but we can >> > >>> address that next. >> > >>> >> > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote: >> > >> > One issue I found in one of the artifacts that I can address before >> > uploading since it wasn't signed is the binaries zip is missing the >> > LICENSE file. I'm not sure if there's a standard way to include that >> > in the nupkg file, but I did see that in its metadata, it explicitly >> > says the code is Apache2 licensed at least. >> > >> > On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote: >> > > >> > > I'll sign and publish the artifacts today. >> > > >> > > On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote: >> > >> >> > >> Thanks Remko. That makes 3 +1 votes from PMC members. >> > >> >> > >> Ralph >> > >> >> > >>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote: >> > >>> >> > >>> +1 Remko. >> > >>> >> > >>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote: >> > >>> >> > +1 from me. We can handle the release signing afterwards as >> Ralph >> > suggests. >> > >> > On Mon, 3 Aug 2020 at 10:30, Ralph Goers >> > wrote: >> > > >> > > Can other PMC members please review this? It has been more >> than 72 >> > hours. >> > > >> > > Ralph >> > > >> > >> On Jul 30, 2020, at
Re: [VOTE] Release Log4Net 2.0.9
Is there an option to trust a ci machine and automate the publish with a push of a tag after a successful vote? With this, anyone having the possibility to push a tag can forge a release with almost no effort. -- Sent from my phone. Typos are a kind gift to anyone who happens to find them. On Mon, Aug 17, 2020, 19:21 Davyd McColl wrote: > Correct, nuget publish. An option, once I'm trusted, is to allow me to > publish. My nuget login is done via Microsoft credentials for > dav...@gmail.com, and is secured by 2FA, so the only real risk is how > dodgy > I am (: > > If it's of interest to anyone, my profile is at > https://www.nuget.org/profiles/davydm > > -d > > > On August 17, 2020 18:46:50 Dominik Psenner wrote: > > > I guess that would be a nuget publish. > > > > https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package > > > > The credentials to that account are stored in the private repos of > logging > > pmc. Most members of the pmc should be in the set of recipients with > their > > gpg key. > > -- > > Sent from my phone. Typos are a kind gift to anyone who happens to find > > them. > > > > On Mon, Aug 17, 2020, 08:56 Davyd McColl wrote: > > > >> Great! > >> > >> How do we get the nupkg to nuget.org? This is the final step that most > >> users are going to be interested in. > >> > >> Having a look at what's at the url you posted, I have ideas on how to > >> streamline future releases, so the next time I'm in that area, I'm > >> definitely implementing those ideas. I don't see changes to the Release > >> Notes area -- if I were to try to streamline that into a release, would > a > >> CHANGELOG file be useful? Or is there a better way? > >> > >> -d > >> On 2020/08/16 23:26:07, Matt Sicker wrote: > >> I committed them to dist already. I don't know how long we should wait > >> for any mirroring to catch up, though on my end, I see updated > >> artifacts on https://downloads.apache.org/logging/log4net/ other than > >> the release notes. > >> > >> On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote: > >> > > >> > +1 to that! > >> > > >> > Let me know when these are published. I can update the web site to > >> reflect that it is no longer dormant. > >> > > >> > Ralph > >> > > >> > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote: > >> > > > >> > > Thanks so much for your help in releasing this! > >> > > > >> > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote: > >> > >> > >> > >> I'll make changes to the automated build to affect all changes you > >> have > >> > >> made (and perhaps will make) automatically to future releases for > the > >> next > >> > >> release. Apologies for making this more difficult than it needs to > be > >> (: > >> > >> > >> > >> -d > >> > >> > >> > >> > >> > >> On August 16, 2020 20:37:01 Matt Sicker wrote: > >> > >> > >> > >>> Just a simple copy of the LICENSE and NOTICE file into the > binaries > >> > >>> zip, and a rename of the files to include "apache" in the name. > I've > >> > >>> uploaded them to dist along with updating the KEYS file for > log4net, > >> > >>> though that should probably be merged together with the > project-wide > >> > >>> KEYS file in the parent directory. There's an outdated > README.html in > >> > >>> the directory still containing the old release notes, but we can > >> > >>> address that next. > >> > >>> > >> > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote: > >> > > >> > One issue I found in one of the artifacts that I can address > before > >> > uploading since it wasn't signed is the binaries zip is missing > the > >> > LICENSE file. I'm not sure if there's a standard way to include > that > >> > in the nupkg file, but I did see that in its metadata, it > explicitly > >> > says the code is Apache2 licensed at least. > >> > > >> > On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote: > >> > > > >> > > I'll sign and publish the artifacts today. > >> > > > >> > > On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote: > >> > >> > >> > >> Thanks Remko. That makes 3 +1 votes from PMC members. > >> > >> > >> > >> Ralph > >> > >> > >> > >>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote: > >> > >>> > >> > >>> +1 Remko. > >> > >>> > >> > >>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote: > >> > >>> > >> > +1 from me. We can handle the release signing afterwards as > >> Ralph > >> > suggests. > >> > > >> > On Mon, 3 Aug 2020 at 10:30, Ralph Goers > >> > wrote: > >> > > > >> > > Can other PMC members please review this? It has been more > >> than 72 > >> > hours. > >> > > > >> > > Ralph > >> > > > >> > >> On Jul 30, 2020, at 11:17 PM, Davyd McColl > >> > wrote: > >> > >> > >> > >> Hi all, I've never done this before, so bear with me if I > >> fluff it: > >> > >> > >> > >> This is a proposed vote to release log4net
Re: [VOTE] Release Log4Net 2.0.9
Correct, nuget publish. An option, once I'm trusted, is to allow me to publish. My nuget login is done via Microsoft credentials for dav...@gmail.com, and is secured by 2FA, so the only real risk is how dodgy I am (: If it's of interest to anyone, my profile is at https://www.nuget.org/profiles/davydm -d On August 17, 2020 18:46:50 Dominik Psenner wrote: I guess that would be a nuget publish. https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package The credentials to that account are stored in the private repos of logging pmc. Most members of the pmc should be in the set of recipients with their gpg key. -- Sent from my phone. Typos are a kind gift to anyone who happens to find them. On Mon, Aug 17, 2020, 08:56 Davyd McColl wrote: Great! How do we get the nupkg to nuget.org? This is the final step that most users are going to be interested in. Having a look at what's at the url you posted, I have ideas on how to streamline future releases, so the next time I'm in that area, I'm definitely implementing those ideas. I don't see changes to the Release Notes area -- if I were to try to streamline that into a release, would a CHANGELOG file be useful? Or is there a better way? -d On 2020/08/16 23:26:07, Matt Sicker wrote: I committed them to dist already. I don't know how long we should wait for any mirroring to catch up, though on my end, I see updated artifacts on https://downloads.apache.org/logging/log4net/ other than the release notes. On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote: > > +1 to that! > > Let me know when these are published. I can update the web site to reflect that it is no longer dormant. > > Ralph > > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote: > > > > Thanks so much for your help in releasing this! > > > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote: > >> > >> I'll make changes to the automated build to affect all changes you have > >> made (and perhaps will make) automatically to future releases for the next > >> release. Apologies for making this more difficult than it needs to be (: > >> > >> -d > >> > >> > >> On August 16, 2020 20:37:01 Matt Sicker wrote: > >> > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries > >>> zip, and a rename of the files to include "apache" in the name. I've > >>> uploaded them to dist along with updating the KEYS file for log4net, > >>> though that should probably be merged together with the project-wide > >>> KEYS file in the parent directory. There's an outdated README.html in > >>> the directory still containing the old release notes, but we can > >>> address that next. > >>> > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote: > > One issue I found in one of the artifacts that I can address before > uploading since it wasn't signed is the binaries zip is missing the > LICENSE file. I'm not sure if there's a standard way to include that > in the nupkg file, but I did see that in its metadata, it explicitly > says the code is Apache2 licensed at least. > > On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote: > > > > I'll sign and publish the artifacts today. > > > > On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote: > >> > >> Thanks Remko. That makes 3 +1 votes from PMC members. > >> > >> Ralph > >> > >>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote: > >>> > >>> +1 Remko. > >>> > >>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote: > >>> > +1 from me. We can handle the release signing afterwards as Ralph > suggests. > > On Mon, 3 Aug 2020 at 10:30, Ralph Goers > wrote: > > > > Can other PMC members please review this? It has been more than 72 > hours. > > > > Ralph > > > >> On Jul 30, 2020, at 11:17 PM, Davyd McColl > wrote: > >> > >> Hi all, I've never done this before, so bear with me if I fluff it: > >> > >> This is a proposed vote to release log4net 2.0.9 from PR > https://github.com/apache/logging-log4net/pull/61 > >> > >> Release artifacts (including source zip) are at: > > https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts > >> Source can be checked out from > https://github.com/fluffynuts/logging-log4net/logging-log4net, tag rel/ > 2.0.9. I can't push tags to the upstream, but this tag is exactly the > same commit as the last in the PR mentioned above, which was > accepted into > master a few days ago. > >> > >> Please check out the artifacts & if everyone is ok with what's there, > please can someone with the rights to publish to nuget do so. > >> > >> Once I've seen how this process works, I'd like to tackle the CVE that > has been brought up on this list more than once --
Re: [VOTE] Release Log4Net 2.0.9
I guess that would be a nuget publish. https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package The credentials to that account are stored in the private repos of logging pmc. Most members of the pmc should be in the set of recipients with their gpg key. -- Sent from my phone. Typos are a kind gift to anyone who happens to find them. On Mon, Aug 17, 2020, 08:56 Davyd McColl wrote: > Great! > > How do we get the nupkg to nuget.org? This is the final step that most > users are going to be interested in. > > Having a look at what's at the url you posted, I have ideas on how to > streamline future releases, so the next time I'm in that area, I'm > definitely implementing those ideas. I don't see changes to the Release > Notes area -- if I were to try to streamline that into a release, would a > CHANGELOG file be useful? Or is there a better way? > > -d > On 2020/08/16 23:26:07, Matt Sicker wrote: > I committed them to dist already. I don't know how long we should wait > for any mirroring to catch up, though on my end, I see updated > artifacts on https://downloads.apache.org/logging/log4net/ other than > the release notes. > > On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote: > > > > +1 to that! > > > > Let me know when these are published. I can update the web site to > reflect that it is no longer dormant. > > > > Ralph > > > > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote: > > > > > > Thanks so much for your help in releasing this! > > > > > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote: > > >> > > >> I'll make changes to the automated build to affect all changes you > have > > >> made (and perhaps will make) automatically to future releases for the > next > > >> release. Apologies for making this more difficult than it needs to be > (: > > >> > > >> -d > > >> > > >> > > >> On August 16, 2020 20:37:01 Matt Sicker wrote: > > >> > > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries > > >>> zip, and a rename of the files to include "apache" in the name. I've > > >>> uploaded them to dist along with updating the KEYS file for log4net, > > >>> though that should probably be merged together with the project-wide > > >>> KEYS file in the parent directory. There's an outdated README.html in > > >>> the directory still containing the old release notes, but we can > > >>> address that next. > > >>> > > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote: > > > > One issue I found in one of the artifacts that I can address before > > uploading since it wasn't signed is the binaries zip is missing the > > LICENSE file. I'm not sure if there's a standard way to include that > > in the nupkg file, but I did see that in its metadata, it explicitly > > says the code is Apache2 licensed at least. > > > > On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote: > > > > > > I'll sign and publish the artifacts today. > > > > > > On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote: > > >> > > >> Thanks Remko. That makes 3 +1 votes from PMC members. > > >> > > >> Ralph > > >> > > >>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote: > > >>> > > >>> +1 Remko. > > >>> > > >>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote: > > >>> > > +1 from me. We can handle the release signing afterwards as > Ralph > > suggests. > > > > On Mon, 3 Aug 2020 at 10:30, Ralph Goers > > wrote: > > > > > > Can other PMC members please review this? It has been more > than 72 > > hours. > > > > > > Ralph > > > > > >> On Jul 30, 2020, at 11:17 PM, Davyd McColl > > wrote: > > >> > > >> Hi all, I've never done this before, so bear with me if I > fluff it: > > >> > > >> This is a proposed vote to release log4net 2.0.9 from PR > > https://github.com/apache/logging-log4net/pull/61 > > >> > > >> Release artifacts (including source zip) are at: > > > > > https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts > > >> Source can be checked out from > > https://github.com/fluffynuts/logging-log4net/logging-log4net, > tag rel/ > > 2.0.9. I can't push tags to the upstream, but this tag is > exactly the > > same commit as the last in the PR mentioned above, which was > > accepted into > > master a few days ago. > > >> > > >> Please check out the artifacts & if everyone is ok with > what's there, > > please can someone with the rights to publish to nuget do so. > > >> > > >> Once I've seen how this process works, I'd like to tackle the > CVE that > > has been brought up on this list more than once -- it's a > simple change > > which was already committed to the develop branch some time > ago, so > > there > > are a
Re: [VOTE] Release Log4Net 2.0.9
The nuget.org question is probably of the highest priority - that's how most people are going to get any .net package release. If it's not on nuget.org, it might as well not be released. Any idea who would know about releasing there? Is there someone I can bother? -d On August 17, 2020 18:08:15 Matt Sicker wrote: The release notes are generated from the README.html file in the dist area. I'm not sure where they're generated from, but some sort of changelog file to go alongside the artifacts could be helpful here. Otherwise, we'd typically only worry about the download links on the logging.apache.org site. As for nuget, I'm not sure about that. On Mon, 17 Aug 2020 at 01:56, Davyd McColl wrote: Great! How do we get the nupkg to nuget.org? This is the final step that most users are going to be interested in. Having a look at what's at the url you posted, I have ideas on how to streamline future releases, so the next time I'm in that area, I'm definitely implementing those ideas. I don't see changes to the Release Notes area -- if I were to try to streamline that into a release, would a CHANGELOG file be useful? Or is there a better way? -d On 2020/08/16 23:26:07, Matt Sicker wrote: I committed them to dist already. I don't know how long we should wait for any mirroring to catch up, though on my end, I see updated artifacts on https://downloads.apache.org/logging/log4net/ other than the release notes. On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote: > > +1 to that! > > Let me know when these are published. I can update the web site to reflect that it is no longer dormant. > > Ralph > > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote: > > > > Thanks so much for your help in releasing this! > > > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote: > >> > >> I'll make changes to the automated build to affect all changes you have > >> made (and perhaps will make) automatically to future releases for the next > >> release. Apologies for making this more difficult than it needs to be (: > >> > >> -d > >> > >> > >> On August 16, 2020 20:37:01 Matt Sicker wrote: > >> > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries > >>> zip, and a rename of the files to include "apache" in the name. I've > >>> uploaded them to dist along with updating the KEYS file for log4net, > >>> though that should probably be merged together with the project-wide > >>> KEYS file in the parent directory. There's an outdated README.html in > >>> the directory still containing the old release notes, but we can > >>> address that next. > >>> > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote: > > One issue I found in one of the artifacts that I can address before > uploading since it wasn't signed is the binaries zip is missing the > LICENSE file. I'm not sure if there's a standard way to include that > in the nupkg file, but I did see that in its metadata, it explicitly > says the code is Apache2 licensed at least. > > On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote: > > > > I'll sign and publish the artifacts today. > > > > On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote: > >> > >> Thanks Remko. That makes 3 +1 votes from PMC members. > >> > >> Ralph > >> > >>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote: > >>> > >>> +1 Remko. > >>> > >>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote: > >>> > +1 from me. We can handle the release signing afterwards as Ralph > suggests. > > On Mon, 3 Aug 2020 at 10:30, Ralph Goers > wrote: > > > > Can other PMC members please review this? It has been more than 72 > hours. > > > > Ralph > > > >> On Jul 30, 2020, at 11:17 PM, Davyd McColl > wrote: > >> > >> Hi all, I've never done this before, so bear with me if I fluff it: > >> > >> This is a proposed vote to release log4net 2.0.9 from PR > https://github.com/apache/logging-log4net/pull/61 > >> > >> Release artifacts (including source zip) are at: > > https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts > >> Source can be checked out from > https://github.com/fluffynuts/logging-log4net/logging-log4net, tag rel/ > 2.0.9. I can't push tags to the upstream, but this tag is exactly the > same commit as the last in the PR mentioned above, which was > accepted into > master a few days ago. > >> > >> Please check out the artifacts & if everyone is ok with what's there, > please can someone with the rights to publish to nuget do so. > >> > >> Once I've seen how this process works, I'd like to tackle the CVE that > has been brought up on this list more than once -- it's a simple change >
Re: [VOTE] Release Log4Net 2.0.9
The release notes are generated from the README.html file in the dist area. I'm not sure where they're generated from, but some sort of changelog file to go alongside the artifacts could be helpful here. Otherwise, we'd typically only worry about the download links on the logging.apache.org site. As for nuget, I'm not sure about that. On Mon, 17 Aug 2020 at 01:56, Davyd McColl wrote: > > Great! > > How do we get the nupkg to nuget.org? This is the final step that most users > are going to be interested in. > > Having a look at what's at the url you posted, I have ideas on how to > streamline future releases, so the next time I'm in that area, I'm definitely > implementing those ideas. I don't see changes to the Release Notes area -- if > I were to try to streamline that into a release, would a CHANGELOG file be > useful? Or is there a better way? > > -d > On 2020/08/16 23:26:07, Matt Sicker wrote: > I committed them to dist already. I don't know how long we should wait > for any mirroring to catch up, though on my end, I see updated > artifacts on https://downloads.apache.org/logging/log4net/ other than > the release notes. > > On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote: > > > > +1 to that! > > > > Let me know when these are published. I can update the web site to reflect > > that it is no longer dormant. > > > > Ralph > > > > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote: > > > > > > Thanks so much for your help in releasing this! > > > > > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote: > > >> > > >> I'll make changes to the automated build to affect all changes you have > > >> made (and perhaps will make) automatically to future releases for the > > >> next > > >> release. Apologies for making this more difficult than it needs to be (: > > >> > > >> -d > > >> > > >> > > >> On August 16, 2020 20:37:01 Matt Sicker wrote: > > >> > > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries > > >>> zip, and a rename of the files to include "apache" in the name. I've > > >>> uploaded them to dist along with updating the KEYS file for log4net, > > >>> though that should probably be merged together with the project-wide > > >>> KEYS file in the parent directory. There's an outdated README.html in > > >>> the directory still containing the old release notes, but we can > > >>> address that next. > > >>> > > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote: > > > > One issue I found in one of the artifacts that I can address before > > uploading since it wasn't signed is the binaries zip is missing the > > LICENSE file. I'm not sure if there's a standard way to include that > > in the nupkg file, but I did see that in its metadata, it explicitly > > says the code is Apache2 licensed at least. > > > > On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote: > > > > > > I'll sign and publish the artifacts today. > > > > > > On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote: > > >> > > >> Thanks Remko. That makes 3 +1 votes from PMC members. > > >> > > >> Ralph > > >> > > >>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote: > > >>> > > >>> +1 Remko. > > >>> > > >>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote: > > >>> > > +1 from me. We can handle the release signing afterwards as Ralph > > suggests. > > > > On Mon, 3 Aug 2020 at 10:30, Ralph Goers > > wrote: > > > > > > Can other PMC members please review this? It has been more than 72 > > hours. > > > > > > Ralph > > > > > >> On Jul 30, 2020, at 11:17 PM, Davyd McColl > > wrote: > > >> > > >> Hi all, I've never done this before, so bear with me if I fluff > > >> it: > > >> > > >> This is a proposed vote to release log4net 2.0.9 from PR > > https://github.com/apache/logging-log4net/pull/61 > > >> > > >> Release artifacts (including source zip) are at: > > > > https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts > > >> Source can be checked out from > > https://github.com/fluffynuts/logging-log4net/logging-log4net, tag > > rel/ > > 2.0.9. I can't push tags to the upstream, but this tag is exactly > > the > > same commit as the last in the PR mentioned above, which was > > accepted into > > master a few days ago. > > >> > > >> Please check out the artifacts & if everyone is ok with what's > > >> there, > > please can someone with the rights to publish to nuget do so. > > >> > > >> Once I've seen how this process works, I'd like to tackle the > > >> CVE that > > has been brought up on this list more than once -- it's a simple > > change > > which was already committed
Re: [VOTE] [log4xx] Release log4cxx 0.11.0
I am using a recent version in production Ubuntu servers, so it is definitely release ready. +1 On Mon, Aug 17, 2020, 7:27 PM Christian Grobmeier wrote: > Hello, > > I am not an expert on c++ or something, but I looked on the content, read > this thread and think it is safe to release this. However, my hope is that > in future more competent cxx devs than me would check it :) > > I vote +1 also > > Cheers, > Christian > > On Mon, Aug 17, 2020, at 08:08, Ralph Goers wrote: > > I noticed that the files have she and md5 files. We are not supposed to > > use either of these any more and only use sha512. I can fix that. > > > > I vote +1 > > > > Ralph > > > > > > > > > > > On Aug 9, 2020, at 10:24 AM, Robert Middleton > wrote: > > > > > > I've run through the release of log4cxx 0.11.0. There's still > something > > > strange about how it all works(mostly due to the tooling of shell > > > script/maven/ant/cmake/autotools). However, I do believe that I have a > > > workable release at this point. A quick note on the release: I did the > > > 'mvn release:prepare' manually, which is where these artifacts come > from; > > > running through the 'mvn release:perform' causes the generated files > to be > > > -SNAPSHOT versioned, instead of 0.11.0. This means that the version > of the > > > pom.xml in the tag is still 0.11.0-SNAPSHOT, but since maven isn't > really > > > used to build I don't think this will be an issue. > > > > > > Artifacts uploaded here: > > > https://dist.apache.org/repos/dist/dev/logging/log4cxx/ > > > tag: https://github.com/apache/logging-log4cxx/tree/v0.11.0-RC2 > > > > > > The artifacts are signed, although I still need to send my key to Matt > so > > > he can import it into the logging KEYS file. > > > > > > -Robert Middleton > > > > > > >
Re: [VOTE] [log4xx] Release log4cxx 0.11.0
Hello, I am not an expert on c++ or something, but I looked on the content, read this thread and think it is safe to release this. However, my hope is that in future more competent cxx devs than me would check it :) I vote +1 also Cheers, Christian On Mon, Aug 17, 2020, at 08:08, Ralph Goers wrote: > I noticed that the files have she and md5 files. We are not supposed to > use either of these any more and only use sha512. I can fix that. > > I vote +1 > > Ralph > > > > > > On Aug 9, 2020, at 10:24 AM, Robert Middleton wrote: > > > > I've run through the release of log4cxx 0.11.0. There's still something > > strange about how it all works(mostly due to the tooling of shell > > script/maven/ant/cmake/autotools). However, I do believe that I have a > > workable release at this point. A quick note on the release: I did the > > 'mvn release:prepare' manually, which is where these artifacts come from; > > running through the 'mvn release:perform' causes the generated files to be > > -SNAPSHOT versioned, instead of 0.11.0. This means that the version of the > > pom.xml in the tag is still 0.11.0-SNAPSHOT, but since maven isn't really > > used to build I don't think this will be an issue. > > > > Artifacts uploaded here: > > https://dist.apache.org/repos/dist/dev/logging/log4cxx/ > > tag: https://github.com/apache/logging-log4cxx/tree/v0.11.0-RC2 > > > > The artifacts are signed, although I still need to send my key to Matt so > > he can import it into the logging KEYS file. > > > > -Robert Middleton > > >
Re: [VOTE] [log4xx] Release log4cxx 0.11.0
Guten Tag Ralph Goers,
am Montag, 17. August 2020 um 08:08 schrieben Sie:
> I noticed that the files have she and md5 files. We are not
> supposed to use either of these any more and only use sha512. I can fix that.
While the file extension is named ".sha", SHA-512 is calculated
already:
> gpg -ab --yes "${file}" > "${file}.asc"
> md5sum"${file}" > "${file}.md5"
> sha512sum "${file}" > "${file}.sha"
So only the extension needs to be changed to whatever you prefer and
optionally MD5 removed.
Mit freundlichen Grüßen,
Thorsten Schöning
--
Thorsten Schöning E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme http://www.AM-SoFT.de/
Telefon...05151- 9468- 55
Fax...05151- 9468- 88
Mobil..0178-8 9468- 04
AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Geschäftsführer: Andreas Muchow
Re: [VOTE] Release Log4Net 2.0.9
Great! How do we get the nupkg to nuget.org? This is the final step that most users are going to be interested in. Having a look at what's at the url you posted, I have ideas on how to streamline future releases, so the next time I'm in that area, I'm definitely implementing those ideas. I don't see changes to the Release Notes area -- if I were to try to streamline that into a release, would a CHANGELOG file be useful? Or is there a better way? -d On 2020/08/16 23:26:07, Matt Sicker wrote: I committed them to dist already. I don't know how long we should wait for any mirroring to catch up, though on my end, I see updated artifacts on https://downloads.apache.org/logging/log4net/ other than the release notes. On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote: > > +1 to that! > > Let me know when these are published. I can update the web site to reflect > that it is no longer dormant. > > Ralph > > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote: > > > > Thanks so much for your help in releasing this! > > > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote: > >> > >> I'll make changes to the automated build to affect all changes you have > >> made (and perhaps will make) automatically to future releases for the next > >> release. Apologies for making this more difficult than it needs to be (: > >> > >> -d > >> > >> > >> On August 16, 2020 20:37:01 Matt Sicker wrote: > >> > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries > >>> zip, and a rename of the files to include "apache" in the name. I've > >>> uploaded them to dist along with updating the KEYS file for log4net, > >>> though that should probably be merged together with the project-wide > >>> KEYS file in the parent directory. There's an outdated README.html in > >>> the directory still containing the old release notes, but we can > >>> address that next. > >>> > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote: > > One issue I found in one of the artifacts that I can address before > uploading since it wasn't signed is the binaries zip is missing the > LICENSE file. I'm not sure if there's a standard way to include that > in the nupkg file, but I did see that in its metadata, it explicitly > says the code is Apache2 licensed at least. > > On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote: > > > > I'll sign and publish the artifacts today. > > > > On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote: > >> > >> Thanks Remko. That makes 3 +1 votes from PMC members. > >> > >> Ralph > >> > >>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote: > >>> > >>> +1 Remko. > >>> > >>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote: > >>> > +1 from me. We can handle the release signing afterwards as Ralph > suggests. > > On Mon, 3 Aug 2020 at 10:30, Ralph Goers > wrote: > > > > Can other PMC members please review this? It has been more than 72 > hours. > > > > Ralph > > > >> On Jul 30, 2020, at 11:17 PM, Davyd McColl > wrote: > >> > >> Hi all, I've never done this before, so bear with me if I fluff it: > >> > >> This is a proposed vote to release log4net 2.0.9 from PR > https://github.com/apache/logging-log4net/pull/61 > >> > >> Release artifacts (including source zip) are at: > > https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts > >> Source can be checked out from > https://github.com/fluffynuts/logging-log4net/logging-log4net, tag > rel/ > 2.0.9. I can't push tags to the upstream, but this tag is exactly the > same commit as the last in the PR mentioned above, which was > accepted into > master a few days ago. > >> > >> Please check out the artifacts & if everyone is ok with what's > >> there, > please can someone with the rights to publish to nuget do so. > >> > >> Once I've seen how this process works, I'd like to tackle the CVE > >> that > has been brought up on this list more than once -- it's a simple > change > which was already committed to the develop branch some time ago, so > there > are a couple of options here: > >> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only > that change > >> 2. trawl the develop branch to see what else was already solved in > there, and get that out as 2.0.10, and perhaps close out that branch > to > avoid future confusion. > >> > >> Thanks for your time > >> -d > > > > > > > -- > Matt Sicker > > >> > >> > > > > > > -- > > Matt Sicker > > > >
Re: [VOTE] [log4xx] Release log4cxx 0.11.0
I noticed that the files have she and md5 files. We are not supposed to use either of these any more and only use sha512. I can fix that. I vote +1 Ralph > On Aug 9, 2020, at 10:24 AM, Robert Middleton wrote: > > I've run through the release of log4cxx 0.11.0. There's still something > strange about how it all works(mostly due to the tooling of shell > script/maven/ant/cmake/autotools). However, I do believe that I have a > workable release at this point. A quick note on the release: I did the > 'mvn release:prepare' manually, which is where these artifacts come from; > running through the 'mvn release:perform' causes the generated files to be > -SNAPSHOT versioned, instead of 0.11.0. This means that the version of the > pom.xml in the tag is still 0.11.0-SNAPSHOT, but since maven isn't really > used to build I don't think this will be an issue. > > Artifacts uploaded here: > https://dist.apache.org/repos/dist/dev/logging/log4cxx/ > tag: https://github.com/apache/logging-log4cxx/tree/v0.11.0-RC2 > > The artifacts are signed, although I still need to send my key to Matt so > he can import it into the logging KEYS file. > > -Robert Middleton
