Re: repository.apache.org, gpg signatures and site:attach-descriptor
What I saw is some of those staged artifacts were missing signatures. Nexus works correctly, it only complained the missing ones, not all. On Wed, Jan 13, 2010 at 2:32 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: 2010/1/13 Brian Fox bri...@infinity.nu: We should definitely fix this, both in the GPG and in Nexus. Currently it expects all files to be signed and this is the first one we've come across that wasn't signed. I'll disable the rule now until it's sorted out and close the repo for you. Stephen, what ended up being the fix for the rest of the sigs? This morning it was complaining about all the sigs. I'm not sure, you'd need to ask Juven. On Tue, Jan 12, 2010 at 5:53 PM, Wendy Smoak wsm...@gmail.com wrote: On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- - juven
repository.apache.org, gpg signatures and site:attach-descriptor
For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
The root cause seems to be that m-gpg-p does not consider that project.artifact may have multiple entries (specifically the site metadata) We can argue that the site needs to be decoupled from releasing, but as the site descriptor is one of the artifacts of a project (as opposed to the site) then the site descriptor needs to be pushed to the repo too... therefore m-site-p is correct to attach it (but possibly incorrect attaching it directly to project.artifact) In any case MGPG-19 reflects this crazy model of attaching artifacts to a project because m-gpg-p does not look in this (frankly unknown to me) other way of attaching an artifact. If we are to fix this it will require re-deploying all the parents after deploying a new m-gpg-p... all of which I suspect will require turning off gpg validation on r.a.o first -Stephen 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
You can use 3.x, I removed the site stuff from the lifecycle :-) On 2010-01-12, at 12:42 PM, Stephen Connolly wrote: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Why is the site descriptor being generated for surefire? The shade release two weeks ago didn't generate a site file: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-shade-plugin/1.3/ and neither did the patch plugin: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-patch- plugin/1.1.1/ Dan On Tue January 12 2010 12:51:55 pm Stephen Connolly wrote: The root cause seems to be that m-gpg-p does not consider that project.artifact may have multiple entries (specifically the site metadata) We can argue that the site needs to be decoupled from releasing, but as the site descriptor is one of the artifacts of a project (as opposed to the site) then the site descriptor needs to be pushed to the repo too... therefore m-site-p is correct to attach it (but possibly incorrect attaching it directly to project.artifact) In any case MGPG-19 reflects this crazy model of attaching artifacts to a project because m-gpg-p does not look in this (frankly unknown to me) other way of attaching an artifact. If we are to fix this it will require re-deploying all the parents after deploying a new m-gpg-p... all of which I suspect will require turning off gpg validation on r.a.o first -Stephen 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Then project site generation will be borked (even more than usual) I've no issues using 3.0-SNAPSHOT 2010/1/12 Jason van Zyl ja...@sonatype.com: You can use 3.x, I removed the site stuff from the lifecycle :-) On 2010-01-12, at 12:42 PM, Stephen Connolly wrote: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Look at the POM lifecycle. The site stuff is wedged in there. I removed this in 3.x. http://svn.apache.org/repos/asf/maven/maven-2/tags/maven-2.2.0/maven-core/src/main/resources/META-INF/plexus/components.xml On 2010-01-12, at 12:59 PM, Daniel Kulp wrote: Why is the site descriptor being generated for surefire? The shade release two weeks ago didn't generate a site file: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-shade-plugin/1.3/ and neither did the patch plugin: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-patch- plugin/1.1.1/ Dan On Tue January 12 2010 12:51:55 pm Stephen Connolly wrote: The root cause seems to be that m-gpg-p does not consider that project.artifact may have multiple entries (specifically the site metadata) We can argue that the site needs to be decoupled from releasing, but as the site descriptor is one of the artifacts of a project (as opposed to the site) then the site descriptor needs to be pushed to the repo too... therefore m-site-p is correct to attach it (but possibly incorrect attaching it directly to project.artifact) In any case MGPG-19 reflects this crazy model of attaching artifacts to a project because m-gpg-p does not look in this (frankly unknown to me) other way of attaching an artifact. If we are to fix this it will require re-deploying all the parents after deploying a new m-gpg-p... all of which I suspect will require turning off gpg validation on r.a.o first -Stephen 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Jason van Zyl wrote: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. That might be so, but the site descriptor is needed for (site) inheritance reasons and therefor needs to be deployed to the repo. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Dennis Lundberg - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
On 13/01/2010, at 4:59 AM, Daniel Kulp wrote: Why is the site descriptor being generated for surefire? Because it has an inherited site descriptor to share across the subprojects: http://svn.apache.org/viewvc/maven/surefire/tags/surefire-2.5/src/site/site.xml?view=log For Stephen to work around this, he could remove that from target/checkout and then run release:perform again (And put it back for site deployment). We should look into why GPG isn't going the right thing regardless, otherwise it may affect other projects (in which case, Brian may need to implemented some exclusion rule for site descriptors on the check). - Brett -- Brett Porter br...@apache.org http://brettporter.wordpress.com/ - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: site descriptor and the lifecycle (was: repository.apache.org, gpg signatures and site:attach-descriptor)
On 13/01/2010, at 7:53 AM, Dennis Lundberg wrote: Jason van Zyl wrote: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. That might be so, but the site descriptor is needed for (site) inheritance reasons and therefor needs to be deployed to the repo. Yep, that's right. It's not actually coupled to the release, it is coupled to the POM lifecycle. I agree with Jason that that isn't the best, so probably in 3.0 that goal needs to be added to your POM by hand when you have a site descriptor to deploy (or the site plugin might change how it does things in some other way). I don't agree with the statement release and the documentation that goes along with it are completely separate, as I find that a useful way to work in general, and it is fundamental to publishing things like Javadoc and JXR, however it isn't really relevant to this problem as you've said. - Brett -- Brett Porter br...@apache.org http://brettporter.wordpress.com/ - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: site descriptor and the lifecycle (was: repository.apache.org, gpg signatures and site:attach-descriptor)
On 2010-01-12, at 5:52 PM, Brett Porter wrote: On 13/01/2010, at 7:53 AM, Dennis Lundberg wrote: Jason van Zyl wrote: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. That might be so, but the site descriptor is needed for (site) inheritance reasons and therefor needs to be deployed to the repo. Yep, that's right. No. It doesn't. I'm not planning on using the site plugin or Maven 3 and no one should have this stuff baked in by default. So now we can't use PGP validation because the site descriptor doesn't work which has nothing to do with trying to get the build deployed. It's not actually coupled to the release, it is coupled to the POM lifecycle. I agree with Jason that that isn't the best, so probably in 3.0 that goal needs to be added to your POM by hand when you have a site descriptor to deploy (or the site plugin might change how it does things in some other way). I don't agree with the statement release and the documentation that goes along with it are completely separate, as I find that a useful way to work in general, and it is fundamental to publishing things like Javadoc and JXR, however it isn't really relevant to this problem as you've said. I'll qualify that and say completely separate actions. In many cases documentation is not necessarily generated by Maven. Another process may tie these things together but it should not happen in the build. - Brett -- Brett Porter br...@apache.org http://brettporter.wordpress.com/ - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
We should definitely fix this, both in the GPG and in Nexus. Currently it expects all files to be signed and this is the first one we've come across that wasn't signed. I'll disable the rule now until it's sorted out and close the repo for you. Stephen, what ended up being the fix for the rest of the sigs? This morning it was complaining about all the sigs. On Tue, Jan 12, 2010 at 5:53 PM, Wendy Smoak wsm...@gmail.com wrote: On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: site descriptor and the lifecycle (was: repository.apache.org, gpg signatures and site:attach-descriptor)
On 13/01/2010, at 1:23 PM, Jason van Zyl wrote: On 2010-01-12, at 5:52 PM, Brett Porter wrote: On 13/01/2010, at 7:53 AM, Dennis Lundberg wrote: Jason van Zyl wrote: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. That might be so, but the site descriptor is needed for (site) inheritance reasons and therefor needs to be deployed to the repo. Yep, that's right. No. It doesn't. I'm not planning on using the site plugin or Maven 3 and no one should have this stuff baked in by default. So now we can't use PGP validation because the site descriptor doesn't work which has nothing to do with trying to get the build deployed. I think we've crossed the streams - Dennis is talking about about how it works today, with Maven 2.2.1 - something needs to be fixed for that. It looks like this was a bug in the way the site descriptor was attached (otherwise it could have affected other use cases you might consider more legitimate :) As for Maven 3, I already agreed with you on decoupling it by default. It's not actually coupled to the release, it is coupled to the POM lifecycle. I agree with Jason that that isn't the best, so probably in 3.0 that goal needs to be added to your POM by hand when you have a site descriptor to deploy (or the site plugin might change how it does things in some other way). I don't agree with the statement release and the documentation that goes along with it are completely separate, as I find that a useful way to work in general, and it is fundamental to publishing things like Javadoc and JXR, however it isn't really relevant to this problem as you've said. I'll qualify that and say completely separate actions. In many cases documentation is not necessarily generated by Maven. Another process may tie these things together but it should not happen in the build. Sure... by default. Flipping to user mode - I would still like to use Maven to tie those things together, and in the instance where the documentation is generated by a Maven plugin (whether it be the site, dependency pulling docs from a repository, docbook, whatever), I'd like to retain the ability to have that in a single versioned build. Having them as some kind of sub-build where each is a separate action but you can still tie it all together is a possible alternative to the lifecycle interweaving mess. But this is way off in the future stuff - as long as Maven 3 can still do what I do today in some way it's all good. - Brett -- Brett Porter br...@apache.org http://brettporter.wordpress.com/ - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
2010/1/13 Brian Fox bri...@infinity.nu: We should definitely fix this, both in the GPG and in Nexus. Currently it expects all files to be signed and this is the first one we've come across that wasn't signed. I'll disable the rule now until it's sorted out and close the repo for you. Stephen, what ended up being the fix for the rest of the sigs? This morning it was complaining about all the sigs. I'm not sure, you'd need to ask Juven. On Tue, Jan 12, 2010 at 5:53 PM, Wendy Smoak wsm...@gmail.com wrote: On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org