[jira] [Created] (XMLBEANS-558) Download page gpg example needs second parameter

[Sebb (Jira)]

Sebb created XMLBEANS-558:
-

 Summary:  Download page gpg example needs second parameter
 Key: XMLBEANS-558
 URL: https://issues.apache.org/jira/browse/XMLBEANS-558
 Project: XMLBeans
  Issue Type: Bug
Reporter: Sebb


It is important that the file being checked is also specified [1] on the gpg 
command line [2]

If the second paramater is omitted, gpg can report success without actually 
checking the main artifact. This should not happen on correctly constructed ASF 
downloads, as we only provide detached sigs, but we should not be documenting 
bad practise.

Note: the first example is correct, but the sample verification sequence omits 
the second parameter in:

gpg --verify xmlbeans-bin-3.1.0.tgz.asc

[1] https://www.apache.org/info/verification.html#specify_both
[2] https://xmlbeans.apache.org/download/



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

Re: Announcement wasn't accepted

[sebb]

I don't think the download directory locations are a problem.

However the download page has several problems:

https://xmlbeans.apache.org/sourceAndBinaries/

- no links to KEYS, sigs, hashes or even release artifacts.
- should not link to unreleased code (ie. no links to SVN)

Have a look at http://cxf.apache.org/download.html for a possible layout
with all the required information.
There are lots of others.


On 4 July 2018 at 22:24, Andreas Beeker  wrote:

> FYI ... the announcement wasn't accepted, see below comments.
>
> so it looks like, I need to move the files to the location I originally
> intended.
>
> Andi
>
>
>  Forwarded Message 
> Subject: Returned post for annou...@apache.org
> Date: 4 Jul 2018 21:15:34 -
> From: announce-ow...@apache.org
> To: kiwiwi...@apache.org
>
>
> Hi! This is the ezmlm program. I'm managing the
> annou...@apache.org mailing list.
>
> I'm sorry, your message (enclosed) was not accepted by the moderator.
> If the moderator has made any comments, they are shown below.
>
>  >
>
> Announcements of Apache project releases must contain a link to the
> relevant
> download page, which might be hosted on an Apache site or a third party
> site
> such as github.com. [1]
>
> The download page must provide public download links where current official
> source releases and accompanying cryptographic files may be obtained. [2]
>
> Links to the download artifacts must support downloads from mirrors. Links
> to
> metadata (SHA, ASC) must be from https://www.apache.org/dist/ roject>/
> MD5 is no longer considered useful and should not be used. SHA is required.
> Links to KEYS must be from https://www.apache.org/dist// not
> release
> specific.
>
> Announcements that contain a link to the dyn/closer page alone will be
> rejected by the moderators.
>
> Announcements that contain a link to a web page that does not include a
> link
> to a mirror to the artifact plus links to the signature and at least one
> sha
> checksum will be rejected.
>
> Announcements that link to dist.apache.org will not be accepted.
> Likewise ones which link to SVN or Git code repos.
>
> [1] http://www.apache.org/legal/release-policy.html#release-announcements
> [2] https://www.apache.org/dev/release-distribution#download-links
>
> <  <
>
>
>

Re: XMLBeans 3.0.0 release vote

[sebb]

On 22 June 2018 at 21:49, Andreas Beeker  wrote:
> I've just realized, that you've done the changes to the github mirror.
> In the context of POI, I'm looking at github only as a source for patches, 
> but not as our project repo.
> So I try to integrate your changes locally and then to the svn repo ...

Huh?
If GitHub is set up as a proper mirror, it should not differ from the
project repo.

There should be only one master repo which holds all changes.
If that is not the case, it seems to me that something has gone badly wrong.

> Andi
>
> On 6/22/18 10:35 PM, Andreas Beeker wrote:
>> Before I vote, I'd like to see the XmlBeans 3.0.0 RC version in our POI build
>> and although you've removed and then reverted it, it would be nice, if
>> we don't need to do the piccolo modifications.
>>
>> So it looks like I need to do those modifications locally and find out why
>> the piccolo stuff makes problems ...
>>
>> Andi
>>
>>
>
>

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

Re: Non-maintainer upload of bugfixes for the XMLBeans library in the Attic

[sebb]

On 7 November 2017 at 07:20, jan iversen  wrote:
>
>
> Sent from my iPad
>
>> On 6 Nov 2017, at 21:47, Dominik Stadler  wrote:
>>
>> Hi,
>>
>> The Apache XMLBeans library was moved to the Attic a few years ago
>> (05/2014), however Apache POI still uses the library as it's core XML
>> binding framework.
>>
>> While the Apache POI PMC and the development community is already
>> discussing possible replacements for some time, use of XMLBeans is still
>> deeply rooted and thus hard to replace quickly.
>>
>> Over time, we discovered a few grave bugs in XMLBeans which lead to
>> bug-reports that we cannot fix ourselves.
>>
>> Therefore we would like to start discussion about an NMU of XMLBeans to get
>> a fix for the most pressing issues.
>>
>> See https://bz.apache.org/bugzilla/show_bug.cgi?id=59268 for the full
>> discussion,and https://github.com/pjfanning/xmlbeans for a fork with
>> initial bugfixes.
>>
>> Among others, we would like to fix the following, changes for these are
>> already applied and verified in the github fork:
>> * the official XMLBeans-JAR contains duplicate classes, making it
>> impossible to use it on Android as the Android build fails due to this
>> * cannot use Unicode surogates, thus affecting use of Apache POI in
>> non-latin-script areas
>> * Remove W3C and JAVAX classes which are not needed any more since Java 6
>> (current Apache POI development is on Java 8)
>>
>>
>> So is there a precedent for something like this? What steps do we need to
>> make to get an updated version of XMLBeans published?
>
> Others might have examples of how it was done in the past. Making a fork on 
> e.g. github with a new non-apache name is the simplest way.
>
> However if I understand it correct your intention is only to maintain 
> XMLbeans for the benefit of POI. That gives you (as I see it) another option, 
> you can include the source code in your project and do the patches as part of 
> your project.

I think it would need to be in a different package to avoid possible
confusion with the original.
And it should be obvious that it is not intended for external use.

e.g. org.apache.poi.internal.xmlbeans

> rgds
> jan i
>>
>>
>> Thanks... Dominik
>>
>> On behalf of the Apache POI PMC
>>
>>
>> About Apache POI
>> ---
>>
>> Apache POI is well-known in the Java field as a library for reading and
>> writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
>> Visio, Publisher and Outlook. It supports both the older (OLE2) and
>> new (OOXML - Office Open XML) formats.
>>
>> See https://poi.apache.org/ for more details

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

Re: Apache POI 3.15 released

[sebb]

What is the project about? Why should I be interested in it?
[rhetorical questions]

The Announce emails are sent to people not on the developer or user lists.
Most will have no idea what the project is about.

So the e-mails should contain at least brief details of what the
product does, and some info on why the new release might be of
interest to them.

Readers should not have to click the link to find out the basic information
(although of course it is useful to have such links for further detail).

Please can you add that information to future announce mails?

Thanks.

On 21 September 2016 at 23:32, David North  wrote:
> The Apache POI PMC are pleased to announce the release of Apache POI 3.15.
>
> For details of changes in this release, refer to the release notes:
>
> https://www.apache.org/dyn/closer.lua/poi/release/RELEASE-NOTES.txt
>
> Thank you to all our contributors for making this release possible.
>
> Some of us will be at ApacheCon Europe in Seville later in the year; do
> find us there if you have input and suggestions.
>
> On behalf of the Apache POI PMC,
>
> David North

-
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org