Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
Hi, As I understood, the Vote should be cancelled as only Musachy gave positive answer. I'm not a PMC so my vote doesn't cunt at the end. Am I right? Or should I wait? Regards -- Lukasz http://www.lenart.org.pl/ - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
On Tue, Jan 5, 2010 at 4:57 AM, Lukasz Lenart wrote: > As I understood, the Vote should be cancelled as only Musachy gave > positive answer. I'm not a PMC so my vote doesn't count at the end. Am > I right? Or should I wait? I just re-checked and there are still no .asc signature files in the staging repo, so this cannot be released as-is. If you can provide the signatures [1], you can keep the vote open and collect the other two votes from PMC members. Otherwise, it's probably far easier to clear out the staging repo, figure out what went wrong with signatures during the release, and try again with 2.1.8.2 (or whatever version makes sense.) [1] from files that have not been out of your control -- if you would have to download the jars and poms now to sign them, that's really not recommended. -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
2010/1/5 Wendy Smoak : > I just re-checked and there are still no .asc signature files in the > staging repo, so this cannot be released as-is. I found the problem - .asc files were only generated for struts2-archetype-plugin and struts2-archetype-starter. The reset is missing below entry in pom.xml - I have no idea how it was before released :D Nevertheless, is it possible to generate only .asc files? release org.apache.maven.plugins maven-gpg-plugin sign-artifacts verify sign Regards -- Lukasz http://www.lenart.org.pl/ http://javarsovia.pl - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
On Tue, Jan 5, 2010 at 1:06 PM, Lukasz Lenart wrote: > 2010/1/5 Wendy Smoak : >> I just re-checked and there are still no .asc signature files in the >> staging repo, so this cannot be released as-is. > > I found the problem - .asc files were only generated for > struts2-archetype-plugin and struts2-archetype-starter. The reset is > missing below entry in pom.xml - I have no idea how it was before > released :D > > Nevertheless, is it possible to generate only .asc files? I've never tried to do it after the fact with the plugin, I'm not sure what would happen. If you still have the jars and poms from the release on a secure machine, and you know they have not been out of your control, then you can sign them manually and upload only the .asc files to the repo. To sign a single file, it's $ gpg --armor --output foo.tar.gz.asc --detach-sig foo.tar.gz That's from http://wiki.wsmoak.net/cgi-bin/wiki.pl?ReleaseSigning . I had it scripted at one point to sign a sub-tree of the local repo. It's probably somewhere on my wiki. Only the artifacts, in this case the the .jar and .pom files, need to be signed. The gpg plugin goes overboard and signs the checksums, which is not necessary. If you have cleared your local repo since the release, or would otherwise have to download the jars and poms from somewhere else, then you shouldn't sign them because you don't know what's happened to the files since they were created. -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
you can download the files from the repo and sign it/generate checksums..but!..this happened before and there was a long discussion over if it was right or not and so on. You can either: 1. sign the files/generate checksums locally and upload them 2. do the release again I'd say #1, considering how few people we have to test a new release, and it takes a while to test (yeah I went and generated a project one by one and ran it in jetty) musachy On Tue, Jan 5, 2010 at 12:06 PM, Lukasz Lenart wrote: > 2010/1/5 Wendy Smoak : >> I just re-checked and there are still no .asc signature files in the >> staging repo, so this cannot be released as-is. > > I found the problem - .asc files were only generated for > struts2-archetype-plugin and struts2-archetype-starter. The reset is > missing below entry in pom.xml - I have no idea how it was before > released :D > > Nevertheless, is it possible to generate only .asc files? > > > > release > > > > org.apache.maven.plugins > maven-gpg-plugin > > > sign-artifacts > verify > > sign > > > > > > > > > > > > Regards > -- > Lukasz > http://www.lenart.org.pl/ > http://javarsovia.pl > > - > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > > - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
On Tue, Jan 5, 2010 at 12:18 PM, Musachy Barroso wrote: > you can download the files from the repo and sign it/generate > checksums..but!..this happened before and there was a long discussion > over if it was right or not and so on. Do not do this. If you download the files, you have no way of knowing if they are the same ones you put there. They could have been corrupted, deliberately or otherwise, in the interim, and without signatures you cannot verify what you have (which is why we want the signatures in the first place). When you then sign those downloaded files, you could be signing anything. Think of it as signing a blank check and then giving that check to a stranger. Not something you want to be doing. -- Martin Cooper > You can either: > > 1. sign the files/generate checksums locally and upload them > 2. do the release again > > I'd say #1, considering how few people we have to test a new release, > and it takes a while to test (yeah I went and generated a project one > by one and ran it in jetty) > > musachy > > On Tue, Jan 5, 2010 at 12:06 PM, Lukasz Lenart > wrote: >> 2010/1/5 Wendy Smoak : >>> I just re-checked and there are still no .asc signature files in the >>> staging repo, so this cannot be released as-is. >> >> I found the problem - .asc files were only generated for >> struts2-archetype-plugin and struts2-archetype-starter. The reset is >> missing below entry in pom.xml - I have no idea how it was before >> released :D >> >> Nevertheless, is it possible to generate only .asc files? >> >> >> >> release >> >> >> >> org.apache.maven.plugins >> maven-gpg-plugin >> >> >> sign-artifacts >> verify >> >> sign >> >> >> >> >> >> >> >> >> >> >> >> Regards >> -- >> Lukasz >> http://www.lenart.org.pl/ >> http://javarsovia.pl >> >> - >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org >> For additional commands, e-mail: dev-h...@struts.apache.org >> >> > > - > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > > - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
2010/1/5 Martin Cooper : > Do not do this. If you download the files, you have no way of knowing > if they are the same ones you put there. They could have been > corrupted, deliberately or otherwise, in the interim, and without > signatures you cannot verify what you have (which is why we want the > signatures in the first place). When you then sign those downloaded > files, you could be signing anything. Think of it as signing a blank > check and then giving that check to a stranger. Not something you want > to be doing. I still have copy of those files, so I don't have to download them. I will sign them, generate hashes and upload to repo. Regards -- Lukasz http://www.lenart.org.pl/ http://javarsovia.pl - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
On Tue, Jan 5, 2010 at 3:43 PM, Martin Cooper wrote: [snip] > ... If you download the files, you have no way of knowing > if they are the same ones you put there... No way of knowing... except the checksums :) -Wes -- Wes Wannemacher Head Engineer, WanTii, Inc. Need Training? Struts, Spring, Maven, Tomcat... Ask me for a quote! - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
On Tue, Jan 5, 2010 at 12:53 PM, Wes Wannemacher wrote: > On Tue, Jan 5, 2010 at 3:43 PM, Martin Cooper wrote: > [snip] >> ... If you download the files, you have no way of knowing >> if they are the same ones you put there... > > No way of knowing... except the checksums :) You mean the checksums that you download from the same potentially-corrupted server? Good plan! :-p Anyway, good that Lukasz still has the original files. -- Martin Cooper > -Wes > > -- > Wes Wannemacher > > Head Engineer, WanTii, Inc. > Need Training? Struts, Spring, Maven, Tomcat... > Ask me for a quote! > > - > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > > - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
On Tue, Jan 5, 2010 at 3:57 PM, Martin Cooper wrote: > > You mean the checksums that you download from the same > potentially-corrupted server? Good plan! :-p > No, I mean the checksums sitting on your own hard drive right next to the rest of the files generated during the release process. I guess I am assuming that he didn't delete the folder where he did the release. If the checksums match his jars, and the checksums on the server, it is improbable that the jars are compromised. -Wes -- Wes Wannemacher Head Engineer, WanTii, Inc. Need Training? Struts, Spring, Maven, Tomcat... Ask me for a quote! - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: [VOTE] Release Struts 2 Maven Archetypes v2.1.8.1
Wendy Could you check struts2-archetype-portlet? http://people.apache.org/builds/struts/2.1.8.1/m2-staging-repository/org/apache/struts/struts2-archetype-portlet/2.1.8.1/ Thanks in advance -- Lukasz http://www.lenart.org.pl/ http://javarsovia.pl - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
Re: XWork has landed!
2009/12/28 Paul Benedict : > My fault for not being clear. I was intending to say XWork should be a > "child module" (in the Maven sense) so it's actually part of Struts2 > build and versioning process. Any news? I would like to start some refactoring in Xwork and it will be nice to know where we are ;-) Regards -- Lukasz http://www.lenart.org.pl/ http://javarsovia.pl - To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
