Posted to dev@reef.apache.org by Markus Weimer <ma...@weimo.de> on 2015/05/13 17:59:14 UTC

Simplify our source releases: .zip, .zip.asc and .zip.sha512

Hi,

our release process has proven to be quite brittle in the presence of
both Windows and UNIX systems. Maybe we can simplify it:

One complication stems from using tar for the source archive. Tar keeps
the permissions, and they don't make much sense on an ACL system like
Windows. We could use ZIP instead, a much simpler format which does not
include any permissions. Other projects release ZIPs (e.g. Subversion
does), and it is widely available on all platforms. It even ships with
Windows and OSX.

Checksums were another source of complication. For one, I'd suggest
dropping MD5, which was cracked a while ago anyhow. Again, Subversion
could be the model as they only publish the SHA of their releases. SHAs
can also be computed by GPG[0], which we need in the process anyhow.

With these two changes, ZIP and dropping MD5, release managers only need
to install one tool not already on their machine: GPG. Further, it would
simplify the validation of releases greatly.

What do you think? I haven't found this approach to contradict the
incubator release guide[1]. Hence, I assume we'd be OK to do it?

Markus

[0]: http://www.apache.org/dev/release-signing.html#sign-release
[1]: http://incubator.apache.org/guides/releasemanagement.html

RE: Simplify our source releases: .zip, .zip.asc and .zip.sha512

Posted by "Julia Wang (QIUHE)" <Qi...@microsoft.com>.
I tried to create zip, asc, sha1 and sha512 files. Verification works fine locally.

The interesting thing is that after I upload the files to the web server and try to download the sha512 file, the file type becomes a zip file. The file content is still correct if I open it with Notepad. The uploaded files are at https://dist.apache.org/repos/dist/dev/incubator/reef/0.11.0-incubating/zip/. You can play around to see if there are any other issues.

For the 0.11.0 release, I would still stay with the tar file.

Thanks,
Julia
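The local verification step Julia describes, as an added example that is not part of this thread or of REEF's release tooling: it checks a .zip.sha512 against the archive's bytes, accepting both the `sha512sum` layout and the grouped, wrapped layout that `gpg --print-md SHA512` (the GPG route Markus mentions) produces, and reports a single flipped byte as a failure. The archive name and the wrapped layout are constructed here; verifying the .asc signature still needs `gpg --verify` and is not covered.

```python
import hashlib, re, tempfile, zipfile
from pathlib import Path

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]+$")

def sha512_of_file(path):
    """Stream the archive through SHA-512 (release zips can be large)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha512_file(text, archive_name):
    """Digest from either `sha512sum` output ("<hex>  name") or `gpg --print-md
    SHA512` output ("name: AAAA BBBB ...", wrapped). None unless 128 hex digits."""
    skip = {archive_name, archive_name + ":", "*" + archive_name}
    parts = [t for t in text.split() if t not in skip and HEX_TOKEN.match(t)]
    digest = "".join(parts).lower()
    return digest if len(digest) == 128 else None

def verify_sha512(archive, checksum_file):
    """True only if the published digest matches the archive's actual bytes."""
    archive = Path(archive)
    published = parse_sha512_file(Path(checksum_file).read_text(), archive.name)
    return published is not None and published == sha512_of_file(archive)

def gpg_style_checksum(archive):
    """Constructed .sha512 text in the grouped, wrapped layout of gpg --print-md."""
    archive = Path(archive)
    groups = [sha512_of_file(archive).upper()[i:i + 4] for i in range(0, 128, 4)]
    lines = [" ".join(groups[i:i + 16]) for i in range(0, 32, 16)]
    return archive.name + ": " + ("\n" + " " * (len(archive.name) + 2)).join(lines) + "\n"

def demo():
    """Build a constructed release zip, verify its .sha512, then flip one byte
    of the archive and confirm the mismatch is caught."""
    with tempfile.TemporaryDirectory() as d:
        zip_path = Path(d) / "reef-0.11.0-incubating.zip"  # name from the thread
        with zipfile.ZipFile(zip_path, "w") as z:
            z.writestr("README", "constructed sample release\n")
        sha_file = zip_path.with_name(zip_path.name + ".sha512")
        sha_file.write_text(gpg_style_checksum(zip_path))
        intact = verify_sha512(zip_path, sha_file)
        data = bytearray(zip_path.read_bytes())
        data[-1] ^= 0x01  # simulate a corrupted or tampered download
        zip_path.write_bytes(data)
        return {"intact": intact, "tampered": verify_sha512(zip_path, sha_file)}
```

Because the parser only looks at the text, it does not matter what content type the web server attaches to the .sha512 download, which is the symptom Julia saw.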
