Posted to jdo-dev@db.apache.org by Craig Russell <ap...@gmail.com> on 2021/11/05 15:14:14 UTC
Naming of release candidates
Hi,
I'm afraid I got this wrong. Let's discuss.
The purpose of -rc1 is to allow for multiple iterations of a release, so if changes are made, people know what it is they are voting for. So the file name should change if a new release candidate is made.
But once a successful vote is complete, there should not be another vote. So only the file name should change.
But we have put the -rc1 into the bits. I think that is wrong, and we should put 3.2 into the bits and add -rc1 to the file name. Once a vote is successful, publish the result with a different file name, not different bits.
Craig
Craig L Russell
clr@apache.org
Re: Naming of release candidates
Posted by Tilmann <ti...@gmx.de>.
Hi,
I have some more questions before putting out an RC2.
I played around with SHA512 signing and found the following happening
consistently:
- the "sources-release" gets signed with SHA512. However, all files
(including the .sha512 file!) are signed again with sha1. I don't know
where this happens, the mvn output log only shows signing and uploading
of the SHA512 signed files.
- the "src" files are only ever signed with SHA1.
See:
https://repository.apache.org/content/repositories/snapshots/org/apache/jdo/3.2-RC2-SNAPSHOT/
https://repository.apache.org/content/repositories/snapshots/javax/jdo/jdo-api/3.2-RC2-SNAPSHOT/
However, there are some interesting statements in the Apache doc
(https://infra.apache.org/publishing-maven-artifacts.html), specifically
section 3:
a) "Don't try to publish .sha256 or .sha512 files; Nexus doesn't
handle them."
a.1) Does this mean that it is alright/intended that everything is
(also) signed with sha1, i.e. because Nexus will only accept sha1?
a.2) Is it okay to sign only the "sources-release" with sha512?
The example in https://maven.apache.org/pom/asf/ refers only
to signing the "source-release" file.
b) "Remove .md5s in dist.apache.org/repos/dist/release/ manually."
b.1) Does this mean it is okay to have more files than necessary uploaded,
because we can/should remove them afterwards?
For example, we could also manually remove the signed
signature files, such as
jdo-3.2-RC2-20211107.210811-3-source-release.zip.sha512.sha1
<https://repository.apache.org/content/repositories/snapshots/org/apache/jdo/3.2-RC2-SNAPSHOT/jdo-3.2-RC2-20211107.210811-3-source-release.zip.sha512.sha1>
Best,
Til