Posted to jdo-dev@db.apache.org by Craig Russell <ap...@gmail.com> on 2021/11/05 15:14:14 UTC

Naming of release candidates

Hi,

I'm afraid I got this wrong. Let's discuss.

The purpose of -rc1 is to allow for multiple iterations of a release, so if changes are made, people know what it is they are voting for. So the file name should change if a new release candidate is made.

But once a successful vote is complete, there should not be another vote. So only the file name should change.

But we have put the -rc1 into the bits. I think that is wrong, and we should put 3.2 into the bits and add -rc1 to the file name. Once a vote is successful, publish the result with a different file name, not different bits.

Craig

Craig L Russell
clr@apache.org


Re: Naming of release candidates

Posted by Tilmann <ti...@gmx.de>.
Hi,

I have some more questions before putting out an RC2.

I played around with SHA512 signing and found the following happening
consistently:

- the "sources-release" gets signed with SHA512. However, all files
(including the .sha512 file!) are signed again with sha1. I don't know
where this happens, the mvn output log only shows signing and uploading
of the SHA512 signed files.
- the "src" files are only ever signed with SHA1.

See:
https://repository.apache.org/content/repositories/snapshots/org/apache/jdo/3.2-RC2-SNAPSHOT/
https://repository.apache.org/content/repositories/snapshots/javax/jdo/jdo-api/3.2-RC2-SNAPSHOT/


However, there are some interesting statements in the Apache doc
(https://infra.apache.org/publishing-maven-artifacts.html), specifically
section 3:

a) "Don't try to publish .sha256 or .sha512 files; Nexus doesn't
handle them."
    a.1) Does this mean that it is alright/intended that everything is
(also) signed with sha1, i.e. because Nexus will only accept sha1?
    a.2) Is it okay to sign only the "sources-release" with sha512?
            The example in https://maven.apache.org/pom/asf/ refers only
to signing the "source-release" file.

b) "Remove .md5s in dist.apache.org/repos/dist/release/ manually."
    b.1) Does this mean it is okay to have more files than necessary uploaded
because we can/should remove them afterwards?
          For example, we could also manually remove the signed
signature files, such as
jdo-3.2-RC2-20211107.210811-3-source-release.zip.sha512.sha1
<https://repository.apache.org/content/repositories/snapshots/org/apache/jdo/3.2-RC2-SNAPSHOT/jdo-3.2-RC2-20211107.210811-3-source-release.zip.sha512.sha1>

Best,
Til
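As an added example (not from this thread, and not the JDO project's or Apache's release tooling): a small POSIX shell verifier that checks a downloaded artifact against its .sha512 sidecar, accepting both a bare hex digest and the "digest  filename" line that sha512sum writes, plus a helper that lists the stray checksum-of-checksum files (such as the .sha512.sha1 file mentioned above), which say nothing about the artifact itself. The function names are assumptions.

```shell
#!/bin/sh
# verify_sidecar.sh: check a release artifact against its .sha512 sidecar.
# Added example; not part of the JDO thread or of any Apache tooling.

# Print the SHA-512 hex digest of $1, using whichever tool the host has
# (sha512sum from coreutils, or shasum on BSD/macOS).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# verify_sidecar ARTIFACT [SIDECAR]
# Returns 0 when the digest in SIDECAR (default: ARTIFACT.sha512) matches
# the artifact, 1 on mismatch, 2 when the sidecar is missing or malformed.
verify_sidecar() {
  artifact=$1
  sidecar=${2:-$1.sha512}
  [ -f "$sidecar" ] || { echo "missing sidecar: $sidecar" >&2; return 2; }
  # First whitespace-separated token of the first line, lower-cased, CR stripped.
  expected=$(awk 'NR==1{print tolower($1)}' "$sidecar" | tr -d '\r')
  case "$expected" in
    ""|*[!0-9a-f]*) echo "malformed sidecar: $sidecar" >&2; return 2 ;;
  esac
  # A SHA-512 digest is 64 bytes, i.e. 128 hex characters.
  [ "${#expected}" -eq 128 ] || { echo "malformed sidecar: $sidecar" >&2; return 2; }
  actual=$(sha512_of "$artifact")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $artifact"
    return 0
  fi
  echo "FAIL $artifact (expected $expected, got $actual)" >&2
  return 1
}

# List sidecars-of-sidecars under directory $1, e.g. *.sha512.sha1 or
# *.sha512.md5: they checksum the checksum file, not the release bits.
list_stray_sidecars() {
  find "$1" -type f \( -name '*.sha512.sha1' -o -name '*.sha512.md5' \)
}
```

Run it against a downloaded staging directory as `verify_sidecar path/to/jdo-3.2-source-release.zip` and `list_stray_sidecars path/to/dir`.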