You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Jeremy Boynes <jb...@apache.org> on 2013/11/10 00:56:14 UTC

[VOTE] Release Apache Tomcat Standard Taglib 1.2.0

I'd like to release Apache Tomcat Standard Taglib 1.2.0.

This would be the first release in many years, and the first release of an implementation of JSTL 1.2.

Maven Staging Repository:
https://repository.apache.org/content/repositories/orgapachetomcat-110

Source Distribution:
https://repository.apache.org/content/repositories/orgapachetomcat-110/org/apache/taglibs/taglibs-standard/1.2.0/

SVN tag:
https://svn.apache.org/repos/asf/tomcat/taglibs/standard/tags/taglibs-standard-1.2.0 @ r1540426

KEYS: https://svn.apache.org/repos/asf/tomcat/trunk/KEYS

The proposed 1.2.0 release is"
[ ] Broken - do not release
[ ] OK - release as 1.2.0

Thanks
Jeremy

Re: [VOTE] Release Apache Tomcat Standard Taglib 1.2.0

Posted by Rainer Jung <ra...@kippdata.de>.
On 11.11.2013 00:15, Jeremy Boynes wrote:

> I have taken a go at addressing these in trunk and have deployed a SNAPSHOT of that here:
> https://repository.apache.org/content/repositories/snapshots/org/apache/taglibs/taglibs-standard/1.2.1-SNAPSHOT/
> 
> Could you take a look and see if there is anything else?

Looks good to me, seems to be build with 1.7.0_45 now, so javadoc should
be fine now.

> I did update the README files related to building, including use of the apache-release profile:
>   $ mvn -Papache-release install
> to build a local copy of the artifacts.

Thanks a lot, very helpful.

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat Standard Taglib 1.2.0

Posted by Jeremy Boynes <jb...@apache.org>.
On Nov 10, 2013, at 11:47 AM, Rainer Jung <ra...@kippdata.de> wrote:

> On 10.11.2013 00:56, Jeremy Boynes wrote:
>> I'd like to release Apache Tomcat Standard Taglib 1.2.0.
>> 
>> This would be the first release in many years, and the first release of an implementation of JSTL 1.2.
>> 
>> Maven Staging Repository:
>> https://repository.apache.org/content/repositories/orgapachetomcat-110
>> 
>> Source Distribution:
>> https://repository.apache.org/content/repositories/orgapachetomcat-110/org/apache/taglibs/taglibs-standard/1.2.0/
>> 
>> SVN tag:
>> https://svn.apache.org/repos/asf/tomcat/taglibs/standard/tags/taglibs-standard-1.2.0 @ r1540426
>> 
>> KEYS: https://svn.apache.org/repos/asf/tomcat/trunk/KEYS
>> 
>> The proposed 1.2.0 release is"
>> [X] Broken - do not release
>> [] OK - release as 1.2.0
> 
> Don't panic, the only show stopper I saw was that likely your javadoc is
> vulnerable for CVE-2013-1571. This should be trivially fixable by
> building/releasing with a more current JDK 7 (anything newer than
> 1.7.0_21, which is exactly the one your were using). Or update to maven
> javadoc plugin 2.9.1. The current tag of the Apache parent pom still
> references 2.9, only trunk is at 2.9.1.
> 
> See:
> 
> http://jira.codehaus.org/browse/MJAVADOC-370
> https://issues.apache.org/jira/browse/MPOM-46
> 
> I have a couple of additional remarks though, all based on a very formal
> test of the release. Most should be trivial to fix, so if you start
> another release cycle, it would be nice to get rid of some of them. I
> haven't actually used the artifacts.

I have taken a go at addressing these in trunk and have deployed a SNAPSHOT of that here:
https://repository.apache.org/content/repositories/snapshots/org/apache/taglibs/taglibs-standard/1.2.1-SNAPSHOT/

Could you take a look and see if there is anything else?
I did update the README files related to building, including use of the apache-release profile:
  $ mvn -Papache-release install
to build a local copy of the artifacts.

Thanks
Jeremy

[WITHDRAWN] [VOTE] Release Apache Tomcat Standard Taglib 1.2.0

Posted by Jeremy Boynes <jb...@apache.org>.
On Nov 10, 2013, at 11:47 AM, Rainer Jung <ra...@kippdata.de> wrote:

> On 10.11.2013 00:56, Jeremy Boynes wrote:
>> I'd like to release Apache Tomcat Standard Taglib 1.2.0.
>> 
>> This would be the first release in many years, and the first release of an implementation of JSTL 1.2.
>> 
>> Maven Staging Repository:
>> https://repository.apache.org/content/repositories/orgapachetomcat-110
>> 
>> Source Distribution:
>> https://repository.apache.org/content/repositories/orgapachetomcat-110/org/apache/taglibs/taglibs-standard/1.2.0/
>> 
>> SVN tag:
>> https://svn.apache.org/repos/asf/tomcat/taglibs/standard/tags/taglibs-standard-1.2.0 @ r1540426
>> 
>> KEYS: https://svn.apache.org/repos/asf/tomcat/trunk/KEYS
>> 
>> The proposed 1.2.0 release is"
>> [X] Broken - do not release
>> [] OK - release as 1.2.0

I'm withdrawing the 1.2.0 release and have dropped the staging repository. I plan to leave the SVN tag as the blocking issue was due to the build process (using an old JDK) and the other issues related to documentation (including how to build/use the distribution) rather than the implementation.

I have uploaded a new SNAPSHOT from r1541106 to 
  https://repository.apache.org/content/repositories/snapshots/org/apache/taglibs/taglibs-standard/1.2.1-SNAPSHOT/
as a candidate for a 1.2.1 release. I used the apache-release profile so, except for the version, this should mimic the actual release that would be produced and I would appreciate if other eyes could take a look before I tag 1.2.1 later this week.

Thanks
Jeremy

Re: [VOTE] Release Apache Tomcat Standard Taglib 1.2.0

Posted by Rainer Jung <ra...@kippdata.de>.
On 10.11.2013 00:56, Jeremy Boynes wrote:
> I'd like to release Apache Tomcat Standard Taglib 1.2.0.
> 
> This would be the first release in many years, and the first release of an implementation of JSTL 1.2.
> 
> Maven Staging Repository:
> https://repository.apache.org/content/repositories/orgapachetomcat-110
> 
> Source Distribution:
> https://repository.apache.org/content/repositories/orgapachetomcat-110/org/apache/taglibs/taglibs-standard/1.2.0/
> 
> SVN tag:
> https://svn.apache.org/repos/asf/tomcat/taglibs/standard/tags/taglibs-standard-1.2.0 @ r1540426
> 
> KEYS: https://svn.apache.org/repos/asf/tomcat/trunk/KEYS
> 
> The proposed 1.2.0 release is"
> [X] Broken - do not release
> [] OK - release as 1.2.0

Don't panic, the only show stopper I saw was that likely your javadoc is
vulnerable for CVE-2013-1571. This should be trivially fixable by
building/releasing with a more current JDK 7 (anything newer than
1.7.0_21, which is exactly the one your were using). Or update to maven
javadoc plugin 2.9.1. The current tag of the Apache parent pom still
references 2.9, only trunk is at 2.9.1.

See:

http://jira.codehaus.org/browse/MJAVADOC-370
https://issues.apache.org/jira/browse/MPOM-46

I have a couple of additional remarks though, all based on a very formal
test of the release. Most should be trivial to fix, so if you start
another release cycle, it would be nice to get rid of some of them. I
haven't actually used the artefacts.

Overview:

- MD5 and SHA1 OK
- signatures OK
- key in KEYS file
- src zip consistent with svn tag
- builds fine
- build result looks consistent with binaries
  - some exceptions, see below
- no checkstyle complaints
- no Javadoc warnings
- No unit test failures

Build and tests were done using Maven 2.2.1 and Java 1.7.0_45.
OS was Solaris 10 Sparc.

Room for improvement:


- main pom.xml contains a snippet:

<distributionManagement>
  <site>
    <id>apache.website</id>
    <name>Apache Website</name>

<url>scpexe://people.apache.org/www/tomcat.apache.org/taglibs/standard-${project.version}/</url>
  </site>
</distributionManagement>

Is it correct to publish a people.apache.org URL here?


- Building

README_src.txt tells us to run

    $ mvn install   <-- builds all targets and installs in local repository
    $ mvn clean     <-- removes all build artifacts
    $ mvn release   <-- builds all targets and releases to staging repo

but I get an error for "mvn release":

Invalid task 'release': you must specify a valid lifecycle phase, or a
goal in the format plugin:goal or
pluginGroupId:pluginArtifactId:pluginVersion:goal

I actually wasn't able to recreate the release including zip and hash files.

Using "mvn install" and then also "mvn source:jar" and "mvn javadoc:jar"
I could recreate the jar files though.

It would be nice to document how to create the release zip.


- README_src.txt

Contains: "There are four sub-modules: ...", the 5th module
"build-tools" is not mentioned.


- README_src.txt starts with

---------------------------------------------------------------------------
Apache Standard Tag Library 1.2 -- SOURCE DISTRIBUTION
---------------------------------------------------------------------------

but README_bin.txt with

---------------------------------------------------------------------------
Standard Tag Library 1.1 -- BINARY DISTRIBUTION
---------------------------------------------------------------------------

different name and version.


- README_bin.txt

The section "COMPATIBILITY" tells us:

"The 1.1 version of the Standard Taglib has been tested under Tomcat
5.0.3 and should work in any compliant JSP 2.0 container."

Should we update to something like "tested under Tomcat 6, 7 and 8" - if
it were true? And we are now at 1.2 instead of 1.1.


- README_bin.txt

"LIBRARY DEPENDENCIES" talks about Java 1.4.2, although Java is needed.
The convenience directory lib/old-dependencies is mentioned, although it
doesn't seem to exist.

It seems the whole section should be reviewed in light of the updated
requirements and release process.

It also mentions several times the non longer existing URL
http://java.sun.com/products/jwsdp.

Finally the section talks about "WAR Files" standard-doc.war and
standard-examples.war which I didn't manage to create and are not in the
repo.


- NOTICE

Contains somewhat inconsistent project names:

Apache Tomcat Standard Taglib
Apache Standard Taglib
Apache Standard Taglib 1.0 Compatibility
Apache Standard Taglib 1.0 EL Support
Apache Standard Taglib Build Tools
Apache Standard Taglib Implementation
Apache Standard Taglib Specification API

Only the top level one contains the name part "Tomcat". I don't know,
which name is right, but it seems inconsistent.


- DEPENDENCIES

Similar to NOTICE, if the names get changed, should change here to:

Apache Standard Taglib
Apache Standard Taglib 1.0 Compatibility
Apache Standard Taglib 1.0 EL Support
Apache Standard Taglib Build Tools
Apache Standard Taglib Implementation
Apache Standard Taglib Specification API

and

  - Apache Standard Taglib Implementation
(http://tomcat.apache.org/taglibs/standard-1.2.0/taglibs-standard-impl)
org.apache.taglibs:taglibs-standard-impl:bundle:1.2.0
  - Apache Standard Taglib Specification API
(http://tomcat.apache.org/taglibs/standard-1.2.0/taglibs-standard-spec)
org.apache.taglibs:taglibs-standard-spec:bundle:1.2.0


- Servlet 2.4 vs. 2.5

README_bin.txt and standard-test/src/main/webapp/WEB-INF/web.xml refer
to servlet 2.4, but the pom files and src/site/xdoc/index.xml refer to
Servlet 2.5.


- changes.xml:

Contains

<release version="1.2.0" date="Unreleased" description="JSTL 1.2
implementation in the making"/>

Should that be adjusted pre-release?


- Comparing my build with your build

  - I can't create the zip file
  - I can't create the war file(s)
  - the created jars do not contain NOTICE, LICENSE and DEPENDENCIES
files in META-INF. They are there in the original release artefact jars
though.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat Standard Taglib 1.2.0

Posted by Jeremy Boynes <jb...@apache.org>.
On Nov 9, 2013, at 3:56 PM Jeremy Boynes <jb...@apache.org> wrote:

> I'd like to release Apache Tomcat Standard Taglib 1.2.0.
> 
> The proposed 1.2.0 release is"
> [ ] Broken - do not release

> [X] OK - release as 1.2.0 (non-binding)


RAT report looked OK.
JSTL 1.2 TCK passed (run on Mac OSX 10.8.5, Java 1.6.0_65, Apache Tomcat 7.0.47)

Thanks
Jeremy