You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@uima.apache.org by "Marshall Schor (JIRA)" <de...@uima.apache.org> on 2018/10/05 20:18:00 UTC
[jira] [Commented] (UIMA-5876) update uima-wide parent-pom
[ https://issues.apache.org/jira/browse/UIMA-5876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16640301#comment-16640301 ]
Marshall Schor commented on UIMA-5876:
--------------------------------------
after much experimentation, I have an approach for gpg / sha512 signing / checksumming and putting results into /target and .m2 (via deploy), which seems to work.
But, it requires fixes to 2 maven plugins: the maven-gpg-plugin ( see MGPG-66 ) and the checksum-maven-plugin ( see [https://github.com/nicoulaj/checksum-maven-plugin/issues/63] ).
The gpg-plugin fix is minor: it needs to exclude signing things that match it's excludes configuration. Not fixing this means that the checksums get signed and deployed as well as the artifacts.
The checksum-maven-plugin has 2 fixes.
The first is to have the "artifacts" goal include the "pom" - it was missing this, because (for some internal reason) the pom doesn't show up on the list of attached artifacts.
The 2nd is to have the checksum artifacts's coordinates for deploying have a type made from the last part of the file name before the .sha512, concatenated with ".sha512". Example: the xxx-sources.jar gets a type of "jar.sha512". This allows the file to be put into the deploy repo with the name xxx-sources.jar.sha512. See details in issue 63.
I'm not sure how to incorporate these plugin changes in a way we can use them.
Running with Ant instead is something we could do until these get officially fixed. But it has issues: Ideally, we want to sign/checksum the main artifact + all the attached artifacts & pom. The gpg plugin does this. But to get the sha512 checksums done with Ant would take specifying every file that needed this, manually (beyond the pom, which could be part of the uima-wide parent). For example, uimaj-core needs this for
- jar (the main artifact)
- javadoc.jar
- sources.jar (note: this is different than source-release.zip... it is just the java-sources, fetched automatically by some IDEs)
The spec of these things would be used in 2 places: one for the ant checksum task, and one for the build-helper-maven-plugin, used for the attach goal, to attach the results so they get deployed into .m2 etc.
That's messy, and seems to affect potentially many projects, so it's much nicer to have working gpg / checksum maven plugins :)
> update uima-wide parent-pom
> ---------------------------
>
> Key: UIMA-5876
> URL: https://issues.apache.org/jira/browse/UIMA-5876
> Project: UIMA
> Issue Type: Improvement
> Components: Build, Packaging and Test
> Affects Versions: parent-pom-11
> Reporter: Marshall Schor
> Assignee: Marshall Schor
> Priority: Minor
> Fix For: parent-pom-12
>
>
> Additional updates beyond UIMA-5856. Remove redundant/outdated versioning now provided by current apache-wide parent-pom (21). add common configuration for api change report.
> Attempts to use the checksum-maven-plugin reveal that it doesn't work correctly, see [https://github.com/nicoulaj/checksum-maven-plugin/issues/63] ). Design a work-around that uses Ant scripts, and insure it works both for maven-deploy targets (e.g. .m2) and for normal apache distribution targets (e.g. project/target ).
> Due to bug in the current implementation of the maven-gpg-plugin ( MGPG-66 ), the gpg plugin needs to be run before doing the .sha512 checksumming (otherwise the checksums also get signed).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)