Move to Nexus with no community discussion. WTF?

[Mark Thomas <ma...@apache.org>]

It appears that Maven artefact publishing has been moved from people.a.o
(that all the release scripts are written to use) to using Nexus. See [1]

I have a number of issues with this:

1. There was zero discussion of this on the dev list.

2. Maven publishing for snapshots, release candidates and releases is
now broken as the release scripts have not been updated as it appears is
required. [2]

Jean-Frederic, please explain ASAP what on earth is going on here.
Decisions such as this must happen on list *before* they are actioned.

Right now, I am a few mouse clicks away from requesting that the
infrastructure team revert this change.

Mark


[1] https://issues.apache.org/jira/browse/INFRA-4162
[2] http://www.apache.org/dev/publishing-maven-artifacts.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[Mark Thomas <ma...@apache.org>]

On 16/12/2011 19:38, sebb wrote:
> On 16 December 2011 16:15, Mark Thomas <ma...@apache.org> wrote:
>> On 16/12/2011 16:06, Antonio Petrelli wrote:
>>> Please Mark calm down.
>>
>> No, I will not calm down. The release process has been changed without
>> prior discussion and on top of that it is now broken for Maven
>> artefacts. That is not acceptable.
>>
>>> Being possible to deploy to Nexus does not mean that the project is
>>> configured to do that.
>>
>> Exactly. Tomcat has been using scp+rsync via people.a.o for several
>> years. That process has been broken by the switch to Nexus.
>>
>>> To enable this, you need to configure the needed POM
>>> metadata (SCM, website) and let the master POM of Tomcat be child of the
>>> Apache Master pom.
>>> Even if you have done this steps, if you are not using the Maven release
>>> plugin, it does not work. AFAICT you should be able to (temporarily, for
>>> good) deploy to people.a.o.
>>
>> The whole point is that we can no longer release via people.a.o because
>> of the switch to Nexus. It has been made quite clear that a project can
>> use either Nexus or people.a.o but not both. For Tomcat to use Nexus,
>> the Tomcat release scripts need to be updated and they have not been.
> 
> That's not how Nexus is being used in Commons - but I don't know what
> has been set up here, so perhaps the following is not applicable:

It isn't. We are talking about the release process for Maven artefacts.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[sebb <se...@gmail.com>]

On 16 December 2011 16:15, Mark Thomas <ma...@apache.org> wrote:
> On 16/12/2011 16:06, Antonio Petrelli wrote:
>> Please Mark calm down.
>
> No, I will not calm down. The release process has been changed without
> prior discussion and on top of that it is now broken for Maven
> artefacts. That is not acceptable.
>
>> Being possible to deploy to Nexus does not mean that the project is
>> configured to do that.
>
> Exactly. Tomcat has been using scp+rsync via people.a.o for several
> years. That process has been broken by the switch to Nexus.
>
>> To enable this, you need to configure the needed POM
>> metadata (SCM, website) and let the master POM of Tomcat be child of the
>> Apache Master pom.
>> Even if you have done this steps, if you are not using the Maven release
>> plugin, it does not work. AFAICT you should be able to (temporarily, for
>> good) deploy to people.a.o.
>
> The whole point is that we can no longer release via people.a.o because
> of the switch to Nexus. It has been made quite clear that a project can
> use either Nexus or people.a.o but not both. For Tomcat to use Nexus,
> the Tomcat release scripts need to be updated and they have not been.

That's not how Nexus is being used in Commons - but I don't know what
has been set up here, so perhaps the following is not applicable:

Nexus (as used by Commons/HttpClient) intercepts uploads to the Maven
distribution repo on people.
Instead of Maven artifacts being automatically synched with Maven
Central, Nexus stores them in a staging repo.
This must be checked and closed to new updates; it's then available to
the general public to as part of the VOTE.
If the vote succeeds, the staging repo can be released, otherwise it
is dropped. Once released, the artifacts make their way to Maven
Central as before.

Nexus does *not* change the process for non-Maven artifacts (which are
the main Tomcat release mechanism).
However once enabled for a project, the protection on the maven
distribution repo is changed so only Nexus can update it.

The benefit is that it is impossible to accidentally release Maven
artifacts using "mvn deploy" or whatever; and there is staging area
which can be used for votes.
It also checks sigs and generates hashes if necessary. It guarantees
that the voted on artifacts are the ones that are released.
The disadvantage is that one has to login to Nexus twice: to close the
staging area, and then to release or drop it at the end of the vote.

But this does not change how non-Maven artifacts are released.

>> Antonio
>>
>> P.S. Your project is a mess to be a Maven project. If you *really* want to
>> move to Maven you need to do a major reconstruction of the directory
>> structure.
>
> There are no plans to move Tomcat to use Maven for building. This is
> purely about providing the Tomcat JARs as Maven artefacts in Maven
> Central for others to use as they wish.
>
> Mark
>
>>
>> 2011/12/16 Mark Thomas <ma...@apache.org>
>>
>>> On 16/12/2011 15:43, jean-frederic clere wrote:
>>>> On 12/16/2011 04:20 PM, Mark Thomas wrote:
>>>>> It appears that Maven artefact publishing has been moved from people.a.o
>>>>> (that all the release scripts are written to use) to using Nexus. See
>>> [1]
>>>>>
>>>>> I have a number of issues with this:
>>>>>
>>>>> 1. There was zero discussion of this on the dev list.
>>>>>
>>>>> 2. Maven publishing for snapshots, release candidates and releases is
>>>>> now broken as the release scripts have not been updated as it appears is
>>>>> required. [2]
>>>>>
>>>>> Jean-Frederic, please explain ASAP what on earth is going on here.
>>>>> Decisions such as this must happen on list *before* they are actioned.
>>>>
>>>> I understood it only affects the release process...
>>>
>>> So what? Releasing software is why this community exists. Any changes to
>>> that process need to be agreed by the community first.
>>>
>>>> If that is wrong
>>>> that I screwed it, Sorry
>>>
>>> Before this change, we could release artefacts to Maven Central.
>>>
>>> After this change, we are unable to release artefacts to Maven Central
>>> since that part of the release process now needs re-writing.
>>>
>>> That is not acceptable. If there were an security issue that required an
>>> immediate release Maven users at best would get the artefacts late or at
>>> worst not at all.
>>>
>>> An apology is a good start but the stuff you have just broken needs
>>> fixing. At the moment, I see two possible fixes.
>>>
>>> 1. Update the release scripts so we can release artefacts to Maven using
>>> the new process.
>>> 2. Revert the change to use Nexus and return to scp+rsync.
>>>
>>> If you don't do 1. (pretty much immediately), I intend to request that
>>> the infra team does 2.
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[jean-frederic clere <jf...@gmail.com>]

On 12/16/2011 11:02 PM, Mark Thomas wrote:
> The good news is that Jean-Frederic has indicated via private e-mail
> that he will be fixing the build scripts to use Nexus tomorrow. I would
> like to see him confirm that on this list but I have no reason to doubt
> his word. A quick read of [2] suggests that it should be do-able in that
> timeframe.

I am working on it.

Cheers

Jean-Frederic

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[Mark Thomas <ma...@apache.org>]

On 16/12/2011 20:21, Antonio Petrelli wrote:
> 2011/12/16 Mark Thomas <ma...@apache.org>
> 
>> On 16/12/2011 16:06, Antonio Petrelli wrote:
>>> Please Mark calm down.
>>
>> No, I will not calm down. The release process has been changed without
>> prior discussion and on top of that it is now broken for Maven
>> artefacts. That is not acceptable.
>>
> 
> 
> Mark, everything's right,

No it isn't. If everything was alright, there would have been no need to
start this thread.

> good boy :-D

I'm going to ignore that patronizing remark.

> First of all, did you try to release something and it went wrong?

No I didn't. However, as a member of the ASF infrastructure team I know
enough about how Nexus is configured to know that due to [1] releasing
Maven artefacts via scp+rsync using people.a.o is now blocked. All of
the Tomcat build scripts are written to release JARs files to Maven
Central via scp+rsync via people.a.o. Because of the switch to Nexus,
the publishing to Maven Central part of the build process is currently
broken.

> If not, remember that changes might be rolled back at any time (though,
> sincerely, I don't see why, especially if you did not see a problem).

This is not a simple change to a build script in svn. Ultimately
anything can be reverted but reverting the switch to Nexus looks to be
non-trivial. As an example, the entire tomcat section of the repo on
people.a.o has been removed and would have to be reconstructed. That is
far more work than a simple svn revert. I am sure that other changes
have also been made. I do not know how much reverting all of them may
entail.

To re-iterate I do see a problem. The build scripts are all written to
use scp+rsync via people.a.o but releases via that route is now blocked.

The good news is that Jean-Frederic has indicated via private e-mail
that he will be fixing the build scripts to use Nexus tomorrow. I would
like to see him confirm that on this list but I have no reason to doubt
his word. A quick read of [2] suggests that it should be do-able in that
timeframe.

> And anyway, your attitude against Jean Frederic is unacceptable, in this
> cases you should remind that:

There we disagree. I think that Jean-Frederic's decision to go ahead
with [1] without community discussion was the wrong decision. That the
release of Tomcat artefacts to Maven Central is now broken makes things
worse.

> * Apache is a community driven foundation,

Exactly. Which is why one individual making technical decisions that
affect a project's release process without prior community discussion is
wrong. To repeat what has been said many times before at the ASF "If it
didn't happen on the mailing list then it didn't happen" and there was
no discussion of this change on the mailing list.

If the discussion had taken place on the dev list, the issues around the
current build scripts would have been identified and addressed and, for
example, we could have co-ordinated the switch to Nexus with the
necessary changes to the build scripts.

And if we hadn't identified the issues then this would be a community
screw-up that we could all share responsibility for.

You'll note that I have started a separate thread to discuss the
relative merits of Nexus vs scp+rsync. If you are aware of anything that
would indicate one is a better choice than the other for Tomcat then
please do contribute to that thread.

> not a private firm that will lose money if the build does not work.

I agree this has nothing to do with money. It has everything to do with
community. Part of the Tomcat community relies on obtaining the Tomcat
JARs from Maven Central. Based on how quickly questions get asked if I
forget to run the Maven artefacts part of the release process once a
Tomcat 7 release vote has passed, I would guess that a sizable part of
our community depends on those JARs. A direct consequence of this change
is that we are currently unable to make releases to that part of our
community.

Currently we have no plans for a release but it only takes one critical
security vulnerability report to change that.

> * I think that you should recall the basic rules of personal relationship.
> Jean Frederic is a person, attacking him this way is *bad*.

If someone screws up, I am going to call them on it. If I screw-up (and
I do regularly - check the archives for the long list of stuff I have
managed to break over the years) I expect to get called on it.

Doing things without any on-list discussion is a huge no-no at the ASF.
I would agree my response was a strong one but I wouldn't characterise
it as a personal attack (Jean-Frederic if you read any of my comments
were read that way I apologise - that wasn't my intention).

> He probably made a mistake, however there are many ways to tell things, most of them
> are kind.

Everything is relative. I would say this thread was pretty mild compared
to others I have seen both on this list an elsewhere at the ASF. Could
it have been milder? Sure. But when I see such a fundamental part of
"The Apache Way" - all technical decisions are made on list - being
forgotten it is very difficult not to react strongly. Believe it or not,
the first draft of my e-mail that started this thread was a lot stronger
and threw around phrases like "-1 veto" that on reflection I decided to
tone down.

Mark

> 
> Best regards
> Antonio
> 

[1] https://issues.apache.org/jira/browse/INFRA-4162
[2] http://www.apache.org/dev/publishing-maven-artifacts.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[Antonio Petrelli <an...@gmail.com>]

2011/12/16 Mark Thomas <ma...@apache.org>

> On 16/12/2011 16:06, Antonio Petrelli wrote:
> > Please Mark calm down.
>
> No, I will not calm down. The release process has been changed without
> prior discussion and on top of that it is now broken for Maven
> artefacts. That is not acceptable.
>


Mark, everything's right, good boy :-D
First of all, did you try to release something and it went wrong?
If not, remember that changes might be rolled back at any time (though,
sincerely, I don't see why, especially if you did not see a problem).
And anyway, your attitude against Jean Frederic is unacceptable, in this
cases you should remind that:
* Apache is a community driven foundation, not a private firm that will
lose money if the build does not work.
* I think that you should recall the basic rules of personal relationship.
Jean Frederic is a person, attacking him this way is *bad*. He probably
made a mistake, however there are many ways to tell things, most of them
are kind.

Best regards
Antonio

Re: Move to Nexus with no community discussion. WTF?

[Mark Thomas <ma...@apache.org>]

On 16/12/2011 16:15, Mark Thomas wrote:
> On 16/12/2011 16:06, Antonio Petrelli wrote:
>> Please Mark calm down.
> 
> No, I will not calm down. The release process has been changed without
> prior discussion and on top of that it is now broken for Maven
> artefacts. That is not acceptable.
> 
>> Being possible to deploy to Nexus does not mean that the project is
>> configured to do that.
> 
> Exactly. Tomcat has been using scp+rsync via people.a.o for several
> years. That process has been broken by the switch to Nexus.

Jean-Frederic has informed me (via private e-mail) that he intends to
fix this tomorrow.

Despite that this change has already been made, I would like to see a
discussion on whether or not switching to Nexus is in the best interests
of the Tomcat project. I'll start a separate thread for that.

Mark


> 
>> To enable this, you need to configure the needed POM
>> metadata (SCM, website) and let the master POM of Tomcat be child of the
>> Apache Master pom.
>> Even if you have done this steps, if you are not using the Maven release
>> plugin, it does not work. AFAICT you should be able to (temporarily, for
>> good) deploy to people.a.o.
> 
> The whole point is that we can no longer release via people.a.o because
> of the switch to Nexus. It has been made quite clear that a project can
> use either Nexus or people.a.o but not both. For Tomcat to use Nexus,
> the Tomcat release scripts need to be updated and they have not been.
> 
>> Antonio
>>
>> P.S. Your project is a mess to be a Maven project. If you *really* want to
>> move to Maven you need to do a major reconstruction of the directory
>> structure.
> 
> There are no plans to move Tomcat to use Maven for building. This is
> purely about providing the Tomcat JARs as Maven artefacts in Maven
> Central for others to use as they wish.
> 
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[Mark Thomas <ma...@apache.org>]

On 16/12/2011 16:06, Antonio Petrelli wrote:
> Please Mark calm down.

No, I will not calm down. The release process has been changed without
prior discussion and on top of that it is now broken for Maven
artefacts. That is not acceptable.

> Being possible to deploy to Nexus does not mean that the project is
> configured to do that.

Exactly. Tomcat has been using scp+rsync via people.a.o for several
years. That process has been broken by the switch to Nexus.

> To enable this, you need to configure the needed POM
> metadata (SCM, website) and let the master POM of Tomcat be child of the
> Apache Master pom.
> Even if you have done this steps, if you are not using the Maven release
> plugin, it does not work. AFAICT you should be able to (temporarily, for
> good) deploy to people.a.o.

The whole point is that we can no longer release via people.a.o because
of the switch to Nexus. It has been made quite clear that a project can
use either Nexus or people.a.o but not both. For Tomcat to use Nexus,
the Tomcat release scripts need to be updated and they have not been.

> Antonio
> 
> P.S. Your project is a mess to be a Maven project. If you *really* want to
> move to Maven you need to do a major reconstruction of the directory
> structure.

There are no plans to move Tomcat to use Maven for building. This is
purely about providing the Tomcat JARs as Maven artefacts in Maven
Central for others to use as they wish.

Mark

> 
> 2011/12/16 Mark Thomas <ma...@apache.org>
> 
>> On 16/12/2011 15:43, jean-frederic clere wrote:
>>> On 12/16/2011 04:20 PM, Mark Thomas wrote:
>>>> It appears that Maven artefact publishing has been moved from people.a.o
>>>> (that all the release scripts are written to use) to using Nexus. See
>> [1]
>>>>
>>>> I have a number of issues with this:
>>>>
>>>> 1. There was zero discussion of this on the dev list.
>>>>
>>>> 2. Maven publishing for snapshots, release candidates and releases is
>>>> now broken as the release scripts have not been updated as it appears is
>>>> required. [2]
>>>>
>>>> Jean-Frederic, please explain ASAP what on earth is going on here.
>>>> Decisions such as this must happen on list *before* they are actioned.
>>>
>>> I understood it only affects the release process...
>>
>> So what? Releasing software is why this community exists. Any changes to
>> that process need to be agreed by the community first.
>>
>>> If that is wrong
>>> that I screwed it, Sorry
>>
>> Before this change, we could release artefacts to Maven Central.
>>
>> After this change, we are unable to release artefacts to Maven Central
>> since that part of the release process now needs re-writing.
>>
>> That is not acceptable. If there were an security issue that required an
>> immediate release Maven users at best would get the artefacts late or at
>> worst not at all.
>>
>> An apology is a good start but the stuff you have just broken needs
>> fixing. At the moment, I see two possible fixes.
>>
>> 1. Update the release scripts so we can release artefacts to Maven using
>> the new process.
>> 2. Revert the change to use Nexus and return to scp+rsync.
>>
>> If you don't do 1. (pretty much immediately), I intend to request that
>> the infra team does 2.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[Antonio Petrelli <an...@gmail.com>]

Please Mark calm down.
Being possible to deploy to Nexus does not mean that the project is
configured to do that. To enable this, you need to configure the needed POM
metadata (SCM, website) and let the master POM of Tomcat be child of the
Apache Master pom.
Even if you have done this steps, if you are not using the Maven release
plugin, it does not work. AFAICT you should be able to (temporarily, for
good) deploy to people.a.o.

Antonio

P.S. Your project is a mess to be a Maven project. If you *really* want to
move to Maven you need to do a major reconstruction of the directory
structure.

2011/12/16 Mark Thomas <ma...@apache.org>

> On 16/12/2011 15:43, jean-frederic clere wrote:
> > On 12/16/2011 04:20 PM, Mark Thomas wrote:
> >> It appears that Maven artefact publishing has been moved from people.a.o
> >> (that all the release scripts are written to use) to using Nexus. See
> [1]
> >>
> >> I have a number of issues with this:
> >>
> >> 1. There was zero discussion of this on the dev list.
> >>
> >> 2. Maven publishing for snapshots, release candidates and releases is
> >> now broken as the release scripts have not been updated as it appears is
> >> required. [2]
> >>
> >> Jean-Frederic, please explain ASAP what on earth is going on here.
> >> Decisions such as this must happen on list *before* they are actioned.
> >
> > I understood it only affects the release process...
>
> So what? Releasing software is why this community exists. Any changes to
> that process need to be agreed by the community first.
>
> > If that is wrong
> > that I screwed it, Sorry
>
> Before this change, we could release artefacts to Maven Central.
>
> After this change, we are unable to release artefacts to Maven Central
> since that part of the release process now needs re-writing.
>
> That is not acceptable. If there were an security issue that required an
> immediate release Maven users at best would get the artefacts late or at
> worst not at all.
>
> An apology is a good start but the stuff you have just broken needs
> fixing. At the moment, I see two possible fixes.
>
> 1. Update the release scripts so we can release artefacts to Maven using
> the new process.
> 2. Revert the change to use Nexus and return to scp+rsync.
>
> If you don't do 1. (pretty much immediately), I intend to request that
> the infra team does 2.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

Re: Move to Nexus with no community discussion. WTF?

[Mark Thomas <ma...@apache.org>]

On 16/12/2011 15:43, jean-frederic clere wrote:
> On 12/16/2011 04:20 PM, Mark Thomas wrote:
>> It appears that Maven artefact publishing has been moved from people.a.o
>> (that all the release scripts are written to use) to using Nexus. See [1]
>>
>> I have a number of issues with this:
>>
>> 1. There was zero discussion of this on the dev list.
>>
>> 2. Maven publishing for snapshots, release candidates and releases is
>> now broken as the release scripts have not been updated as it appears is
>> required. [2]
>>
>> Jean-Frederic, please explain ASAP what on earth is going on here.
>> Decisions such as this must happen on list *before* they are actioned.
> 
> I understood it only affects the release process...

So what? Releasing software is why this community exists. Any changes to
that process need to be agreed by the community first.

> If that is wrong
> that I screwed it, Sorry

Before this change, we could release artefacts to Maven Central.

After this change, we are unable to release artefacts to Maven Central
since that part of the release process now needs re-writing.

That is not acceptable. If there were an security issue that required an
immediate release Maven users at best would get the artefacts late or at
worst not at all.

An apology is a good start but the stuff you have just broken needs
fixing. At the moment, I see two possible fixes.

1. Update the release scripts so we can release artefacts to Maven using
the new process.
2. Revert the change to use Nexus and return to scp+rsync.

If you don't do 1. (pretty much immediately), I intend to request that
the infra team does 2.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: Move to Nexus with no community discussion. WTF?

[jean-frederic clere <jf...@gmail.com>]

On 12/16/2011 04:20 PM, Mark Thomas wrote:
> It appears that Maven artefact publishing has been moved from people.a.o
> (that all the release scripts are written to use) to using Nexus. See [1]
>
> I have a number of issues with this:
>
> 1. There was zero discussion of this on the dev list.
>
> 2. Maven publishing for snapshots, release candidates and releases is
> now broken as the release scripts have not been updated as it appears is
> required. [2]
>
> Jean-Frederic, please explain ASAP what on earth is going on here.
> Decisions such as this must happen on list *before* they are actioned.

I understood it only affects the release process... If that is wrong 
that I screwed it, Sorry

Cheers

Jean-Frederic

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org