Posted to dev@devicemap.apache.org by Radu Cotescu <ra...@apache.org> on 2015/09/01 14:55:33 UTC

How to release artifacts (was: Re: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted)

The artifacts to review are an integral part of the voting thread.
Therefore I suggest you follow this small how-to:

1. build the release artifact (JAR for Java, other archive type for other
languages) that has the exact same structure as the release's SCM tag; you
can use the script from [0] to check this
2. sign them with your PGP key
3. provide checksums for the artifact (md5 and sha1 should be enough)
4. make sure that the binary can be built using the source code contained
by the artifact from 1; if the binary relies on 3rd party dependencies
provide instructions (probably in a README) on how to get them and describe
their licensing; *never ever* include them directly in our artifacts if
they are not provided under an Apache license, or any other compatible one
[1]
5. use the check release script [2] to verify that you've properly signed
the artifact
6. stage the artifact
7. start the voting thread

What I wrote here is probably just the gist of [3], which everybody at ASF
should understand and obey.

Cheers,
Radu

[0] -
https://svn.apache.org/repos/asf/devicemap/trunk/check_release_matches_tag.sh
[1] - http://apache.org/legal/resolved.html#category-a
[2] -
https://svn.apache.org/repos/asf/devicemap/trunk/check_staged_release.sh
[3] - http://www.apache.org/dev/release.html

On Tue, 1 Sep 2015 at 14:34 Werner Keil <we...@gmail.com> wrote:

> I'll probably give you a heads-up and put stuff to review before the
> actual vote.
>
>
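
The checks in steps 1, 3 and 5 above can be scripted. The following is an added example, not the devicemap project's own check_release_matches_tag.sh or check_staged_release.sh: it writes and verifies md5/sha1 sidecar files in the format that md5sum/sha1sum -c accept, compares the file list inside a source archive against the tagged tree, and shows that a modified artifact fails the checksum check. The file names, directory layout and archive name are constructed for the demo; the signature check simply calls gpg --verify if gpg is installed.

```python
"""Release artifact checks: checksum sidecars, tag-structure comparison, signature.

Added example, not the devicemap project's scripts. Paths and names are constructed.
"""
import hashlib
import os
import shutil
import subprocess
import tarfile
import tempfile
from pathlib import Path

HASHES = ("md5", "sha1")  # the how-to says md5 and sha1 are enough


def digest(path, algo):
    """Hex digest of a file, read in chunks so large artifacts do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(artifact):
    """Write <artifact>.md5 and <artifact>.sha1 as 'hash  filename' lines (md5sum/sha1sum -c format)."""
    artifact = Path(artifact)
    sidecars = {}
    for algo in HASHES:
        side = artifact.with_name(artifact.name + "." + algo)
        side.write_text(f"{digest(artifact, algo)}  {artifact.name}\n")
        sidecars[algo] = side
    return sidecars


def verify_checksums(artifact):
    """Map algo -> True/False; a missing sidecar counts as a failure, not a pass."""
    artifact = Path(artifact)
    results = {}
    for algo in HASHES:
        side = artifact.with_name(artifact.name + "." + algo)
        if not side.exists():
            results[algo] = False
            continue
        expected = side.read_text().split()[0].lower()
        results[algo] = expected == digest(artifact, algo)
    return results


def verify_signature(artifact):
    """True if a detached .asc signature verifies with gpg; None if gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    sig = str(artifact) + ".asc"
    proc = subprocess.run(["gpg", "--verify", sig, str(artifact)], capture_output=True)
    return proc.returncode == 0


def tree_files(root):
    """Relative paths of regular files under the tagged tree, POSIX-style."""
    root = Path(root)
    return sorted(str(p.relative_to(root)).replace(os.sep, "/")
                  for p in root.rglob("*") if p.is_file())


def archive_files(archive):
    """Relative paths of regular files inside the tarball, top-level directory stripped."""
    names = []
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            if m.isfile():
                names.append(m.name.split("/", 1)[1])  # drop the "demo-1.0/" prefix
    return sorted(names)


def compare_with_tag(archive, tag_dir):
    """(files only in archive, files only in tag); both empty means the structure matches."""
    a, t = set(archive_files(archive)), set(tree_files(tag_dir))
    return sorted(a - t), sorted(t - a)


def build_source_archive(tag_dir, archive, top):
    """Pack the tagged tree as <top>/... into a gzip tarball."""
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(tag_dir, arcname=top)
    return archive


def demo():
    """Constructed scenario: tagged tree -> tarball -> sidecars, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tag = Path(tmp, "tag")
        (tag / "src").mkdir(parents=True)
        (tag / "README").write_text("demo project\n")
        (tag / "src" / "Main.java").write_text("class Main {}\n")
        artifact = build_source_archive(tag, Path(tmp, "demo-1.0-source.tar.gz"), "demo-1.0")
        write_checksums(artifact)
        clean = verify_checksums(artifact)
        extra, missing = compare_with_tag(artifact, tag)
        with open(artifact, "ab") as f:  # simulate a modified artifact after signing
            f.write(b"x")
        tampered = verify_checksums(artifact)
        return clean, tampered, extra, missing


if __name__ == "__main__":
    print(demo())
```

Reviewers should run the checksum and signature checks against the staged files themselves rather than trusting the sidecars shipped next to the artifact, since both were produced by the same release manager; the structure comparison is what ties the archive back to the SCM tag.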

Re: How to release artifacts (was: Re: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted)

Posted by Werner Keil <we...@gmail.com>.
P.s.: There's also a Wiki page (primarily for Maven-based artifacts and
process)
http://wiki.apache.org/devicemap/Release

I'm not entirely sure if the person who wrote it got this part correct:

   - Remove the previous release if it exists

AFAIK the dist folders should retain previous releases, at least as long as
neither that module nor the entire project was archived.

Werner

On Tue, Sep 1, 2015 at 3:18 PM, Werner Keil <we...@gmail.com> wrote:

> It seems the download page of Log4Net or all of Logging is affected by the
> attacks and changes;-|
> However, its Git repo (GitHub mirror here) especially all examples are
> built and made available as VS projects, too:
> https://github.com/apache/log4net/tree/trunk/src/examples/cpp
> At least while they still used SVN everything was based on VS files:
> https://svn.apache.org/repos/asf/logging/log4net/trunk/src/log4net/
> Slight variations of the (mostly Java or C based) default build and
> release chain similar to Log4Net seem necessary here.
>
> If the GitHub mirror passes everything through from the Apache Git server,
> then it seems Log4Net always had just a single active committer for the
> last 10 years;-)
>
>

Re: How to release artifacts (was: Re: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted)

Posted by Werner Keil <we...@gmail.com>.
It seems the download page of Log4Net or all of Logging is affected by the
attacks and changes;-|
However, its Git repo (GitHub mirror here) especially all examples are
built and made available as VS projects, too:
https://github.com/apache/log4net/tree/trunk/src/examples/cpp
At least while they still used SVN everything was based on VS files:
https://svn.apache.org/repos/asf/logging/log4net/trunk/src/log4net/
Slight variations of the (mostly Java or C based) default build and release
chain similar to Log4Net seem necessary here.

If the GitHub mirror passes everything through from the Apache Git server,
then it seems Log4Net always had just a single active committer for the
last 10 years;-)

Re: How to release artifacts (was: Re: Distributed Denial of Service attack on Apache's servers today: Please be advised of changes enacted)

Posted by Werner Keil <we...@gmail.com>.
4. is a bit more sophisticated with Visual Studio. I don't have time or
space on my HD to explore the whole Mono build chain, but with the freely
available Visual Studio Community Edition it works (tested 2013 and 2015
myself in recent months). The only 3rd party dependency is Log4Net, another
Apache project.
5. is not available as BAT or PowerShell script, so it won't work on
Windows.

Everything else sounds OK or (except the hashing) was done before.

Cheers,
Werner

On Tue, Sep 1, 2015 at 2:55 PM, Radu Cotescu <ra...@apache.org> wrote:

> The artifacts to review are an integral part of the voting thread.
> Therefore I suggest you follow this small how-to:
>
> 1. build the release artifact (JAR for Java, other archive type for other
> languages) that has the exact same structure as the release's SCM tag; you
> can use the script from [0] to check this
> 2. sign them with your PGP key
> 3. provide checksums for the artifact (md5 and sha1 should be enough)
> 4. make sure that the binary can be built using the source code contained
> by the artifact from 1; if the binary relies on 3rd party dependencies
> provide instructions (probably in a README) on how to get them and describe
> their licensing; *never ever* include them directly in our artifacts if
> they are not provided under an Apache license, or any other compatible one
> [1]
> 5. use the check release script [2] to verify that you've properly signed
> the artifact
> 6. stage the artifact
> 7. start the voting thread
>
> What I wrote here is probably just the gist of [3], which everybody at ASF
> should understand and obey.
>
> Cheers,
> Radu
>
> [0] -
> https://svn.apache.org/repos/asf/devicemap/trunk/check_release_matches_tag.sh
> [1] - http://apache.org/legal/resolved.html#category-a
> [2] -
> https://svn.apache.org/repos/asf/devicemap/trunk/check_staged_release.sh
> [3] - http://www.apache.org/dev/release.html
>
> On Tue, 1 Sep 2015 at 14:34 Werner Keil <we...@gmail.com> wrote:
>
>> I'll probably give you a heads-up and put stuff to review before the
>> actual vote.
>>
>>