You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@netbeans.apache.org by Jaroslav Tulach <ja...@gmail.com> on 2017/10/11 04:08:13 UTC
[VOTE] Build #17 as HTML/Java API release 1.5
Hi.
Release is dead, long live the release! I believe I have addressed the biggest
problems of my previous attempt to release Apache NetBeans HTML/Java API 1.5
and it is time to try once again.
Here is the build with source ZIP, MD5 and SHA1 signatures.
https://builds.apache.org/view/Incubator%20Projects/job/incubator-netbeans-html4j-release/17/
you can find there also list of changes including removal of mycila license
plugin and thus dependency on Google maven repository.
The incubating-netbeans-html4j-1.5.zip.asc isn't present on the server (as I
would need to upload my private key there), but instead I am pasting its
content here including steps I used to generate it. When uploading the bits to
some proper location, please include this file as well:
$ gpg -ab incubating-netbeans-html4j-1.5.zip
You need a passphrase to unlock the secret key for
user: "Jaroslav Tulach <ja...@apidesign.org>"
2048-bit RSA key, ID 7E654BAC, created 2013-02-13
$ ls -l
total 1476
-rw-r--r-- 1 devel devel 1504058 Oct 11 05:44 incubating-netbeans-
html4j-1.5.zip
-rw-r--r-- 1 devel devel 473 Oct 11 05:44 incubating-netbeans-
html4j-1.5.zip.asc
$ cat incubating-netbeans-html4j-1.5.zip.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJZ3ZOYAAoJECeLZh1+ZUusrzkH+gK5I6FW1XJ4DoiCaCtsd4R+
oZ1rCHyMFYm/KiTxF0J+kFHoLHhZ4Aq3D1/Iof/VO2n1fE03Bpg6ClB9dSpAiznp
zuPETvejx+6jmVamyDlzqhTUmIt5YzPk/QIiOLdMLe0pYNnjBUSdCy9ZIHZqA8uU
IiwU6uyBZrtC6aRNnTY9euT3aIslQ17kdzjarHi55yXQBdncXzkqMjLZB+vAmzzx
jVBxIbNC+OArDRwa1tmLkvND1QC+3G4Lx3xjwNnHES7Rsll3gN8+ebAhgU5o3Nd4
aCpn1jeZr0d45QAJ8wEpH+2kedin+7Cp7isyBTZ8TXCpwxOk0giOd7cg0J7f8V8=
=25ax
-----END PGP SIGNATURE-----
I signed the file with the same key I use when signing the [Maven repository
artifacts](https://maven.java.net/content/repositories/orgapidesign-1066) - I
hope that is OK.
The Maven artifacts are in a staging repository, I release them once the
release is approved. They were generated with following command:
incubator-netbeans-html4j$ mvn -DskipTests -Pjvnet-release -Pgpg package
javadoc:jar source:jar gpg:sign deploy
Please cast your votes. I hope this time the release has better chances to
pass.
-jt
Re: [VOTE] Build #17 as HTML/Java API release 1.5
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
I have reviewed SHA1(incubating-netbeans-html4j-1.5.zip)=
eaa3a5a784f56fd1a20674ef5b59eed2be99d2fe
I'm -1 on the release due to the missing DISCLAIMER which is easy to
fix, details below.
Once that's fixed, if others (including at least one other mentor)
agree I'd be ok to promote the fixed release to Incubator PMC vote
except for one thing: I suggest including in the Incubator PMC vote
message instructions for reviewing the license/copyright header
changes done since the code was imported from the Oracle donation, can
you provide those? Probably just a git diff command or URL. A
reference (git tag?) to tools used for these changes is also useful.
The digests are ok.
I cannot verify the signature as I haven't found your 7E654BAC public
key online, see the "PMC members please add your PGP keys to
https://id.apache.org" thread here.
On Wed, Oct 11, 2017 at 6:08 AM, Jaroslav Tulach
<ja...@gmail.com> wrote:
> ...The incubating-netbeans-html4j-1.5.zip.asc isn't present on the server (as I
> would need to upload my private key there),...
IIUC this is because the release is generated by Jenkins and you don't
want it to have your private key - sounds reasonable ;-)
In this case maybe it's more convenient to keep the .asc file in the
gi tools repository before the release happens?
This also allows others to add their own signature if desired.
zip archive review:
1) DISCLAIMER is missing, for a podling this is enough to reject the
release. See also DEPENDENCIES below, the same mechanism can be used
to generate both.
2) In the NOTICE, I find this confusing:
"The code is based on NetBeans HTML/Java API Copyright (c) 2013-2017
Oracle Corp, kindly donated"
as it can be misunderstood as Oracle still owning that copyright -
we're still in 2017.
I would prefer
"The initial code is based on NetBeans HTML/Java API modules kindly
donated by Oracle Corp to the Apache Software Foundation"
3) Having a DEPENDENCIES file would make it much easier to validate
third-party dependencies, see this recent thread:
https://lists.apache.org/thread.html/b82a116ec77639c49528d654a488ff354ca8edfb8f4f380865762275@%3Cdev.netbeans.apache.org%3E
Right now, " mvn dependency:tree" lists some unfamiliar dependencies,
having their license in DEPENDENCIES would help validate them.
4) A quick build with "mvn clean install -DskipTests" works including
apache-rat-plugin:0.12:check . The tests take a long time to run, I
haven't checked if there's a way to run just unit tests.
5) the apache-rat-plugin excludes look good to me:
[INFO] Exclude: **/target/**
[INFO] Exclude: .gitignore
[INFO] Exclude: **/.git/**
[INFO] Exclude: **/.repository/**
[INFO] Exclude: **/.maven/**
[INFO] Exclude: **/*.sigtest
[INFO] Exclude: README.md
6) The release includes source code only, apart from a few .png
(test?) images which are fine.
-Bertrand