Posted to dev@commons.apache.org by Phil Steitz <ph...@gmail.com> on 2005/07/26 17:18:46 UTC

[all][proposal] Add jar checksums to binary release distributions

The [cli] jar issue and other recent discussions on repository@ make
me think that it would be a good idea to start including md5 and/or
sha-1 checksums for release jars in the release distribution tarballs.
While it might be overkill to do so, we might even consider
referencing the checksums in release [VOTE] threads.  It should not be
hard to add this to the maven dist plugin for maven builds.  Thoughts?

Phil

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


Re: [all][proposal] Add jar checksums to binary release distributions

Posted by Phil Steitz <ph...@gmail.com>.
On 7/26/05, Simon Kitching <sk...@apache.org> wrote:
> On Tue, 2005-07-26 at 08:18 -0700, Phil Steitz wrote:
> > The [cli] jar issue and other recent discussions on repository@ make
> > me think that it would be a good idea to start including md5 and/or
> > sha-1 checksums for release jars in the release distribution tarballs.
> > While it might be overkill to do so, we might even consider
> > referencing the checksums in release [VOTE] threads.  It should not be
> > hard to add this to the maven dist plugin for maven builds.  Thoughts?
> 
> I don't see how this helps. The full distribution tarballs have a
> checksum and a signature, so anyone who downloads and checks a
> distribution can be sure that all the jar files inside it are as
> expected. What would adding separate checksums for the jar files do?
> 
> If someone does want to know whether the maven repo is correct, they can
> download the full distribution, check it, unbundle it then do a binary
> comparison between the jar in that distro and the one in maven - or
> generate checksums and compare them at that time.

The idea was just to make it a little easier to compare what is in a
maven repo with the actual release.  We need to find a way to automate
this for java-repository in any case.  Of course it is always possible
to just recompute the checksum or do a binary compare as you suggest. 
I also like the idea of including the checksum in the VOTE thread so
we can be sure that
what is voted on = what is released = what is distributed
I understand that this may be overkill, though, and as you point out,
the second identity can be established by direct comparison.
> 
> Am I right in thinking that "maven jar:deploy" will push a jar out to
> the maven repo? If so, that is probably the cause of the problem; it
> would be too easy for a maven novice to accidentally run that command.

Yes, assuming the user has maven.repo.list and credentials configured.
> 
> The easiest fix for all this is to adopt a small procedural change:
> ensure that the <currentVersion> tag *always* has a -dev or -snapshot or
> -rc suffix except in a subversion tag dir which has passed the final
> release vote.

+1 (will happen if we all always make sure to do step 14 here
http://jakarta.apache.org/commons/releases/release.html ;-)

> 
> A nice maven change to help with this issue might be to report an error
> for all deploy commands where currentVersion is not -dev, -snapshot or
> -rc unless the user passes -Dyes_this_is_a_real_release or somesuch on
> the commandline.

The setup recommended in commons-build/project.properties.sample is to leave
maven.repo.list=apache.snapshots in the configuration file
but then use
maven -Dmaven.repo.list=apache.releases jar:deploy
to deploy to java-repository

Phil
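The deploy guard Simon proposes in the quoted text above (refuse `jar:deploy` unless `currentVersion` carries a -dev, -snapshot or -rc suffix, or the user passes -Dyes_this_is_a_real_release), written as an added example; this is not code from the thread or from maven. It assumes a maven 1 style project.xml with a `<currentVersion>` child of the root element and takes the -D properties as a plain dict; the rc check also accepts a trailing number such as -rc2.

```python
import re
import xml.etree.ElementTree as ET

# Suffixes that mark a version as not-yet-released, per the thread's proposal.
# Assumption: "-rc" may carry a number (1.0-rc2); the thread only says "-rc".
PRE_RELEASE_SUFFIX = re.compile(r"-(dev|snapshot|rc\d*)$", re.IGNORECASE)
# Property name taken from the thread; hypothetical, maven does not define it.
OVERRIDE_PROPERTY = "yes_this_is_a_real_release"


def current_version(project_xml):
    """Read <currentVersion> from a maven 1 project.xml string (assumed layout)."""
    root = ET.fromstring(project_xml)
    node = root.find("currentVersion")
    if node is None or not (node.text or "").strip():
        raise ValueError("project.xml has no <currentVersion>")
    return node.text.strip()


def deploy_allowed(project_xml, properties):
    """Decide whether jar:deploy may proceed.

    properties: dict of -Dname=value pairs from the command line.
    Returns (allowed, reason) so a build script can print the reason on refusal.
    """
    version = current_version(project_xml)
    if PRE_RELEASE_SUFFIX.search(version):
        return True, "pre-release version %s, deploy permitted" % version
    if properties.get(OVERRIDE_PROPERTY, "").lower() == "true":
        return True, "release version %s explicitly confirmed" % version
    return False, "refusing to deploy release version %s without -D%s=true" % (
        version, OVERRIDE_PROPERTY)
```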


Re: [all][proposal] Add jar checksums to binary release distributions

Posted by Simon Kitching <sk...@apache.org>.
On Tue, 2005-07-26 at 08:18 -0700, Phil Steitz wrote:
> The [cli] jar issue and other recent discussions on repository@ make
> me think that it would be a good idea to start including md5 and/or
> sha-1 checksums for release jars in the release distribution tarballs.
> While it might be overkill to do so, we might even consider
> referencing the checksums in release [VOTE] threads.  It should not be
> hard to add this to the maven dist plugin for maven builds.  Thoughts?

I don't see how this helps. The full distribution tarballs have a
checksum and a signature, so anyone who downloads and checks a
distribution can be sure that all the jar files inside it are as
expected. What would adding separate checksums for the jar files do?

If someone does want to know whether the maven repo is correct, they can
download the full distribution, check it, unbundle it then do a binary
comparison between the jar in that distro and the one in maven - or
generate checksums and compare them at that time.

Am I right in thinking that "maven jar:deploy" will push a jar out to
the maven repo? If so, that is probably the cause of the problem; it
would be too easy for a maven novice to accidentally run that command.

The easiest fix for all this is to adopt a small procedural change:
ensure that the <currentVersion> tag *always* has a -dev or -snapshot or
-rc suffix except in a subversion tag dir which has passed the final 
release vote.

A nice maven change to help with this issue might be to report an error
for all deploy commands where currentVersion is not -dev, -snapshot or
-rc unless the user passes -Dyes_this_is_a_real_release or somesuch on
the commandline.

Regards,

Simon
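Both Phil's proposal (ship md5/sha-1 checksums for the release jars) and Simon's alternative above (unbundle the signed tarball and compare the jar against the copy in the maven repo) come down to the same operation: derive checksums from the jars inside the release tarball and compare a repo jar against them. The following is an added example of that operation, not code from the thread or from any Apache tooling; the jar, tarball contents and file names are constructed sample data.

```python
import hashlib
import io
import tarfile
import zipfile


def make_jar(entries):
    """Constructed sample jar: a zip built from {entry name: bytes} with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2005, 7, 26, 0, 0, 0)), data)
    return buf.getvalue()


def make_dist_tarball(files):
    """Constructed sample release tarball (.tar.gz) from {path inside tarball: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digests(data):
    """md5 and sha-1 of a byte string, hex-encoded as md5sum/sha1sum print them."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def jar_checksums(tarball_bytes):
    """Checksum manifest for every .jar inside the distribution tarball, keyed by jar name."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile() and member.name.endswith(".jar"):
                data = tf.extractfile(member).read()
                manifest[member.name.rsplit("/", 1)[-1]] = digests(data)
    return manifest


def manifest_lines(manifest, algo="sha1"):
    """Render the manifest in the two-space format that md5sum/sha1sum -c accept."""
    return ["%s  %s" % (sums[algo], name) for name, sums in sorted(manifest.items())]


def repo_jar_matches(manifest, jar_name, repo_jar_bytes):
    """True only if the jar pulled from the maven repo has the release's md5 and sha-1."""
    expected = manifest.get(jar_name)
    return expected is not None and digests(repo_jar_bytes) == expected
```

The manifest lines are what the proposal would put next to the jars in the tarball (and could be pasted into a VOTE thread); `repo_jar_matches` is the check a user runs against the jar fetched from the repository.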

