sorry, that should have been "staged maven repository should stick to MUST guidance"
On 2018/04/15 14:11:43, Sean Busbey <bus...@apache.org> wrote: > -1 on the RC vote > > I agree that in the staged maven repository we should stick to SHOULD > guidance until such time that the maven tooling has a supported option to use > correct checksums. (Have we verified that the relevant tooling at a minimum > has a request in to add it?) > > However, I can't verify that the source artifact or any other artifacts that > we'll eventually place in dist.a.o/release has correct checksums that meet > the current release distribution policy simply because we don't have the > relevant bits posted here in the RC. > > Why don't we go back to providing both a staged maven repo and an RC > directory in the ASF dev part of dist.a.o[4]? Plenty of other projects use > that area to stage RCs that have correct checksums. > > [4]: https://dist.apache.org/repos/dist/dev/accumulo/ > > On 2018/04/15 05:35:39, Christopher <ctubb...@apache.org> wrote: > > Mike, > > > > We use stronger checksums (SHA512) in the SVN[1] area and downloads page[2] > > after a vote passes. In fact, we're one of the only "perfect projects" in > > regards to compliance with this policy[3]. > > > > The Maven staging area doesn't follow all the "SHOULD" statements, but > > that's only because these checksums are automatically generated by > > maven-deploy-plugin, and not under our direct control. However, it still > > follows all the "MUST" statements, so it is still in compliance with the > > cited policy. Unless we're willing to circumvent standard Maven tooling and > > risk breaking things which depend on the conventions established by this > > tooling (which, to be clear, I think would be a really terribly bad idea), > > we simply cannot follow all the "SHOULD" statements for the Maven staging > > area. > > > > [1]: https://www.apache.org/dist/accumulo/ > > [2]: https://accumulo.apache.org/downloads/ > > [3]: https://checker.apache.org/dist/unsummed.html > > > > On Sat, Apr 14, 2018 at 11:13 PM Mike Drob <md...@mdrob.com> wrote: > > > > > -0 > > > > > > please do not publish md5 sums > > > please add missing sha256 sums > > > > > > apache release policy: > > > http://www.apache.org/dev/release-distribution#sigs-and-sums > > > > > > On Sat, Apr 14, 2018 at 11:37 AM, Mike Walch <mwa...@apache.org> wrote: > > > > > > > +1 > > > > > > > > * Verified sha1 & md5 hashes matched > > > > * Verified signatures > > > > * Ran binary tarball locally using Uno > > > > * Ran 'mvn verify' successfully for wikisearch using RC jars > > > > > > > > On Thu, Apr 12, 2018 at 6:21 PM, Christopher <ctubb...@apache.org> > > > wrote: > > > > > > > > > Accumulo Developers, > > > > > > > > > > Please consider the following candidate for Apache Accumulo 1.9.0. > > > > > > > > > > Git Commit: > > > > > bca516000bdb54b1e5582f908e0a525634a120f7 > > > > > Branch: > > > > > 1.9.0-rc1 > > > > > > > > > > If this vote passes, a gpg-signed tag will be created using: > > > > > git tag -f -m 'Apache Accumulo 1.9.0' -s rel/1.9.0 \ > > > > > bca516000bdb54b1e5582f908e0a525634a120f7 > > > > > > > > > > Staging repo: > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070 > > > > > Source (official release artifact): > > > > > https://repository.apache.org/content/repositories/orgapache > > > > > > > > > > > > accumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-src.tar.gz > > > > > Binary: > > > > > https://repository.apache.org/content/repositories/orgapache > > > > > > > > > > > > accumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-bin.tar.gz > > > > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for > > > > > a > > > > > given artifact.) > > > > > > > > > > All artifacts were built and staged with: > > > > > mvn release:prepare && mvn release:perform > > > > > > > > > > Signing keys are available at > > > https://www.apache.org/dist/accumulo/KEYS > > > > > (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D) > > > > > > > > > > Release notes (in progress) can be found at: > > > > > https://accumulo.apache.org/release/accumulo-1.9.0/ > > > > > > > > > > Please vote one of: > > > > > [ ] +1 - I have verified and accept... > > > > > [ ] +0 - I have reservations, but not strong enough to vote against... > > > > > [ ] -1 - Because..., I do not accept... > > > > > ... these artifacts as the 1.9.0 release of Apache Accumulo. > > > > > > > > > > This vote will remain open until at least Sun Apr 15 22:30:00 UTC 2018 > > > > > (Sun Apr 15 18:30:00 EDT 2018 / Sun Apr 15 15:30:00 PDT 2018). > > > > > Voting continues until the release manager sends an email closing the > > > > vote. > > > > > > > > > > Thanks! > > > > > > > > > > P.S. Hint: download the whole staging repo with > > > > > wget -erobots=off -r -l inf -np -nH \ > > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/ > > > > > # note the trailing slash is needed > > > > > > > > > > > > > > >