I am strongly against generating and publishing checksum information after
a vote because that ostensibly means it hasn't been verified and voted on.

On Sun, Apr 15, 2018 at 12:35 AM, Christopher <ctubb...@apache.org> wrote:

> Mike,
>
> We use stronger checksums (SHA512) in the SVN[1] area and downloads page[2]
> after a vote passes. In fact, we're one of the only "perfect projects" in
> regards to compliance with this policy[3].
>
> The Maven staging area doesn't follow all the "SHOULD" statements, but
> that's only because these checksums are automatically generated by
> maven-deploy-plugin, and not under our direct control. However, it still
> follows all the "MUST" statements, so it is still in compliance with the
> cited policy. Unless we're willing to circumvent standard Maven tooling and
> risk breaking things which depend on the conventions established by this
> tooling (which, to be clear, I think would be a really terribly bad idea),
> we simply cannot follow all the "SHOULD" statements for the Maven staging
> area.
>
> [1]: https://www.apache.org/dist/accumulo/
> [2]: https://accumulo.apache.org/downloads/
> [3]: https://checker.apache.org/dist/unsummed.html
>
> On Sat, Apr 14, 2018 at 11:13 PM Mike Drob <md...@mdrob.com> wrote:
>
> > -0
> >
> > please do not publish md5 sums
> > please add missing sha256 sums
> >
> > apache release policy:
> > http://www.apache.org/dev/release-distribution#sigs-and-sums
> >
> > On Sat, Apr 14, 2018 at 11:37 AM, Mike Walch <mwa...@apache.org> wrote:
> >
> > > +1
> > >
> > > * Verified sha1 & md5 hashes matched
> > > * Verified signatures
> > > * Ran binary tarball locally using Uno
> > > * Ran 'mvn verify' successfully for wikisearch using RC jars
> > >
> > > On Thu, Apr 12, 2018 at 6:21 PM, Christopher <ctubb...@apache.org>
> > wrote:
> > >
> > > > Accumulo Developers,
> > > >
> > > > Please consider the following candidate for Apache Accumulo 1.9.0.
> > > >
> > > > Git Commit:
> > > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > > > Branch:
> > > >     1.9.0-rc1
> > > >
> > > > If this vote passes, a gpg-signed tag will be created using:
> > > >     git tag -f -m 'Apache Accumulo 1.9.0' -s rel/1.9.0 \
> > > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > > >
> > > > Staging repo:
> > > >
> > >
> > https://repository.apache.org/content/repositories/
> orgapacheaccumulo-1070
> > > > Source (official release artifact):
> > > > https://repository.apache.org/content/repositories/orgapache
> > > >
> > >
> > accumulo-1070/org/apache/accumulo/accumulo/1.9.0/
> accumulo-1.9.0-src.tar.gz
> > > > Binary:
> > > > https://repository.apache.org/content/repositories/orgapache
> > > >
> > >
> > accumulo-1070/org/apache/accumulo/accumulo/1.9.0/
> accumulo-1.9.0-bin.tar.gz
> > > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash
> for a
> > > > given artifact.)
> > > >
> > > > All artifacts were built and staged with:
> > > >     mvn release:prepare && mvn release:perform
> > > >
> > > > Signing keys are available at
> > https://www.apache.org/dist/accumulo/KEYS
> > > > (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D)
> > > >
> > > > Release notes (in progress) can be found at:
> > > > https://accumulo.apache.org/release/accumulo-1.9.0/
> > > >
> > > > Please vote one of:
> > > > [ ] +1 - I have verified and accept...
> > > > [ ] +0 - I have reservations, but not strong enough to vote
> against...
> > > > [ ] -1 - Because..., I do not accept...
> > > > ... these artifacts as the 1.9.0 release of Apache Accumulo.
> > > >
> > > > This vote will remain open until at least Sun Apr 15 22:30:00 UTC
> 2018
> > > > (Sun Apr 15 18:30:00 EDT 2018 / Sun Apr 15 15:30:00 PDT 2018).
> > > > Voting continues until the release manager sends an email closing the
> > > vote.
> > > >
> > > > Thanks!
> > > >
> > > > P.S. Hint: download the whole staging repo with
> > > >     wget -erobots=off -r -l inf -np -nH \
> > > >
> > > >
> > >
> > https://repository.apache.org/content/repositories/
> orgapacheaccumulo-1070/
> > > >     # note the trailing slash is needed
> > > >
> > >
> >
>

Reply via email to