Script looks good, though I'd tweak it a little to cover the eased
checksum verification and supplying a SHA512 one (more below).
I agree that similar changes would be good for the ActiveMQ 5 releases
also, thats the main reason I didn't just detail things on the Artemis
2.3.0 vote thread.
Back to the script, I'd suggest tweaking it to add a check that the
signature verifies to ensure the downloaded files are ok, then rather
than download the .sha1 I'd have it generate a .sha512 file instead,
and would similarly update/regenerate the .md5 file to embed filename
info so it verifies easily with the CLI tooling. E.g:
gpg --verify $theFile.asc
md5sum $theFile > $theFile.md5
sha512sum $theFile > $theFile.sha512
Then testers and end users downloading the checksum files can just
verify them with the -c flags on the CLI tools, e.g you can check all
the checksums with just:
md5sum -c *.md5
sha512sum -c *.sha512
On 13 September 2017 at 23:36, Clebert Suconic
<[email protected]> wrote:
> Ok, fair enough... I can see this as a process improvement.
>
> I wasn't just understanding what you were proposing clearly enough.
>
> I just added this script here:
> https://github.com/apache/activemq-artemis/blob/master/scripts/download-release.sh
>
>
> I didn't update the RELEASE.md yet...
>
>
> I would add that during the release, you use the download-release from
> the staged mvn repo using that script into the dev area.
> The vote would have the staged download on dev, and we just make a
> simple copy from one place to the other.. and remove the previous
> thing.
>
>
> But I think this should be also done on ActiveMQ 5 releases.
>
>
>
> The thing that threw me of was when you mentioned extra work.. there's
> no extra work here :)
> It's actually saving me from screwing up eventually, so I take it as
> an improvement.
>
>
> On Wed, Sep 13, 2017 at 1:19 PM, Robbie Gemmell
> <[email protected]> wrote:
>> Yes, thats essentially what I mean and do, I have a txt file I keep
>> some comments in as notes, and can source as a script to download the
>> various tars and signatures from nexus (though it could equally pull
>> them from the maven local repo, verifying the Nexus ones is good I
>> think), verify the signature, and generate new MD5+SHA512 checksum
>> files that include the filename details (it could instead manipualte
>> the MD5 one rather than create new). I execute that in a directory
>> within a checkout of the dist dev, then commit the files after a
>> little validation and open the vote.
>>
>> The process of putting the files in the dist dev area is mostly the
>> same as what will be getting done now for the final release, it just
>> uses a different subtree of the same parent dist svn repo, so for
>> example you would use a subdir of
>> https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/
>> before the vote rather than of
>> https://dist.apache.org/repos/dist/release/activemq/activemq-artemis/
>> after the vote.
>>
>> To complete the example, had the files for the recent Artemis 2.3.0
>> vote been in the dist dev area already you would just do something
>> like this to complete the release once the vote had passed:
>> svn cp -m "add files for activemq-artemis-2.3.0"
>> https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/2.3.0-rc1
>> https://dist.apache.org/repos/dist/release/activemq/activemq-artemis/2.3.0
>>
>> Robbie
>>
>> On 13 September 2017 at 17:52, Clebert Suconic
>> <[email protected]> wrote:
>>> I actually see how to make the copy into dev... let me play with it a
>>> little bit....
>>>
>>> On Wed, Sep 13, 2017 at 12:44 PM, Clebert Suconic
>>> <[email protected]> wrote:
>>>> what about this:
>>>>
>>>> Currently mvn release and mvn upload will always send the release to nexus,
>>>>
>>>> So what about:
>>>>
>>>> - we provide an script to artemis to download the correct bits of the
>>>> release, the release manager would use that script to perform such
>>>> download.
>>>> - The release manager would place it on the dev repository Robbie is
>>>> mentioning... (that means.. we wouldn't really have an extra step).
>>>>
>>>>
>>>> On thing I'm not sure how to do is... how to upload it to the dev dist
>>>> at https://dist.apache.org/repos/dist/dev/activemq/
>>>>
>>>> and how we would make the final move? just a regular copy?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Sep 13, 2017 at 9:49 AM, Robbie Gemmell
>>>> <[email protected]> wrote:
>>>>> On 13 September 2017 at 14:35, Clebert Suconic
>>>>> <[email protected]> wrote:
>>>>>> On Wed, Sep 13, 2017 at 9:21 AM Robbie Gemmell <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> This was less about time, though there is some benefit in that regard,
>>>>>>> with how much depending on how particular people actually verify the
>>>>>>> checksums I guess.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Actually this is kind of moot. nexus does that check for you. You cannot
>>>>>> upload a release with a checksum broken. It won't let you close.
>>>>>>
>>>>>> Like. Last week I had to restart the release once because MVN upload
>>>>>> broke
>>>>>> the checksum somewhere.
>>>>>> --
>>>>>> Clebert Suconic
>>>>>
>>>>> Whether the files in Nexus are ok isn't sufficient. The archives and
>>>>> checksum files in the dist repo are the mirrorer official release
>>>>> artifacts (and strictly only the source ones at that), and Nexus cant
>>>>> check those. There could be a problem deploying those bits for a
>>>>> variety of reasons, so we check they are ok. Users downloading the
>>>>> release archives also tend to grab the checksums from the dist repo
>>>>> because that is their official source, in order to verify downloads
>>>>> that have come from the third party mirrors which dont store the
>>>>> checksums for obvious reasons.
>>>>>
>>>>> Robbie
>>>>
>>>>
>>>>
>>>> --
>>>> Clebert Suconic
>>>
>>>
>>>
>>> --
>>> Clebert Suconic
>
>
>
> --
> Clebert Suconic
