+1 on this from me and we should use this process for all of our projects...Artemis, ActiveMQ 5, NMS, etc.
On Thu, Sep 14, 2017 at 5:48 AM, Robbie Gemmell <[email protected]> wrote: > Script looks good, though I'd tweak it a little to cover the eased > checksum verification and supplying a SHA512 one (more below). > > I agree that similar changes would be good for the ActiveMQ 5 releases > also, thats the main reason I didn't just detail things on the Artemis > 2.3.0 vote thread. > > Back to the script, I'd suggest tweaking it to add a check that the > signature verifies to ensure the downloaded files are ok, then rather > than download the .sha1 I'd have it generate a .sha512 file instead, > and would similarly update/regenerate the .md5 file to embed filename > info so it verifies easily with the CLI tooling. E.g: > > gpg --verify $theFile.asc > md5sum $theFile > $theFile.md5 > sha512sum $theFile > $theFile.sha512 > > Then testers and end users downloading the checksum files can just > verify them with the -c flags on the CLI tools, e.g you can check all > the checksums with just: > md5sum -c *.md5 > sha512sum -c *.sha512 > > On 13 September 2017 at 23:36, Clebert Suconic > <[email protected]> wrote: > > Ok, fair enough... I can see this as a process improvement. > > > > I wasn't just understanding what you were proposing clearly enough. > > > > I just added this script here: > > https://github.com/apache/activemq-artemis/blob/master/ > scripts/download-release.sh > > > > > > I didn't update the RELEASE.md yet... > > > > > > I would add that during the release, you use the download-release from > > the staged mvn repo using that script into the dev area. > > The vote would have the staged download on dev, and we just make a > > simple copy from one place to the other.. and remove the previous > > thing. > > > > > > But I think this should be also done on ActiveMQ 5 releases. > > > > > > > > The thing that threw me of was when you mentioned extra work.. there's > > no extra work here :) > > It's actually saving me from screwing up eventually, so I take it as > > an improvement. > > > > > > On Wed, Sep 13, 2017 at 1:19 PM, Robbie Gemmell > > <[email protected]> wrote: > >> Yes, thats essentially what I mean and do, I have a txt file I keep > >> some comments in as notes, and can source as a script to download the > >> various tars and signatures from nexus (though it could equally pull > >> them from the maven local repo, verifying the Nexus ones is good I > >> think), verify the signature, and generate new MD5+SHA512 checksum > >> files that include the filename details (it could instead manipualte > >> the MD5 one rather than create new). I execute that in a directory > >> within a checkout of the dist dev, then commit the files after a > >> little validation and open the vote. > >> > >> The process of putting the files in the dist dev area is mostly the > >> same as what will be getting done now for the final release, it just > >> uses a different subtree of the same parent dist svn repo, so for > >> example you would use a subdir of > >> https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/ > >> before the vote rather than of > >> https://dist.apache.org/repos/dist/release/activemq/activemq-artemis/ > >> after the vote. > >> > >> To complete the example, had the files for the recent Artemis 2.3.0 > >> vote been in the dist dev area already you would just do something > >> like this to complete the release once the vote had passed: > >> svn cp -m "add files for activemq-artemis-2.3.0" > >> https://dist.apache.org/repos/dist/dev/activemq/activemq- > artemis/2.3.0-rc1 > >> https://dist.apache.org/repos/dist/release/activemq/ > activemq-artemis/2.3.0 > >> > >> Robbie > >> > >> On 13 September 2017 at 17:52, Clebert Suconic > >> <[email protected]> wrote: > >>> I actually see how to make the copy into dev... let me play with it a > >>> little bit.... > >>> > >>> On Wed, Sep 13, 2017 at 12:44 PM, Clebert Suconic > >>> <[email protected]> wrote: > >>>> what about this: > >>>> > >>>> Currently mvn release and mvn upload will always send the release to > nexus, > >>>> > >>>> So what about: > >>>> > >>>> - we provide an script to artemis to download the correct bits of the > >>>> release, the release manager would use that script to perform such > >>>> download. > >>>> - The release manager would place it on the dev repository Robbie is > >>>> mentioning... (that means.. we wouldn't really have an extra step). > >>>> > >>>> > >>>> On thing I'm not sure how to do is... how to upload it to the dev dist > >>>> at https://dist.apache.org/repos/dist/dev/activemq/ > >>>> > >>>> and how we would make the final move? just a regular copy? > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> On Wed, Sep 13, 2017 at 9:49 AM, Robbie Gemmell > >>>> <[email protected]> wrote: > >>>>> On 13 September 2017 at 14:35, Clebert Suconic > >>>>> <[email protected]> wrote: > >>>>>> On Wed, Sep 13, 2017 at 9:21 AM Robbie Gemmell < > [email protected]> > >>>>>> wrote: > >>>>>> > >>>>>>> This was less about time, though there is some benefit in that > regard, > >>>>>>> with how much depending on how particular people actually verify > the > >>>>>>> checksums I guess. > >>>>>> > >>>>>> > >>>>>> > >>>>>> Actually this is kind of moot. nexus does that check for you. You > cannot > >>>>>> upload a release with a checksum broken. It won't let you close. > >>>>>> > >>>>>> Like. Last week I had to restart the release once because MVN > upload broke > >>>>>> the checksum somewhere. > >>>>>> -- > >>>>>> Clebert Suconic > >>>>> > >>>>> Whether the files in Nexus are ok isn't sufficient. The archives and > >>>>> checksum files in the dist repo are the mirrorer official release > >>>>> artifacts (and strictly only the source ones at that), and Nexus cant > >>>>> check those. There could be a problem deploying those bits for a > >>>>> variety of reasons, so we check they are ok. Users downloading the > >>>>> release archives also tend to grab the checksums from the dist repo > >>>>> because that is their official source, in order to verify downloads > >>>>> that have come from the third party mirrors which dont store the > >>>>> checksums for obvious reasons. > >>>>> > >>>>> Robbie > >>>> > >>>> > >>>> > >>>> -- > >>>> Clebert Suconic > >>> > >>> > >>> > >>> -- > >>> Clebert Suconic > > > > > > > > -- > > Clebert Suconic >
