+1 On Thu, Sep 21, 2017 at 10:09 AM Robbie Gemmell <[email protected]> wrote:
> Tim created a variant of the helper script for use in doing ActiveMQ > 5.x releases, and did an initial update of the release guide details > based on that. > > When discussing some updates with him that I could do to finish off > the release guide changes, it occurred to me it would be a lot easier > to just put the script into the dist dev area, which he also liked. > I've made some tweaks to the script and added it in a new subdir for > staging the 5.x releases at: > https://dist.apache.org/repos/dist/dev/activemq/activemq/ > > I've updated release guide instructions accordingly, showing how to > stage the release bits in the dev area before the vote and add them to > the release area after it passes: > https://cwiki.apache.org/confluence/display/ACTIVEMQ/Release+Guide > > I thought I'd run this by everyone to see what you think, I believe > doing the same for Artemis under > https://dist.apache.org/repos/dist/dev/activemq/artemis/ would > similarly improve things further there too, and can do that next if > folks are happy. > > Robbie > > On 15 September 2017 at 16:55, Robbie Gemmell <[email protected]> > wrote: > > I tweaked the helper script to verify the downloaded tar/zip files > > using their downloaded signature, then update the downloaded .md5 file > > with filename info so it can verify easily with CLI tools, dropped > > downloading the .sha1 and generated a new .sha512, and then at the end > > verifies all the checksums as a sanity check (somewhat superfluous for > > the SHA512, but doesn't hurt). > > > > > https://github.com/apache/activemq-artemis/commit/b7b2960e1f1870246f0c113f56d22cfc0f7a4269 > > > > If folks are happy with this I can update the instructions at > > https://github.com/apache/activemq-artemis/blob/master/RELEASING.md to > > reflect the slight process changes needed. > > > > Robbie > > > > On 14 September 2017 at 15:32, Clebert Suconic > > <[email protected]> wrote: > >> I thought about checking the sum. Didn't have time. > >> > >> I would check the files created by nexus Instead of creating new ones > >> thought. > >> > >> > >> Feel free to tweak the script. I will be out for a week. I will just > >> finish the release and I will be away for a week. > >> > >> On Thu, Sep 14, 2017 at 5:48 AM Robbie Gemmell < > [email protected]> > >> wrote: > >> > >>> Script looks good, though I'd tweak it a little to cover the eased > >>> checksum verification and supplying a SHA512 one (more below). > >>> > >>> I agree that similar changes would be good for the ActiveMQ 5 releases > >>> also, thats the main reason I didn't just detail things on the Artemis > >>> 2.3.0 vote thread. > >>> > >>> Back to the script, I'd suggest tweaking it to add a check that the > >>> signature verifies to ensure the downloaded files are ok, then rather > >>> than download the .sha1 I'd have it generate a .sha512 file instead, > >>> and would similarly update/regenerate the .md5 file to embed filename > >>> info so it verifies easily with the CLI tooling. E.g: > >>> > >>> gpg --verify $theFile.asc > >>> md5sum $theFile > $theFile.md5 > >>> sha512sum $theFile > $theFile.sha512 > >>> > >>> Then testers and end users downloading the checksum files can just > >>> verify them with the -c flags on the CLI tools, e.g you can check all > >>> the checksums with just: > >>> md5sum -c *.md5 > >>> sha512sum -c *.sha512 > >>> > >>> On 13 September 2017 at 23:36, Clebert Suconic > >>> <[email protected]> wrote: > >>> > Ok, fair enough... I can see this as a process improvement. > >>> > > >>> > I wasn't just understanding what you were proposing clearly enough. > >>> > > >>> > I just added this script here: > >>> > > >>> > https://github.com/apache/activemq-artemis/blob/master/scripts/download-release.sh > >>> > > >>> > > >>> > I didn't update the RELEASE.md yet... > >>> > > >>> > > >>> > I would add that during the release, you use the download-release > from > >>> > the staged mvn repo using that script into the dev area. > >>> > The vote would have the staged download on dev, and we just make a > >>> > simple copy from one place to the other.. and remove the previous > >>> > thing. > >>> > > >>> > > >>> > But I think this should be also done on ActiveMQ 5 releases. > >>> > > >>> > > >>> > > >>> > The thing that threw me of was when you mentioned extra work.. > there's > >>> > no extra work here :) > >>> > It's actually saving me from screwing up eventually, so I take it as > >>> > an improvement. > >>> > > >>> > > >>> > On Wed, Sep 13, 2017 at 1:19 PM, Robbie Gemmell > >>> > <[email protected]> wrote: > >>> >> Yes, thats essentially what I mean and do, I have a txt file I keep > >>> >> some comments in as notes, and can source as a script to download > the > >>> >> various tars and signatures from nexus (though it could equally pull > >>> >> them from the maven local repo, verifying the Nexus ones is good I > >>> >> think), verify the signature, and generate new MD5+SHA512 checksum > >>> >> files that include the filename details (it could instead manipualte > >>> >> the MD5 one rather than create new). I execute that in a directory > >>> >> within a checkout of the dist dev, then commit the files after a > >>> >> little validation and open the vote. > >>> >> > >>> >> The process of putting the files in the dist dev area is mostly the > >>> >> same as what will be getting done now for the final release, it just > >>> >> uses a different subtree of the same parent dist svn repo, so for > >>> >> example you would use a subdir of > >>> >> https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/ > >>> >> before the vote rather than of > >>> >> > https://dist.apache.org/repos/dist/release/activemq/activemq-artemis/ > >>> >> after the vote. > >>> >> > >>> >> To complete the example, had the files for the recent Artemis 2.3.0 > >>> >> vote been in the dist dev area already you would just do something > >>> >> like this to complete the release once the vote had passed: > >>> >> svn cp -m "add files for activemq-artemis-2.3.0" > >>> >> > >>> > https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/2.3.0-rc1 > >>> >> > >>> > https://dist.apache.org/repos/dist/release/activemq/activemq-artemis/2.3.0 > >>> >> > >>> >> Robbie > >>> >> > >>> >> On 13 September 2017 at 17:52, Clebert Suconic > >>> >> <[email protected]> wrote: > >>> >>> I actually see how to make the copy into dev... let me play with > it a > >>> >>> little bit.... > >>> >>> > >>> >>> On Wed, Sep 13, 2017 at 12:44 PM, Clebert Suconic > >>> >>> <[email protected]> wrote: > >>> >>>> what about this: > >>> >>>> > >>> >>>> Currently mvn release and mvn upload will always send the release > to > >>> nexus, > >>> >>>> > >>> >>>> So what about: > >>> >>>> > >>> >>>> - we provide an script to artemis to download the correct bits of > the > >>> >>>> release, the release manager would use that script to perform such > >>> >>>> download. > >>> >>>> - The release manager would place it on the dev repository Robbie > is > >>> >>>> mentioning... (that means.. we wouldn't really have an extra > step). > >>> >>>> > >>> >>>> > >>> >>>> On thing I'm not sure how to do is... how to upload it to the dev > dist > >>> >>>> at https://dist.apache.org/repos/dist/dev/activemq/ > >>> >>>> > >>> >>>> and how we would make the final move? just a regular copy? > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> On Wed, Sep 13, 2017 at 9:49 AM, Robbie Gemmell > >>> >>>> <[email protected]> wrote: > >>> >>>>> On 13 September 2017 at 14:35, Clebert Suconic > >>> >>>>> <[email protected]> wrote: > >>> >>>>>> On Wed, Sep 13, 2017 at 9:21 AM Robbie Gemmell < > >>> [email protected]> > >>> >>>>>> wrote: > >>> >>>>>> > >>> >>>>>>> This was less about time, though there is some benefit in that > >>> regard, > >>> >>>>>>> with how much depending on how particular people actually > verify > >>> the > >>> >>>>>>> checksums I guess. > >>> >>>>>> > >>> >>>>>> > >>> >>>>>> > >>> >>>>>> Actually this is kind of moot. nexus does that check for you. > You > >>> cannot > >>> >>>>>> upload a release with a checksum broken. It won't let you close. > >>> >>>>>> > >>> >>>>>> Like. Last week I had to restart the release once because MVN > >>> upload broke > >>> >>>>>> the checksum somewhere. > >>> >>>>>> -- > >>> >>>>>> Clebert Suconic > >>> >>>>> > >>> >>>>> Whether the files in Nexus are ok isn't sufficient. The archives > and > >>> >>>>> checksum files in the dist repo are the mirrorer official release > >>> >>>>> artifacts (and strictly only the source ones at that), and Nexus > cant > >>> >>>>> check those. There could be a problem deploying those bits for a > >>> >>>>> variety of reasons, so we check they are ok. Users downloading > the > >>> >>>>> release archives also tend to grab the checksums from the dist > repo > >>> >>>>> because that is their official source, in order to verify > downloads > >>> >>>>> that have come from the third party mirrors which dont store the > >>> >>>>> checksums for obvious reasons. > >>> >>>>> > >>> >>>>> Robbie > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> -- > >>> >>>> Clebert Suconic > >>> >>> > >>> >>> > >>> >>> > >>> >>> -- > >>> >>> Clebert Suconic > >>> > > >>> > > >>> > > >>> > -- > >>> > Clebert Suconic > >>> > >> -- > >> Clebert Suconic > -- Clebert Suconic
