Thanks Ismael. I'll cancel this vote for now with the intent that it is re-opened in the future once Ismael's points are addressed.
I have opened a PR[1] which allows us to build the updated vendored artifacts without migrating our usage to them. I have started a doc[2] to gather people's notes on producing a release guide for vendored dependencies. 1: https://github.com/apache/beam/pull/8942 2: https://docs.google.com/document/d/1ztEoyGkqq9ie5riQxRtMuBu3vb6BUO91mSMn1PU0pDA/edit?usp=sharing On Mon, Jun 24, 2019 at 1:04 PM Ismaël Mejía <ieme...@gmail.com> wrote: > The upgrade is worth for security reasons and to catch the gRPC > improvements so really nice that this is happening. > > However I am not clear if we are mixing two things here. (1) The > release of the vendored versions and (2) the upgrade of it into Beam. > I think those should be separate (obviously knowing that the latter is > more complex). My point is the vote should be ONLY about releasing the > vendored dependencies and we should not mix it with what otherwise > would be a JIRA issue for the dependency upgrade. (This was the case > in the previous release of the vendored deps) > > An Apache release is usually validated from a .tar.gz with the source > code checkout of the associated commit that should produce the > artifacts, and I don't see any source code staged for validation in > the links. > > All these points come from the fact that we have not documented the > process of verification and in general of release of the vendored > dependencies, so probably it is worth to do this and add it to the > release guide [1] (or as an independent document) so we can do the > validation eagerly. > > [1] https://beam.apache.org/contribute/release-guide/ > > On Mon, Jun 24, 2019 at 6:02 PM Lukasz Cwik <lc...@google.com> wrote: > > > > Pinging for PMC to validate & vote. > > > > On Thu, Jun 20, 2019 at 3:52 PM Ahmet Altay <al...@google.com> wrote: > >> > >> +1 verified signatures and hashes. > >> > >> Thank you Luke. > >> > >> On Thu, Jun 20, 2019 at 12:27 PM Lukasz Cwik <lc...@google.com> wrote: > >>> > >>> We should verify the signatures of the artifacts. > >>> > >>> Otherwise, there is little risk in releasing these artifacts because > no one consumes them yet. PR/8899[1] updates Apache Beam to start using > them and will go through the regular precommit/postcommit tests. > >>> > >>> If you want to perform additional validation you can: > >>> * clone the PR and run any tests that you may want after fetching the > artifacts and placing them in your local maven repo > >>> * download the artifacts and manually validate the classes only appear > in the org.apache.beam.vendor namespace with the appropriate package > prefix. Note that there is a unit test that does this as part of the > publishing process[2]. > >>> > >>> This thread[3] is an example of previous release of vendored artifacts. > >>> > >>> 1: https://github.com/apache/beam/pull/8899 > >>> 2: > https://github.com/apache/beam/blob/c775eda2df6457a784a1945d16cf781abb453d5f/buildSrc/src/main/groovy/org/apache/beam/gradle/VendorJavaPlugin.groovy#L127 > >>> 3: > https://lists.apache.org/thread.html/9efb2aeab102e41367bf6b1f274d3ee5990024afd934392a339c4d00@%3Cdev.beam.apache.org%3E > >>> > >>> On Thu, Jun 20, 2019 at 11:20 AM Ahmet Altay <al...@google.com> wrote: > >>>> > >>>> What is the best way to validate this? > >>>> > >>>> On Thu, Jun 20, 2019 at 9:51 AM Lukasz Cwik <lc...@google.com> wrote: > >>>>> > >>>>> Hi everyone, > >>>>> > >>>>> Please review the release of the following artifacts that we vendor: > >>>>> beam-vendor-guava-26_0-jre > >>>>> beam-vendor-grpc-1_21_0 > >>>>> > >>>>> Please vote as follows: > >>>>> [ ] +1, Approve the release > >>>>> [ ] -1, Do not approve the release (please provide specific comments) > >>>>> > >>>>> The complete staging area is available for your review, which > includes: > >>>>> * all artifacts to be deployed to the Maven Central Repository [1], > >>>>> * commit hash "996b4c3733545aaa3b93fd35296a391126026a1c" [2], > >>>>> * which is signed with the key with fingerprint > EAD5DE293F4A03DD2E77565589E68A56E371CCA2 [3], > >>>>> > >>>>> The vote will be open for at least 72 hours. It is adopted by > majority approval, with at least 3 PMC affirmative votes. > >>>>> > >>>>> Note I have no intention to get this into the current 2.14 release > that is being worked on and will have the version update go out with the > next release. > >>>>> > >>>>> Thanks, > >>>>> Luke > >>>>> > >>>>> [1] > https://repository.apache.org/content/repositories/orgapachebeam-1074/ > >>>>> [2] https://github.com/apache/beam/pull/8899 > >>>>> [3] https://dist.apache.org/repos/dist/release/beam/KEYS > >>>>> >