I am not mentioning SHA-3 but you get my point.

Gary

On Sat, Dec 3, 2016 at 12:02 PM, Gary Gregory <garydgreg...@gmail.com>
wrote:

> Well, getting SHA-1 hashes is not awesome either, we really need a plugin
> updated to use SHA-2/SHA-256
>
> Gary
>
> On Sat, Dec 3, 2016 at 11:57 AM, Matt Sicker <boa...@gmail.com> wrote:
>
>> The source jar does just include the .java/.scala/etc. files along with
>> anything in src/main/resources/ (and anything else configured, though this
>> is the default). I think that a source jar is required for distribution on
>> maven central. Besides making releases on the /dist/ svn repo, there's
>> repository.apache.org which can also technically be used to download maven
>> artifacts besides MC (plus I think bintray/jcenter mirrors everything on MC).
>>
>> So basically, at the bare minimum, you need the source tarball/zip on dist
>> which can be used by users to build usable artifacts from source using the
>> relevant build tools and publicly available dependencies (which of course
>> are licensed appropriately). All artifacts are signed along with at least
>> an md5 hash, but I typically also see shaN hashes along with since md5 is
>> so old and broken (maybe this policy should be updated?). And then the flow
>> from repository.apache.org to MC and elsewhere only contains the compiled
>> jars, source jars, poms, and sometimes accompanying xml artifacts or zips.
>>
>> On 3 December 2016 at 12:14, Gary Gregory <garydgreg...@gmail.com> wrote:
>>
>> > On Dec 3, 2016 9:34 AM, "Charles Honton" <c...@honton.org> wrote:
>> > >
>> > > To follow up the thread on releasing parent 42 and exactly what needs
>> > > to be signed, etc.  I’ve researched ASF release policy.  Here’s the gist:
>> > >
>> > > 1. Every ASF release must contain a source package, which must be
>> > > sufficient for a user to build and test the release provided they have
>> > > access to the appropriate platform and tools.
>> > > <http://www.apache.org/dev/release#what-must-every-release-contain>
>> > >
>> > > 2. A release isn't 'released' until the contents are in the project's
>> > > distribution directory, which is a subdirectory of www.apache.org/dist/
>> > > <http://www.apache.org/dev/release#where-do-releases-go>.
>> > >
>> > > 3. Every artifact distributed to the public through Apache channels MUST
>> > > be accompanied by one file containing an OpenPGP compatible ASCII armored
>> > > detached signature and another file containing an MD5 checksum.
>> > > <https://www.apache.org/dev/release-distribution.html#sigs-and-sums>
>> > >
>> > > What do we consider the source package for our releases?
>> > > Are the xxx-sources.jar, xxx-test-sources.jar, and pom sufficient to
>> > > build and test the release?
>> >
>> > Nope. A sources jar is a convenience for IDEs, it usually does not contain
>> > build scripts and such. I am AFK so I am hoping someone can provide an
>> > example.
>> >
>> > > Is the zip/gz just a convenience and is it still useful/required?
>> >
>> > That should contain almost everything that is in the repo except for things
>> > like old files like proposal.html.
>> >
>> > > Or is it the reverse, the zip/gz is the release and the jars are the
>> > > convenience distributions?
>> >
>> > Yep. The release is the zip/gz sources. All binaries are conveniences.
>> > Granted that without a Maven Central jar release, a component is not easy
>> > to reuse.
>> >
>> > Gary
>> >
>> > >
>> > > regards,
>> > > chas
>> >
>>
>>
>>
>> --
>> Matt Sicker <boa...@gmail.com>
>>
>
>
>
> --
> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
> Java Persistence with Hibernate, Second Edition
> <https://www.amazon.com/gp/product/1617290459/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1617290459&linkCode=as2&tag=garygregory-20&linkId=cadb800f39946ec62ea2b1af9fe6a2b8>
>
> <http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1617290459>
> JUnit in Action, Second Edition
> <https://www.amazon.com/gp/product/1935182021/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182021&linkCode=as2&tag=garygregory-20&linkId=31ecd1f6b6d1eaf8886ac902a24de418%22>
>
> <http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1935182021>
> Spring Batch in Action
> <https://www.amazon.com/gp/product/1935182951/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182951&linkCode=%7B%7BlinkCode%7D%7D&tag=garygregory-20&linkId=%7B%7Blink_id%7D%7D%22%3ESpring+Batch+in+Action>
> <http:////ir-na.amazon-adsystem.com/e/ir?t=garygregory-20&l=am2&o=1&a=1935182951>
> Blog: http://garygregory.wordpress.com
> Home: http://garygregory.com/
> Tweet! http://twitter.com/GaryGregory
>


