Or send a script that properly downloads all the artifacts from nexus and svn, and computes all the md5 checksums, sha512s, and gpg signatures all the while scanning across the directory structure. I spent over 80 hours on my script so that I have time to validate releases.
-Tompkins > On Apr 30, 2026, at 1:09 PM, Rob Tompkins <[email protected]> wrote: > > There are too many modules. Either make the modules worthy of top level > projects or condence them I can not reasonably verify all the signatures of > all of the artifacts. > > -Tompkins > >> On Apr 27, 2026, at 6:58 AM, Alex Herbert <[email protected]> wrote: >> >> We have fixed quite a few bugs and added some significant enhancements >> since Apache Commons Statistics 1.2 was released, >> so I would like to release Apache Commons Statistics 1.3. >> >> Apache Commons Statistics 1.3 RC1 is available for review here: >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1 (svn >> revision 84131) >> >> The Git tag commons-statistics-1.3-RC1 commit for this RC is >> commons-statistics-1.3-RC1, which you can browse here: >> >> https://gitbox.apache.org/repos/asf?p=commons-statistics.git;a=commit;h=commons-statistics-1.3-RC1 >> >> You may checkout this tag using: >> git clone https://gitbox.apache.org/repos/asf/commons-statistics.git >> --branch commons-statistics-1.3-RC1 commons-statistics-1.3-RC1 >> >> Maven artifacts are here: >> >> https://repository.apache.org/content/repositories/orgapachecommons-1933/org/apache/commons/ >> >> These are the artifacts and their hashes: >> >> #Release SHA-512s >> #Mon Apr 27 11:43:04 BST 2026 >> commons-statistics-1.3-bin.tar.gz=e49b6d8f20a23995e38f92b2635398adf08683f27b7045590dd3eb717eac6f4a9f02969b2ca52998afc178ad5547ae5fbb5784d4874fd8ffe2a99a86000767ff >> commons-statistics-1.3-bin.zip=53e30beae556be7d7d73a9b244519695eaa7e041119953d6c9b34bafc7cd7edbf31ca79c1936539bddf71de3a510bb363249580d7f9477a2fc0d27e48c4e9ed5 >> commons-statistics-1.3-src.tar.gz=441f94f072eb43e070843ea254ad7b907a1b8c3ea5213e0210801a989c7376e5fb9d840cbe6260bc13d3b16d2dc80b4d14e3edd1088e16b6fe906c2b216c792a >> commons-statistics-1.3-src.zip=b7259bbc4f576050b05a1e9e327a5a862a9eeb1c51ae9f6a92116f95828a2da642807517af1ad893e25203284ac2f205ecfe42c66f2c64aaff72cebc4ad36ccb >> >> I have tested this with 'mvn clean install' and 'mvn clean install site >> site:stage -Pexamples' using: >> >> Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9) >> Maven home: /Users/ah403/mvn/mvn >> Java version: 11.0.29, vendor: Eclipse Adoptium, runtime: >> /Library/Java/JavaVirtualMachines/temurin-11.jdk/Contents/Home >> Default locale: en_GB, platform encoding: UTF-8 >> OS name: "mac os x", version: "26.3.1", arch: "aarch64", family: "mac" >> >> Details of changes since 1.2 are in the release notes: >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/RELEASE-NOTES.txt >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/changes.html >> >> Site: >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/index.html >> (note some *relative* links are broken and the 1.3 directories are not >> yet created - these will be OK once the site is deployed.) >> >> JApiCmp Report: >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-descriptive/japicmp.html >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-distribution/japicmp.html >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-inference/japicmp.html >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-interval/japicmp.html >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-ranking/japicmp.html >> >> RAT Report: >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/rat-report.html >> >> KEYS: >> https://downloads.apache.org/commons/KEYS >> >> Please review the release candidate and vote. >> This vote will close no sooner than 72 hours from now. >> >> [ ] +1 Release these artifacts >> [ ] +0 OK, but... >> [ ] -0 OK, but really should fix... >> [ ] -1 I oppose this release because... >> >> Thank you, >> >> Alex Herbert, >> Release Manager (using key BC87A3FD0A54480F0BADBEBD21939FF0CA2A6567) >> >> The following is intended as a helper and refresher for reviewers. >> >> Validating a release candidate >> ============================== >> >> These guidelines are NOT complete. >> >> Requirements: Git, Java, and Maven. >> >> You can validate a release from a release candidate (RC) tag as follows. >> >> 1a) Download and decompress the source archive from: >> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/source >> >> 1b) Check out the RC tag from git (optional) >> >> This is optional, as a reviewer must at least check source distributions. >> >> git clone https://gitbox.apache.org/repos/asf/commons-statistics.git >> --branch commons-statistics-1.3-RC1 commons-statistics-1.3-RC1 >> cd commons-statistics-1.3-RC1 >> >> 2) Check Apache licenses >> >> This step is not required if the site includes a RAT report page, which you >> then must check. >> This check should be included in the default Maven build, but you can check >> it with: >> >> mvn apache-rat:check >> >> 3) Check binary compatibility >> >> This step is not required if the site includes a JApiCmp report page, which >> you then must check. >> This check should be included in the default Maven build, but you can check >> it with: >> >> mvn verify -DskipTests -P japicmp japicmp:cmp >> >> 4) Build the package >> >> This check should be included in the default Maven build, but you can check >> it with: >> >> mvn -V clean package >> >> You can record the Maven and Java version produced by -V in your VOTE reply. >> To gather OS information from a command line: >> Windows: ver >> Linux: uname -a >> >> 4b) Check reproducibility >> >> To check that a build is reproducible, run: >> >> mvn clean verify artifact:compare -DskipTests -Dreference.repo= >> https://repository.apache.org/content/repositories/staging/ >> '-Dbuildinfo.ignore=*/*.spdx.json' >> >> Note that this excludes SPDX files from the check. >> >> 5) Build the site for a multi-module project >> >> mvn site >> mvn site:stage >> Check the site reports in: >> - Windows: target\site\index.html >> - Linux: target/site/index.html >> >> Note that the project reports are created for each module. >> Modules can be accessed using the 'Project Modules' link under >> the 'Project Information' menu (see <path-to-site>/modules.html). >> >> -the end- > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
