On Fri, 1 May 2026 at 09:22, Alex Herbert <[email protected]> wrote:
> On Thu, 30 Apr 2026 at 18:12, Rob Tompkins <[email protected]> wrote:
>
>> Or send a script that properly downloads all the artifacts from nexus and
>> svn, and computes all the md5 checksums, sha512s, and gpg signatures all
>> the while scanning across the directory structure. I spent over 80 hours on
>> my script so that I have time to validate releases.
>>
>
> I agree that manually validating can be time-consuming. However, we already
> have software tools available to help.
>
> Regarding the GPG signatures, the vote only concerns the 4 release
> artifacts. This is no different than any other commons release regarding
> verifying signatures. I believe your release helper script will validate
> the source and binary distributions as it does for all other commons
> releases.
>
> If you wish to verify the additional Maven artifacts (that are not an
> official part of the release) then the "Validating a release" section now
> contains this (which does not work without some caveats, see below):
>
> ---
> 4b) Check reproducibility
>
> To check that a build is reproducible, run:
>
> mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
>
> Note that this excludes SPDX files from the check.
> ---
>
> Caveats:
>
> 1. The timezone must match.
> 2. The JDK must match the one used for the release build.
> 3. For me, I had to exclude other SPDX files.
>
> This works on a different machine to the one I used for a release:
>
> # Use JDK 11
> export TZ="Europe/London"
> mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json,*/*.spdx.rdf.xml'
>
> Regards,
>
> Alex
> PS. Once I fixed the timezone, I did not have to exclude the spdx.rdf.xml files.
>
>
>> -Tompkins
>>
>>> On Apr 30, 2026, at 1:09 PM, Rob Tompkins <[email protected]> wrote:
>>>
>>> There are too many modules. Either make the modules worthy of top-level
>>> projects or condense them. I cannot reasonably verify all the signatures of
>>> all of the artifacts.
>>>
>>> -Tompkins
>>>
>>>> On Apr 27, 2026, at 6:58 AM, Alex Herbert <[email protected]> wrote:
>>>>
>>>> We have fixed quite a few bugs and added some significant enhancements
>>>> since Apache Commons Statistics 1.2 was released,
>>>> so I would like to release Apache Commons Statistics 1.3.
>>>>
>>>> Apache Commons Statistics 1.3 RC1 is available for review here:
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1 (svn revision 84131)
>>>>
>>>> The Git tag commons-statistics-1.3-RC1 commit for this RC is
>>>> commons-statistics-1.3-RC1, which you can browse here:
>>>> https://gitbox.apache.org/repos/asf?p=commons-statistics.git;a=commit;h=commons-statistics-1.3-RC1
>>>>
>>>> You may check out this tag using:
>>>> git clone https://gitbox.apache.org/repos/asf/commons-statistics.git --branch commons-statistics-1.3-RC1 commons-statistics-1.3-RC1
>>>>
>>>> Maven artifacts are here:
>>>> https://repository.apache.org/content/repositories/orgapachecommons-1933/org/apache/commons/
>>>>
>>>> These are the artifacts and their hashes:
>>>>
>>>> #Release SHA-512s
>>>> #Mon Apr 27 11:43:04 BST 2026
>>>> commons-statistics-1.3-bin.tar.gz=e49b6d8f20a23995e38f92b2635398adf08683f27b7045590dd3eb717eac6f4a9f02969b2ca52998afc178ad5547ae5fbb5784d4874fd8ffe2a99a86000767ff
>>>> commons-statistics-1.3-bin.zip=53e30beae556be7d7d73a9b244519695eaa7e041119953d6c9b34bafc7cd7edbf31ca79c1936539bddf71de3a510bb363249580d7f9477a2fc0d27e48c4e9ed5
>>>> commons-statistics-1.3-src.tar.gz=441f94f072eb43e070843ea254ad7b907a1b8c3ea5213e0210801a989c7376e5fb9d840cbe6260bc13d3b16d2dc80b4d14e3edd1088e16b6fe906c2b216c792a
>>>> commons-statistics-1.3-src.zip=b7259bbc4f576050b05a1e9e327a5a862a9eeb1c51ae9f6a92116f95828a2da642807517af1ad893e25203284ac2f205ecfe42c66f2c64aaff72cebc4ad36ccb
>>>>
>>>> I have tested this with 'mvn clean install' and 'mvn clean install site site:stage -Pexamples' using:
>>>>
>>>> Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
>>>> Maven home: /Users/ah403/mvn/mvn
>>>> Java version: 11.0.29, vendor: Eclipse Adoptium, runtime: /Library/Java/JavaVirtualMachines/temurin-11.jdk/Contents/Home
>>>> Default locale: en_GB, platform encoding: UTF-8
>>>> OS name: "mac os x", version: "26.3.1", arch: "aarch64", family: "mac"
>>>>
>>>> Details of changes since 1.2 are in the release notes:
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/RELEASE-NOTES.txt
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/changes.html
>>>>
>>>> Site:
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/index.html
>>>> (note some *relative* links are broken and the 1.3 directories are not
>>>> yet created - these will be OK once the site is deployed.)
>>>>
>>>> JApiCmp Report:
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-descriptive/japicmp.html
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-distribution/japicmp.html
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-inference/japicmp.html
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-interval/japicmp.html
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-ranking/japicmp.html
>>>>
>>>> RAT Report:
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/rat-report.html
>>>>
>>>> KEYS:
>>>> https://downloads.apache.org/commons/KEYS
>>>>
>>>> Please review the release candidate and vote.
>>>> This vote will close no sooner than 72 hours from now.
>>>>
>>>> [ ] +1 Release these artifacts
>>>> [ ] +0 OK, but...
>>>> [ ] -0 OK, but really should fix...
>>>> [ ] -1 I oppose this release because...
>>>>
>>>> Thank you,
>>>>
>>>> Alex Herbert,
>>>> Release Manager (using key BC87A3FD0A54480F0BADBEBD21939FF0CA2A6567)
>>>>
>>>> The following is intended as a helper and refresher for reviewers.
>>>>
>>>> Validating a release candidate
>>>> ==============================
>>>>
>>>> These guidelines are NOT complete.
>>>>
>>>> Requirements: Git, Java, and Maven.
>>>>
>>>> You can validate a release from a release candidate (RC) tag as follows.
>>>>
>>>> 1a) Download and decompress the source archive from:
>>>> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/source
>>>>
>>>> 1b) Check out the RC tag from git (optional)
>>>>
>>>> This is optional, as a reviewer must at least check source distributions.
>>>>
>>>> git clone https://gitbox.apache.org/repos/asf/commons-statistics.git --branch commons-statistics-1.3-RC1 commons-statistics-1.3-RC1
>>>> cd commons-statistics-1.3-RC1
>>>>
>>>> 2) Check Apache licenses
>>>>
>>>> This step is not required if the site includes a RAT report page, which you then must check.
>>>> This check should be included in the default Maven build, but you can check it with:
>>>>
>>>> mvn apache-rat:check
>>>>
>>>> 3) Check binary compatibility
>>>>
>>>> This step is not required if the site includes a JApiCmp report page, which you then must check.
>>>> This check should be included in the default Maven build, but you can check it with:
>>>>
>>>> mvn verify -DskipTests -P japicmp japicmp:cmp
>>>>
>>>> 4) Build the package
>>>>
>>>> This check should be included in the default Maven build, but you can check it with:
>>>>
>>>> mvn -V clean package
>>>>
>>>> You can record the Maven and Java version produced by -V in your VOTE reply.
>>>> To gather OS information from a command line:
>>>> Windows: ver
>>>> Linux: uname -a
>>>>
>>>> 4b) Check reproducibility
>>>>
>>>> To check that a build is reproducible, run:
>>>>
>>>> mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
>>>>
>>>> Note that this excludes SPDX files from the check.
>>>>
>>>> 5) Build the site for a multi-module project
>>>>
>>>> mvn site
>>>> mvn site:stage
>>>> Check the site reports in:
>>>> - Windows: target\site\index.html
>>>> - Linux: target/site/index.html
>>>>
>>>> Note that the project reports are created for each module.
>>>> Modules can be accessed using the 'Project Modules' link under
>>>> the 'Project Information' menu (see <path-to-site>/modules.html).
>>>>
>>>> -the end-
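Added example, not from the thread or from the Commons project: a POSIX shell helper for the two checks Rob and Alex discuss above, comparing the distribution artifacts against the `#Release SHA-512s` list pasted in the vote mail and verifying the detached `.asc` signatures against the project KEYS file. It assumes the hash list is saved as a `name=hex` file with `#` comment lines and that the artifacts and their `.asc` files sit in one directory; the function names are mine.

```shell
#!/bin/sh
# Added helper (not part of the thread): verify release artifacts against the
# "#Release SHA-512s" list from a [VOTE] mail and check detached .asc signatures
# against the project KEYS file. Assumed layout: LISTFILE holds name=hex lines
# ('#' comments allowed); artifacts and .asc files are together in DIR.

# digest512 FILE -> lowercase hex SHA-512 (coreutils sha512sum, else shasum on macOS)
digest512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_sha512_list LISTFILE DIR -> 0 only if every listed artifact exists in
# DIR and its digest matches; prints one OK/MISMATCH/MISSING line per entry.
verify_sha512_list() {
    list="$1"; dir="$2"; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip comments and blank lines
        name=${line%%=*}
        expected=$(printf '%s' "${line#*=}" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        if [ "$(digest512 "$dir/$name")" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done < "$list"
    return $rc
}

# verify_signatures DIR KEYS -> import KEYS into a throwaway GNUPGHOME (so only
# the project's keys can vouch for the release); 0 only if every .asc verifies.
verify_signatures() {
    dir="$1"; keys="$2"; rc=0
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --quiet --import "$keys" 2>/dev/null || return 1
    for asc in "$dir"/*.asc; do
        [ -e "$asc" ] || { echo "no .asc files in $dir"; return 1; }
        if gpg --verify "$asc" "${asc%.asc}" 2>/dev/null; then
            echo "SIGNED   ${asc##*/}"
        else
            echo "BADSIG   ${asc##*/}"; rc=1
        fi
    done
    return $rc
}
```

Source the file and run `verify_sha512_list hashes.txt dist/` followed by `verify_signatures dist/ KEYS`; a non-zero exit from either is a reason to vote -1 rather than something to work around.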
