Devs - Please see this request from Adam and do the verification step he mentions. https://dist.apache.org/repos/dist/dev/fineract/1.11.0 Which now includes the binary files he built and signed.
There's a lot involved in doing a release of an ASF project. To learn more, see also: https://infra.apache.org/release-distribution.html https://infra.apache.org/release-publishing.html I will also note that we're going to revise some of the release documents as we go along. All release practices will comply with the ASF expectations and requirements. As a note, formally, the ASF does not *require* built artifacts as part of the release, those are provided as a convenience. But, we treat the process at Fineract as important because if someone cannot verify that the build works and matches what we have in the release code, then we have something broken.... and we should not release that. Thanks Adam for assisting the "Release manager". Hopefully these notes and the documentation will help the next Release Manager. James On Fri, Feb 28, 2025 at 12:22 PM Adam Monsen <amon...@mifos.org> wrote: > We've got a 1.11.0 release candidate ready and we'd like help making sure > it's good to go. > > The maintenance/1.11 branch was created off commit 843b279 and tagged > 1.11.0. James ran ./gradlew srcDistTar to create the source tarball from > that commit. He then manually created checksum and signature files and used > svn to upload all that to > https://dist.apache.org/repos/dist/dev/fineract/1.11.0 . The srcDistTar > task took a few seconds to run. > > We couldn't get the binaryDistTar task to succeed on his computer, so I > ran that on mine. gradle binaryDistTar took 7min 5sec to run and > succeeded, but confusingly threw one NoClassDefFoundError exception. I'm > not sure if seeing this exception should block the release--please review > the attached log snippet and let me know what you think. Note that this > task was initially breaking for me--I also only got it to work from a very > clean clone. I think git clean -fdx helped with that, and perhaps also > that I manually cleaned out some gradle/maven/cargo caches I was able to > find. I could also have just done this in a fresh container or VM but it > seemed like overkill and if something is polluting a build I want to > understand what and why. Anyway, James will upload the binary, its > checksum, and signatures for same. Temporary home for these is: > > https://adammonsen.com/tmp/apache-fineract-1.11.0-binary.tar.gz > https://adammonsen.com/tmp/apache-fineract-1.11.0-binary.tar.gz.sha512 > > And here's the actual SHA-512 checksum, just in case: > 0ebe4e13d778e5d6d56f6b472e6304c17a34ebaea67742ac968ffcde2c787559442981de453b1360eb0b7adcc78a0a1fd1c6d4a3f51ed0ee18e759bfa2546992 > . That should be one 128-character hex string (in case it got broken into > separate lines somewhere along the way to your eyeballs). > > *The help I'm seeking is for PMC members to fetch and verify these > artifacts are valid*, following "Step 9: Verify Distribution Staging" > from the official docs (current-enough copy at > https://fineract.apache.org/docs/current/ ) and > https://www.apache.org/legal/release-policy.html . Additionally, my > unofficial suggestions are currently living at > https://github.com/meonkeys/fineract-asf-release-checklist/ (there's some > overlap and it's a work in progress, but I've got some good ideas there). > > I'm working on updates to the docs to reflect what worked and didn't for > us today. > > Thanks! > -Adam >
