I've created a ticket for the issue [1]. Someone who fully understands the release process may pick it up.
[1] https://issues.apache.org/jira/browse/IGNITE-13999

On Fri, Jan 15, 2021 at 12:01 AM Andrey Mashenkov <[email protected]> wrote:

> Val, I didn't find the way to make a local deploy. So I just made
> 'install'.
>
> Yes, you are right, only source jar is signed.
> Seems, we need to configure checksum plugin for signing binary jars as it
> is done in Maven-parent or any other project.
>
> Thu, Jan 14, 2021, 23:14 Valentin Kulichenko <[email protected]>:
>
>> Andrey,
>>
>> Did you try on the 2.x or 3.x?
>>
>> I've just tried to do the same in ignite-3, but it didn't work for me.
>> I've updated the parent pom version to 23 and ran "mvn clean deploy
>> -Papache-release". The source package is now signed with SHA512, which is
>> good, but there was no effect on the JAR artifacts. As a matter of fact, I
>> don't see any checksum files for them. My guess is that by default they
>> are generated by the deploy plugin, during the upload to Maven. Here is
>> the resulting staging (still MD5 and SHA1):
>> https://repository.apache.org/content/repositories/orgapacheignite-1505/
>>
>> Does it behave in the same way for you?
>>
>> -Val
>>
>> On Thu, Jan 14, 2021 at 3:30 AM Andrey Mashenkov <[email protected]> wrote:
>>
>>> I've made "mvn clean install" with enabled "apache-release" profile and
>>> see *.sha-512 checksum files in target directories.
>>> So, upgrading to the latest apache parent looks sufficient.
>>>
>>> On Thu, Jan 14, 2021 at 12:30 PM Petr Ivanov <[email protected]> wrote:
>>>
>>>> It seems that parent is already updated in
>>>> https://issues.apache.org/jira/browse/IGNITE-13987
>>>>
>>>>> On 14 Jan 2021, at 01:57, Valentin Kulichenko <[email protected]> wrote:
>>>>>
>>>>> Andrey,
>>>>>
>>>>> This sounds even better. Can you create a ticket for this change?
>>>>>
>>>>> -Val
>>>>>
>>>>> On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov <[email protected]> wrote:
>>>>>
>>>>>> Val,
>>>>>>
>>>>>> I've just found Maven projects use SHA-512.
>>>>>> I passed through commits and found they just switched to newer parent
>>>>>> org.apache:apache pom.
>>>>>> I've compared our current parent pom with the latest available one
>>>>>> (org.apache:apache:16 vs org.apache:apache:23)
>>>>>> and then found checksum-maven-plugin was added [1] sometime in between.
>>>>>>
>>>>>> So, seems we have to switch to newer apache pom and maybe add
>>>>>> checksum-maven-plugin to our main pom.
>>>>>>
>>>>>> [1] https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a
>>>>>>
>>>>>> On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Andrey,
>>>>>>>
>>>>>>> This indeed sounds like the cleanest way. I don't know how much
>>>>>>> effort that would be though.
>>>>>>>
>>>>>>> -Val
>>>>>>>
>>>>>>> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <[email protected]> wrote:
>>>>>>>
>>>>>>>> Maybe, we could donate to maven plugin possibility to switch to
>>>>>>>> SHA-512. Hopefully, a new plugin version will be released before we
>>>>>>>> have any release candidate.
>>>>>>>>
>>>>>>>> Does it look like a big deal?
>>>>>>>>
>>>>>>>> Wed, Jan 13, 2021, 21:32 Valentin Kulichenko <[email protected]>:
>>>>>>>>
>>>>>>>>> Hi Ivan,
>>>>>>>>>
>>>>>>>>> No, I haven't found a way yet. SHA1 still works, but I believe we
>>>>>>>>> should consider using better options in future releases.
>>>>>>>>>
>>>>>>>>> Do you have any ideas on how to implement this?
>>>>>>>>>
>>>>>>>>> -Val
>>>>>>>>>
>>>>>>>>> On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Folks,
>>>>>>>>>>
>>>>>>>>>> Were you able to resolve this?
>>>>>>>>>>
>>>>>>>>>> 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <[email protected]>:
>>>>>>>>>>> Hi Ivan,
>>>>>>>>>>>
>>>>>>>>>>> Thanks for your response. I've looked into the PGP plugin, and
>>>>>>>>>>> unfortunately it looks like it only can create signatures, but
>>>>>>>>>>> not checksums.
>>>>>>>>>>>
>>>>>>>>>>> -Val
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I've never done this before, but it seems like we need
>>>>>>>>>>>> maven-gpg-plugin for it [1].
>>>>>>>>>>>>
>>>>>>>>>>>> Algorithm configuration would look like this:
>>>>>>>>>>>> <gpgArguments>
>>>>>>>>>>>>   <arg>--digest-algo=SHA512</arg>
>>>>>>>>>>>> </gpgArguments>
>>>>>>>>>>>>
>>>>>>>>>>>> Maybe this will help.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
>>>>>>>>>>>>
>>>>>>>>>>>> Mon, Dec 28, 2020 at 01:25, Valentin Kulichenko <[email protected]>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Igniters,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've been preparing the 3.0.0-alpha1 release and got confused
>>>>>>>>>>>>> about the requirements for checksums in Maven deployments. The
>>>>>>>>>>>>> Apache instruction [1] states that MD5 is deprecated and SHA1
>>>>>>>>>>>>> should be avoided in favor of SHA-256 or SHA-512. However, it
>>>>>>>>>>>>> looks like we are still using the MD5/SHA1 combination (at
>>>>>>>>>>>>> least that's what the staging for 2.9.1 [2] contains).
>>>>>>>>>>>>>
>>>>>>>>>>>>> On top of that, I can't find an easy way to switch to another
>>>>>>>>>>>>> checksum - Maven deploy plugin [3] creates MD5 and SHA1 files
>>>>>>>>>>>>> automatically and doesn't seem to have any options to tweak
>>>>>>>>>>>>> this behavior.
>>>>>>>>>>>>>
>>>>>>>>>>>>> That said, I have two questions:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. Are we required to use SHA512 or MD5/SHA1 is OK for now?
>>>>>>>>>>>>> 2. Is there a painless way to include SHA512 in addition to
>>>>>>>>>>>>>    MD5/SHA1?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can anyone shed some light on this?
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] https://infra.apache.org/release-signing.html#basic-facts
>>>>>>>>>>>>> [2] https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
>>>>>>>>>>>>> [3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Val
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Sincerely yours,
>>>>>>>>>>>> Ivan Bessonov
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Best regards,
>>>>>>>>>> Ivan Pavlukhin
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Andrey V. Mashenkov
>>>
>>> --
>>> Best regards,
>>> Andrey V. Mashenkov

--
Best regards,
Andrey V. Mashenkov
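
The check the thread performs by eye on the staging repository and on the `target` directories (which artifacts carry a SHA-512 checksum and which only MD5/SHA1) can be scripted. The following is an added example, not part of the thread or of the Ignite build; the function names are hypothetical and the sidecar naming `<artifact>.sha512`, `.sha1`, `.md5` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit checksum sidecars next to
# release artifacts. Assumed naming: <artifact>.sha512 / .sha1 / .md5.

# Print the lowercase hex SHA-512 of a file, using whichever tool exists.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Print "<STATUS> <path>" for every .jar/.pom/.zip under directory $1:
#   OK        .sha512 sidecar present and matches the file
#   MISMATCH  .sha512 sidecar present but does not match
#   WEAK      only .sha1 and/or .md5 sidecars present
#   NONE      no checksum sidecar at all
audit_checksums() {
    find "$1" -type f \( -name '*.jar' -o -name '*.pom' -o -name '*.zip' \) |
    sort |
    while IFS= read -r f; do
        if [ -f "$f.sha512" ]; then
            # Sidecar is "<hex>" or "<hex>  <name>"; compare the hex only.
            want=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
            if [ "$want" = "$(sha512_of "$f")" ]; then
                echo "OK $f"
            else
                echo "MISMATCH $f"
            fi
        elif [ -f "$f.sha1" ] || [ -f "$f.md5" ]; then
            echo "WEAK $f"
        else
            echo "NONE $f"
        fi
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_checksums "$1"
fi
```

Run against a module's `target` directory or a local copy of a staging repository, any `WEAK` or `NONE` line marks an artifact that would ship without a SHA-512 checksum.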
