Thanks for the feedback and sorry for not being diligent enough with this release.
> On 9. Jan 2020, at 03:08, Tobias Bocanegra <[email protected]> wrote:
>
> Also, I have several issues with the check:
>
> [ERROR] NOT OK: Tagged sources are different from those in the archive
> Only in
> ./target/jackrabbit-filevault-3.4.2/svn/jackrabbit-filevault-3.4.2:
> .gitattributes

I am gonna fix this.

>
> When I remove the .gitattributes from the checkout, I get the following
> error:
>
> [ERROR] Failed to execute goal
> org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project
> org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 1]
> [ERROR]
>

I cannot reproduce, can you share the report?

>
> Then a problem with the script itself:
>
> [INFO] 3. Verify checksums and signatures
> [INFO]
> [INFO] Verifying jackrabbit-filevault-3.4.2-src.zip...
> gpg: assuming signed data in
> './filevault/3.4.2/jackrabbit-filevault-3.4.2-src.zip'
> gpg: Signature made Wed Jan 8 18:03:46 2020 JST
> gpg: using RSA key D7742D58455ECC7C
> gpg: Good signature from "Konrad Windszus <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: B91A B7D2 121D C6B0 A61A A182 D774 2D58 455E CC7C
> [INFO] OK: jackrabbit-filevault-3.4.2-src.zip.asc

How do you usually sign keys? I added mine to https://dist.apache.org/repos/dist/release/jackrabbit/KEYS, is there anything more to do? I thought this would be enough for verification that the key belongs to me. Are the steps from https://jackrabbit.apache.org/jcr/creating-releases.html#Appendix_A:_Create_and_add_your_key_to_the_Jackrabbit_KEYS_file not enough? I am wondering why this hasn't been an issue with the last release...

>
> So, although the verification failed, the script reports OK (same for sha1).
> Note, after importing your key, the verification succeeds.
>
> ----
> As for the plugin:
> The 1.0.4 release notes are included:
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/RELEASE-NOTES.md

Indeed, I am gonna fix

>
> The same problem with the gitattributes:
>
> Only in
> ./target/filevault-package-maven-plugin-1.1.0/svn/filevault-package-maven-plugin-1.1.0/src/test/resources/test-projects/filtering-tests:
> .gitattributes
> [ERROR] NOT OK: Tagged sources are different from those in the archive
>
> ---
>
> So:
>
> -1 Do not release these packages because, the baseline check of filevault
> fails, and the release notes in the plugin are wrong.
>
> Regards, Toby
>
>
>> On 9 Jan 2020, at 10:42, Tobias Bocanegra <[email protected]> wrote:
>>
>> Hi Konrad,
>> Thanks for the releases..are the 2 releases dependent on each other?
>> Otherwise I would create 2 vote requests
>> In order to reduce the chance that if 1 release gets rejected, the other is
>> also invalid.
>>
>> Regards, Toby
>>
>>> On 8 Jan 2020, at 18:50, Konrad Windszus <[email protected]> wrote:
>>>
>>> Hi,
>>> A candidate for the Jackrabbit Filevault 3.4.2 release is available at:
>>>
>>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/
>>>
>>> The release candidate is a zip archive of the sources in:
>>>
>>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
>>>
>>> The SHA1 checksum of the archive is
>>> 5a4b4714387e9195bed13aa79d2659f67958a73b.
>>>
>>> The command for running automated checks against this release candidate is:
>>> $ sh check-release.sh filevault 3.4.2 5a4b4714387e9195bed13aa79d2659f67958a73b
>>>
>>> A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 release
>>> is available at:
>>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
>>>
>>> The release candidate is a zip archive of the sources in:
>>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/
>>>
>>> The SHA1 checksum of the archive is
>>> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>>>
>>> The command for running automated checks against this release candidate is:
>>> $ sh check-release.sh filevault-plugin 1.1.0 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>>>
>>> A staged Maven repository for both is available for review at:
>>> https://repository.apache.org/content/repositories/orgapachejackrabbit-1477
>>>
>>> Please vote on releasing these packages
>>> The vote is open for a minimum of 72 hours during business days and passes
>>> if a majority of at least three +1 Jackrabbit PMC votes are cast.
>>> The vote fails if not enough votes are cast after 1 week (5 business days).
>>>
>>> [ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and
>>> "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
>>> [ ] -1 Do not release these packages because...
>>>
>>>
>>> Thanks,
>>> Konrad
>>
>
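
The failure mode reported in this thread (a check that prints OK although gpg had no key to verify against) is avoided by deciding on gpg's machine-readable `--status-fd` lines and a pinned fingerprint rather than on the human-readable output. The script below is an added example, not the project's check-release.sh and not part of the e-mail thread; the function names and both sample status blocks are constructed, only the fingerprint is taken from the gpg output quoted above, and it assumes a GnuPG version that appends the primary key fingerprint to `VALIDSIG`.

```shell
#!/bin/sh
# Added example: strict verdict from `gpg --status-fd` lines, pinned to one fingerprint.

# Fingerprint as printed in the gpg output quoted in this thread.
FPR='B91A B7D2 121D C6B0 A61A A182 D774 2D58 455E CC7C'

# Constructed status output (not captured from a real run): key imported but untrusted.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D7742D58455ECC7C Konrad Windszus
[GNUPG:] VALIDSIG B91AB7D2121DC6B0A61AA182D7742D58455ECC7C 2020-01-08 1578474226 0 4 0 1 8 00 B91AB7D2121DC6B0A61AA182D7742D58455ECC7C
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Constructed status output: signer key missing from the keyring.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D7742D58455ECC7C 1 8 00 1578474226 9 B91AB7D2121DC6B0A61AA182D7742D58455ECC7C
[GNUPG:] NO_PUBKEY D7742D58455ECC7C'

# Drop spaces and upper-case so printed and machine-readable fingerprints compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# sig_verdict STATUS_TEXT EXPECTED_FPR
# Prints a verdict; returns 0 only for a valid signature whose primary key is the pinned one.
sig_verdict() {
    st=$1
    want=$(norm_fpr "$2")
    if printf '%s\n' "$st" | grep -q '^\[GNUPG:] NO_PUBKEY '; then
        echo "FAIL: public key not in keyring"; return 1
    fi
    if printf '%s\n' "$st" | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        echo "FAIL: signature bad, unverifiable, expired or revoked"; return 1
    fi
    # Last field of VALIDSIG is the primary key fingerprint.
    got=$(printf '%s\n' "$st" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$got" ]; then echo "FAIL: no VALIDSIG line"; return 1; fi
    if [ "$got" != "$want" ]; then echo "FAIL: signed by unexpected key $got"; return 1; fi
    echo "OK: valid signature by $got"
}

# verify_release ARTIFACT EXPECTED_FPR: run gpg on ARTIFACT and ARTIFACT.asc, then judge.
verify_release() {
    out=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || true
    sig_verdict "$out" "$2"
}

sig_verdict "$SAMPLE_GOOD" "$FPR"            # untrusted but pinned key: passes
sig_verdict "$SAMPLE_NOKEY" "$FPR" || true   # missing key: fails
```

Pinning to the fingerprint published in the KEYS file makes the web-of-trust warning irrelevant to the verdict, while a missing or different key still fails the check.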
