Cancelling these two releases due to the findings from Toby.
Konrad
> On 9. Jan 2020, at 09:09, Konrad Windszus <[email protected]> wrote:
>
> Thanks for the feedback and sorry for not being diligent enough with this
> release.
>
>> On 9. Jan 2020, at 03:08, Tobias Bocanegra <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> Also, I have several issues with the check:
>>
>> [ERROR] NOT OK: Tagged sources are different from those in the archive
>> Only in
>> ./target/jackrabbit-filevault-3.4.2/svn/jackrabbit-filevault-3.4.2:
>> .gitattributes
>
> I am gonna fix this.
>>
>> When I remove the . gitattributes from the checkout, I get the following
>> error:
>>
>> [ERROR] Failed to execute goal
>> org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project
>> org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help
>> 1]
>> [ERROR]
>>
> I cannot reproduce, can you share the report?
>>
>> Then a problem with the script itself:
>>
>> [INFO] 3. Verify checksums and signatures
>> [INFO]
>> [INFO] Verifying jackrabbit-filevault-3.4.2-src.zip...
>> gpg: assuming signed data in
>> './filevault/3.4.2/jackrabbit-filevault-3.4.2-src.zip'
>> gpg: Signature made Wed Jan 8 18:03:46 2020 JST
>> gpg: using RSA key D7742D58455ECC7C
>> gpg: Good signature from "Konrad Windszus <[email protected]
>> <mailto:[email protected]>>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: B91A B7D2 121D C6B0 A61A A182 D774 2D58 455E CC7C
>> [INFO] OK: jackrabbit-filevault-3.4.2-src.zip.asc
> How do you usually sign keys?
> I added mine to https://dist.apache.org/repos/dist/release/jackrabbit/KEYS
> <https://dist.apache.org/repos/dist/release/jackrabbit/KEYS>, is there
> anything more to do? I thought this would be enough for verification that the
> key belongs to me. Are the steps from
> https://jackrabbit.apache.org/jcr/creating-releases.html#Appendix_A:_Create_and_add_your_key_to_the_Jackrabbit_KEYS_file
>
> <https://jackrabbit.apache.org/jcr/creating-releases.html#Appendix_A:_Create_and_add_your_key_to_the_Jackrabbit_KEYS_file>
> not enough? I am wondering why this hasn't been an issue with the last
> release...
>
>>
>> So, although the verification failed, the script reports OK (same for sha1).
>> Note, after importing your key, the verification succeeds.
>>
>> ----
>> As for the plugin:
>> The 1.0.4 release notes are included:
>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/RELEASE-NOTES.md
>>
>> <https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/RELEASE-NOTES.md>
> Indeed, I am gonna fix
>>
>>
>> The the same problem with he gitattributes:
>>
>> Only in
>> ./target/filevault-package-maven-plugin-1.1.0/svn/filevault-package-maven-plugin-1.1.0/src/test/resources/test-projects/filtering-tests:
>> .gitattributes
>> [ERROR] NOT OK: Tagged sources are different from those in the archive
>>
>> ---
>>
>> So:
>>
>> -1 Do not release these packages because, the baseline check of filevault
>> fails, and the release notes in the plugin are wrong.
>>
>> Regards, Toby
>>
>>
>>> On 9 Jan 2020, at 10:42, Tobias Bocanegra <[email protected]
>>> <mailto:[email protected]>> wrote:
>>>
>>> Hi Konrad,
>>> Thanks for the releases..are the 2 releases dependent on each other?
>>> Otherwise I would create 2 vote requests
>>> In order to reduce the chance that if 1 release gets rejected, the other is
>>> also invalid.
>>>
>>> Regards, Toby
>>>
>>>> On 8 Jan 2020, at 18:50, Konrad Windszus <[email protected]
>>>> <mailto:[email protected]>> wrote:
>>>>
>>>> Hi,
>>>> A candidate for the Jackrabbit Filevault 3.4.2 release is available at:
>>>>
>>>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/
>>>> <https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/>
>>>>
>>>> The release candidate is a zip archive of the sources in:
>>>>
>>>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
>>>>
>>>> <https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/>
>>>>
>>>> The SHA1 checksum of the archive is
>>>> 5a4b4714387e9195bed13aa79d2659f67958a73b.
>>>>
>>>> The command for running automated checks against this release candidate is:
>>>> $ sh check-release.sh filevault 3.4.2
>>>> 5a4b4714387e9195bed13aa79d2659f67958a73b
>>>>
>>>> A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0
>>>> release is available at:
>>>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
>>>>
>>>> <https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/>
>>>>
>>>> The release candidate is a zip archive of the sources in:
>>>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/
>>>>
>>>> <https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/>
>>>>
>>>> The SHA1 checksum of the archive is
>>>> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>>>>
>>>> The command for running automated checks against this release candidate is:
>>>> $ sh check-release.sh filevault-plugin 1.1.0
>>>> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>>>>
>>>> A staged Maven repository for both is available for review at:
>>>> https://repository.apache.org/content/repositories/orgapachejackrabbit-1477
>>>>
>>>> <https://repository.apache.org/content/repositories/orgapachejackrabbit-1477>
>>>>
>>>> Please vote on releasing these packages
>>>> The vote is open for a minimum of 72 hours during business days and passes
>>>> if a majority of at least three +1 Jackrabbit PMC votes are cast.
>>>> The vote fails if not enough votes are cast after 1 week (5 business days).
>>>>
>>>> [ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and
>>>> "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
>>>> [ ] -1 Do not release these packages because...
>>>>
>>>>
>>>> Thanks,
>>>> Konrad
>>>
>>
>
