On 10/12/06, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> 2) The release process - I honestly think Maven does this "wrong." At least for incubator projects, we need to do the tagging/build/signing/etc. first, then vote on the resulting binaries. This definitely doesn't seem to be what Maven is doing. They seem to vote on the "state of the code in the repository", then do the release steps. I think it would be good if the processes that were used could act as an example, especially for the incubator folks that are learning.

FWIW, we've struggled with this in Struts and MyFaces, where we want to vote on the *exact* artifacts that will be distributed. For the recent MyFaces release, I staged it all under people.apache.org/builds, then copied it over to www.apache.org/dist and the m2-ibiblio-rsync repository after the final TCK run and vote. (Now the repository metadata is wrong, but it can be reconstructed from the contents of the repository if necessary.)

> My (somewhat wacky) idea might be to add a "release:stage" that would do ALL the release steps, but to a "staging area" (apache home directory or similar, maybe need a "staging" section to the distributionManagement section of the pom) that the project could vote on, then another release goal to copy the staging to the real "release" area if/when the vote passes.

I call this 'promoting a build'. It could be useful for more than releases; it's just copying artifacts from one repository to another while preserving the metadata. At one point I think Brett said it might be a feature for Archiva.

> 3) Signing/deploying - this is another area that Maven doesn't seem to "help" too much. Everyone seems to run deploy/release, then log in to people.apache.org and run a script over the directory to do the signing.

We're not supposed to put keys on ASF hardware, so the signing must be done locally.

> Actually, the Maven project doesn't seem to do it at all sometimes. The javadoc plugin did get signed, but the new clover one did not. However, the new maven-metadata.xml files got changed with javadoc, but didn't get re-signed so the .asc file does not match and thus verify fails. Kind of hard to "trust" the Maven repository when the sigs fail.
The metadata files don't need to be signed, just the artifacts and poms. (According to: http://people.apache.org/repo/m2-ibiblio-rsync-repository/README.txt )

-- 
Wendy
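
The stage, vote, promote flow discussed in this message, as an added example that is not part of the original thread or of any Maven or Archiva code: it records a SHA-256 manifest of the staging area for the vote, then refuses to promote if an artifact or pom lacks a `.asc` or if anything changed after the vote. The function names, directory layout and sidecar suffixes are assumptions, and the check only confirms that a signature file is present; verifying it cryptographically is a separate step.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

SIDECARS = (".asc", ".md5", ".sha1")  # assumed signature/checksum suffixes

def needs_signature(path):
    """Artifacts and poms need a .asc; metadata files and sidecars do not."""
    return not (path.name.startswith("maven-metadata") or path.name.endswith(SIDECARS))

def manifest(repo):
    """Map each file's repository-relative path to its SHA-256 digest."""
    return {p.relative_to(repo).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(repo.rglob("*")) if p.is_file()}

def unsigned(repo):
    """Files that should carry a detached signature but have no .asc beside them."""
    return [p.relative_to(repo).as_posix() for p in sorted(repo.rglob("*"))
            if p.is_file() and needs_signature(p)
            and not p.with_name(p.name + ".asc").exists()]

def promote(staging, release, voted):
    """Copy staging to release only if it is signed and still matches the vote."""
    missing = unsigned(staging)
    if missing:
        raise ValueError(f"unsigned files: {missing}")
    if manifest(staging) != voted:
        raise ValueError("staging changed after the vote")
    shutil.copytree(staging, release, dirs_exist_ok=True)
    copied = manifest(release)
    if any(copied.get(name) != digest for name, digest in voted.items()):
        raise ValueError("release copy differs from the voted artifacts")

def build_sample(root):
    """Constructed sample: one jar and pom with placeholder .asc, unsigned metadata."""
    d = root / "staging" / "org" / "example" / "demo" / "1.0"
    d.mkdir(parents=True)
    for name in ("demo-1.0.jar", "demo-1.0.pom"):
        (d / name).write_bytes(b"constructed " + name.encode())
        (d / (name + ".asc")).write_text("constructed placeholder signature\n")
    (d.parent / "maven-metadata.xml").write_text("<metadata/>\n")
    return root / "staging"

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    staging = build_sample(root)
    voted = manifest(staging)  # digests circulated with the vote
    promote(staging, root / "release", voted)
    print("promoted", len(voted), "files")
```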