On 9 September 2013 20:56, Stephen Connolly
<stephen.alan.conno...@gmail.com> wrote:
> On 8 September 2013 18:51, Jason van Zyl <ja...@tesla.io> wrote:
>
>>
>> On Sep 8, 2013, at 1:12 PM, sebb <seb...@gmail.com> wrote:
>>
>> > I thought you were going to include the SCM coordinates used to create
>> > the tarballs?
>> >
>>
>> Sorry, not intentional. I forgot.
>>
>> > It's particularly important here, because AFAICT the SCM coordinates
>> > are not present in the POM.
>> > If true, then it's not possible to verify the files in the source
>> > tarballs.
>> >
>>
>> The hash is always in the distribution, it's how we show where it comes from
>> when you type "mvn -v". It's in the build properties in the core JAR and
>> the hash in there is:
>>
>> c9950d777c7368e51431500c29aecf1e11e3d2c6
>>
>
> Is that the SHA1 of the src.zip and src.tar.gz or is it the SHA1 of the git
> commit?
>
> What we are looking for on the vote emails is the SHA1 and MD5 of the
> src.zip and src.tar.gz so that interested parties can verify that the vote
> was against the source distribution that ends up in dist and central. Since
> the staging repository is deleted as part of the release process, and since
> what the PMC is voting on is the source bundles, we need the vote email to
> specify the hashes of the source bundle *for the record*...

+1, especially "for the record"

> Of course this is really easy to do as Maven helpfully uploads the hashes
> to the staging repository, but since "it didn't happen if it wasn't on a
> mailing list" (stephenc rolls his eyes) we need the release manager to
> ensure that the vote has this required information.

+1, especially "idhiiwoaml"

> Note: The commit hash is really nice to have, but is not part of the
> minimum set of required information, and we are trying to stick to minimum
> procedure. So we don't look for that *even* if other people think we should.
>

Part of the due diligence that should be performed by the reviewers is
to check that the source archives only contain files with the
appropriate licensing.
By far the easiest way to do this is to compare the source archive(s)
with the SCM tag, since it is assumed that due diligence has been
performed on the SCM contents.

This is critical information and needs to be readily available to the
reviewer, and "for the record" needs to be in the vote e-mail.
Otherwise "it did not happen on the mailing list".

>
>>
>> > Also, AFAIK, the PMC agreed to include hashes of the tarballs in vote
>> > e-mails?
>> >
>> > On 8 September 2013 14:07, Jason van Zyl <ja...@tesla.io> wrote:
>> >> Hi,
>> >>
>> >> Here is a link to Jira with 6 issues resolved:
>> >>
>> >> https://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=10500&version=18968
>> >>
>> >> Staging repo:
>> >> https://repository.apache.org/content/repositories/maven-016/
>> >>
>> >> The distributable binaries and sources for testing can be found here:
>> >>
>> >> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/
>> >>
>> >> Specifically the zip, tarball, and source archives can be found here:
>> >>
>> >> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-bin.zip
>> >>
>> >> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-bin.tar.gz
>> >>
>> >> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-src.zip
>> >>
>> >> https://repository.apache.org/content/repositories/maven-016/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-src.tar.gz
>> >>
>> >> Vote open for 72 hours.
>> >>
>> >> [ ] +1
>> >> [ ] +0
>> >> [ ] -1
>> >>
>> >> Thanks,
>> >>
>> >> The Maven Team
>> >>
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> > For additional commands, e-mail: dev-h...@maven.apache.org
>> >
>>
>> Thanks,
>>
>> Jason
>>
>> ----------------------------------------------------------
>> Jason van Zyl
>> Founder,  Apache Maven
>> http://twitter.com/jvanzyl
>> ---------------------------------------------------------
>>
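The two checks the thread asks a reviewer to perform, as an added example script (not code from the thread or from the Maven project): verify a staged artifact against the .sha1/.md5 sidecar files that a Maven deploy uploads next to it, and diff the unpacked source archive against a checkout of the SCM tag so that any file present in the tarball but absent from SCM (or differing from it) is listed for licence review. It assumes GNU coreutils (sha1sum, md5sum), tar and diff, that the tag checkout already exists locally, and that the archive has a single top-level directory as Maven source bundles do; the artifact and checkout paths are examples.

```shell
#!/bin/sh
# Added example: reviewer-side checks for a Maven source bundle vote.
# Assumes GNU coreutils, tar, diff. Not the project's own tooling.

# verify_sidecar FILE ALGO
# Compares FILE's digest with the one stored in FILE.ALGO (e.g. foo.tar.gz.sha1).
# Returns 0 on match, 1 on mismatch or missing sidecar.
verify_sidecar() {
    file=$1; algo=$2
    sidecar="$file.$algo"
    [ -r "$sidecar" ] || { echo "missing $sidecar" >&2; return 1; }
    # Maven sidecars hold the bare hex digest, sometimes followed by a filename;
    # keep only the first token and normalise its case before comparing.
    expected=$(awk '{print tolower($1); exit}' "$sidecar")
    actual=$("${algo}sum" "$file" | awk '{print $1}')
    if [ "$expected" = "$actual" ]; then
        echo "OK   $algo $file"
        return 0
    fi
    echo "FAIL $algo $file: sidecar says $expected, computed $actual" >&2
    return 1
}

# compare_archive_to_tree ARCHIVE.tar.gz TREE
# Unpacks ARCHIVE into a scratch directory and diffs its single top-level
# directory against TREE (the SCM tag checkout), ignoring SCM metadata.
# Returns 0 when identical; otherwise prints each differing or extra path
# (diff's "Only in ..." / "Files ... differ" lines) and returns 1.
compare_archive_to_tree() {
    archive=$1; tree=$2
    work=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; return 1; }
    top=$(ls "$work" | head -n 1)
    if diff -rq -x .git -x .svn "$work/$top" "$tree"; then
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}

# Usage (example paths):
#   sh verify_release.sh apache-maven-3.1.1-src.tar.gz /path/to/tag-checkout
if [ $# -eq 2 ]; then
    verify_sidecar "$1" sha1 && verify_sidecar "$1" md5 && \
        compare_archive_to_tree "$1" "$2" && echo "source bundle matches SCM tag"
fi
```

The sidecar check covers what Stephen asks for on the vote mail (hashes of the source bundle, for the record); the tree comparison covers the licensing due diligence, since every path diff reports as "Only in" the archive is a file that never went through the SCM review.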

