You will now be infamous :-)

https://github.com/jvanzyl/sebbalizer

If you don't like the name, happy to change it. I thought it was appropriate 
and meant as a compliment for being thorough.

With a given staging URL, groupId, artifact, and version it will retrieve the 
source archive and binary archive and the corresponding SHA1s and validate that 
the SHA1s are right. It unpacks both archives, digs into the binary archive 
to find the maven-core JAR to retrieve the build.properties, which contains the 
SHA1 of the release revision from which the source archive was made. A git 
clone is performed and moved to the release revision. A check is performed to 
ensure that each file in the source archive is present in the release revision 
and that the SHA1 of each file in the source archive matches the SHA1 of 
the file from the corresponding release revision.

So for this release using the Sebbalizer I only found the DEPENDENCIES file to 
not exist in the release revision, every other file I consider valid and 
verified. I believe that for this release no errant files slipped in and it's 
good. 

People should review the code. I spent an hour on this by yanking a bunch of 
stuff together so it might very well have errors. I have one hardcoded url for 
the Git repository but I'll pull that out of the POM and then hopefully it can 
be used generally to validate source archives for releases. 

On Sep 20, 2013, at 5:40 PM, sebb <seb...@gmail.com> wrote:

> On 17 September 2013 16:39, Jason van Zyl <ja...@tesla.io> wrote:
>> Hi,
>> 
>> Maven Core ITs are good, and the license/notice issue has been resolved so 
>> I'm rolling 3.1.1 again.
>> 
>> Here is a link to Jira with 6 issues resolved:
>> https://jira.codehaus.org/secure/ReleaseNote.jspa?projectId=10500&version=18968
>> 
>> Staging repo:
>> https://repository.apache.org/content/repositories/maven-065/
>> 
>> The distributable binaries and sources for testing can be found here:
>> https://repository.apache.org/content/repositories/maven-065/org/apache/maven/apache-maven/3.1.1/
>> 
>> Specifically the zip, tarball, and source archives can be found here:
>> https://repository.apache.org/content/repositories/maven-065/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-bin.zip
>> https://repository.apache.org/content/repositories/maven-065/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-bin.tar.gz
>> https://repository.apache.org/content/repositories/maven-065/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-src.zip
>> https://repository.apache.org/content/repositories/maven-065/org/apache/maven/apache-maven/3.1.1/apache-maven-3.1.1-src.tar.gz
>> 
>> Source release checksum(s):
>> apache-maven-3.1.1-src.zip sha1: 2251357aa47129674df578e787504b72cd57ed4d
> 
> The full scm coordinates are needed.
> The pom includes the git URL and tag, but that is not immutable.
> Exactly the same tag was used for the previous vote.
> 
> To identify the source archive uniquely, additional info such as a
> hash is needed, so the hash is now included in the vote e-mail.
> The same applies to the SCM tag.
> 
>> Staging site:
>> http://people.apache.org/~jvanzyl/maven-3.1.1/
>> 
>> Vote open for 72 hours.
>> 
>> [ ] +1
>> [ ] +0
>> [ ] -1
>> 
>> Thanks,
>> 
>> The Maven Team
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
> 

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
---------------------------------------------------------
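The source-archive check described in the message above (verify the archive's SHA1 against its sidecar, then confirm every file in the archive exists in the release revision with an identical SHA1) is illustrated here as an added example; it is not the Sebbalizer's code. It assumes a local directory stands in for the `git clone` checked out at the release revision, and it skips the build.properties lookup; the zip, the sidecar checksum and the directory contents are all constructed inline.

```python
import hashlib
import io
import os
import tempfile
import zipfile


def sha1_bytes(data: bytes) -> str:
    """SHA1 hex digest, the same algorithm the staging repo publishes in .sha1 sidecars."""
    return hashlib.sha1(data).hexdigest()


def verify_archive_checksum(archive: bytes, sidecar: str) -> bool:
    """Compare the downloaded archive with its .sha1 sidecar.

    Accepts both a bare hex digest and the '<hex>  <filename>' form.
    """
    expected = sidecar.strip().split()[0].lower()
    return sha1_bytes(archive) == expected


def compare_archive_to_revision(archive: bytes, revision_dir: str, strip_prefix: str = ""):
    """For every file in the source zip, check that it exists in the checked-out
    release revision and that the SHA1 of both copies match.

    Returns (verified, missing, mismatched) as sorted lists of archive paths.
    """
    verified, missing, mismatched = [], [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = info.filename
            # Source archives carry a top-level 'artifact-version/' folder the checkout lacks.
            if strip_prefix and rel.startswith(strip_prefix):
                rel = rel[len(strip_prefix):]
            target = os.path.join(revision_dir, *rel.split("/"))
            if not os.path.isfile(target):
                missing.append(info.filename)
                continue
            with open(target, "rb") as fh:
                if sha1_bytes(fh.read()) == sha1_bytes(zf.read(info)):
                    verified.append(info.filename)
                else:
                    mismatched.append(info.filename)
    return sorted(verified), sorted(missing), sorted(mismatched)


def build_constructed_fixture():
    """Constructed sample data (not real release artifacts): a tiny source zip and a
    directory that stands in for the git checkout of the release revision."""
    files = {
        "apache-maven-3.1.1/pom.xml": b"<project>constructed</project>\n",
        "apache-maven-3.1.1/README.txt": b"Apache Maven 3.1.1\n",
        "apache-maven-3.1.1/DEPENDENCIES": b"generated at release time\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    archive = buf.getvalue()

    revision_dir = tempfile.mkdtemp(prefix="release-rev-")
    # pom.xml identical, README.txt altered, DEPENDENCIES absent from the revision.
    with open(os.path.join(revision_dir, "pom.xml"), "wb") as fh:
        fh.write(files["apache-maven-3.1.1/pom.xml"])
    with open(os.path.join(revision_dir, "README.txt"), "wb") as fh:
        fh.write(b"Apache Maven 3.1.1 (edited after tagging)\n")
    return archive, revision_dir


def run_demo():
    """Run both checks over the constructed fixture and return the findings."""
    archive, revision_dir = build_constructed_fixture()
    # Constructed .sha1 sidecar in the '<hex>  <filename>' form.
    sidecar = sha1_bytes(archive) + "  apache-maven-3.1.1-src.zip\n"
    checksum_ok = verify_archive_checksum(archive, sidecar)
    verified, missing, mismatched = compare_archive_to_revision(
        archive, revision_dir, strip_prefix="apache-maven-3.1.1/")
    return {"checksum_ok": checksum_ok, "verified": verified,
            "missing": missing, "mismatched": mismatched}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A file that appears in `missing` (as DEPENDENCIES does in the constructed fixture, mirroring the one finding reported above) is something the release manager expects to be generated at release time; a file in `mismatched` is the case the check exists for, since neither the tag nor the POM's scm URL pins the content the way a per-file SHA1 comparison does.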