On Tue, Feb 23, 2016 at 02:50:37PM +1100, Justin Mclean wrote:
> Hi,
>
> Sorry but it’s -1 (binding) from me.
>
> To be clear that doesn’t stop other people voting +1, and if you get
> 3+1 you can still put it up on the IPMC general list for a vote.
> You’re also welcome to try and change my mind, anyone can change their
> vote after initial voting. All the -1 means is I wouldn’t release it,
> but what makes a release good enough quality to release is going to
> vary from person to person and that’s all OK.

I think it is best to correct the issues you spotted, rather than try to
release something with known noncompliances.

> I checked:
> - release artefacts are missing incubating from their names [1][2]
> - missing DISCLAIMER in release artefacts [3]
> - NOTICE good but missing original developer (runtime)
> - newt doesn’t have a README at the top level
> - not sure how to compile the source repos - some instruction on this in the
> releases would be nice

OK, we will fix all the above (I snipped the criteria that you thought
looked OK).

>
> How were the hashes generated?
>
> I’m seeing this:
> $ openssl sha1 larva-0.8.0-b1.tgz
> SHA1(larva-0.8.0-b1.tgz)= 99b15843d0a5af3f3d7dbdcb52afb80144ee1255
> $ cat larva-0.8.0-b1.tgz.sha
> /Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz:
> 51915329 EE9E17F8 7517C2B6 1C99268B 9AAA478D 2C85AA0B B036276D 4B980A11
> 9BE18DEB
> 471E762A A80CB4D5 7478390E 60A0EAE1 0481F723 5FFE83A8 6990D700

These are actually generated using sha512:

    gpg2 --print-md SHA512 larva-0.8.0-b1.tgz > larva-0.8.0-b1.tgz.sha

Apparently gpg2 inserts the source file path in the SHA output. I agree
that that is not the most helpful behavior, but I hadn't noticed it.
However, "compliance rocks" OKed the SHAs, and the above command is
actually what is recommended by the Apache release signing page
(http://www.apache.org/dev/release-signing.html#sha-checksum), so this
might not be an issue. That said, it is probably more user-friendly to
remove the filename, so I will do that this next time.

> Some possible improvements:
> - Re naming it's a good idea to add apache to the name as well as I
> believe it gives some extra legal protection / shows it’s an apache
> product.
> - It’s a good idea to sign the artefacts with an apache email address.
>
> Thanks,
> Justin
>
> 1. http://incubator.apache.org/guides/releasemanagement.html#naming
> 2. http://incubator.apache.org/incubation/Incubation_Policy.html#Releases
> (note the word MUST)
> 3. http://incubator.apache.org/guides/releasemanagement.html#check-list
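
Added example, not part of the original message or of any Apache tooling: a Python checker that reads a checksum file in either the gpg --print-md layout quoted above or the coreutils layout, infers the algorithm from the digest length, and verifies data against it. The function names, the length-based inference and the constructed sample input are assumptions of this example.

```python
import hashlib
import hmac
import re

# Hex length -> hashlib name. Inferring the algorithm from length is a
# heuristic (assumption of this example): it cannot tell SHA-256 from SHA3-256.
ALGO_BY_HEX_LEN = {40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}

# The .sha file body quoted in the message above.
PAGE_SHA_FILE = """/Users/ccollins/tmp/rel/bin/larva-0.8.0-b1.tgz:
51915329 EE9E17F8 7517C2B6 1C99268B 9AAA478D 2C85AA0B B036276D 4B980A11
9BE18DEB
471E762A A80CB4D5 7478390E 60A0EAE1 0481F723 5FFE83A8 6990D700
"""

def parse_checksum_text(text):
    """Return (algorithm, lowercase hex digest) from a checksum file body."""
    tokens = text.split()
    # gpg --print-md layout: "<path>: AAAAAAAA BBBBBBBB ..." wrapped over lines.
    candidates = [re.sub(r"\s+", "", text.rpartition(":")[2])]
    # coreutils layout: "<hex>  <filename>".
    if tokens:
        candidates.append(tokens[0])
    for cand in candidates:
        if re.fullmatch(r"[0-9A-Fa-f]+", cand) and len(cand) in ALGO_BY_HEX_LEN:
            return ALGO_BY_HEX_LEN[len(cand)], cand.lower()
    raise ValueError("no recognisable digest in checksum text")

def verify(data, checksum_text):
    """Hash data with the algorithm the checksum implies; return (algo, ok)."""
    algo, expected = parse_checksum_text(checksum_text)
    actual = hashlib.new(algo, data).hexdigest()
    return algo, hmac.compare_digest(actual, expected)

def gpg_style(path, data):
    """Build a constructed checksum body imitating the layout quoted above."""
    hexd = hashlib.sha512(data).hexdigest().upper()
    groups = [hexd[i:i + 8] for i in range(0, len(hexd), 8)]
    return f"{path}: " + " ".join(groups[:8]) + "\n " + " ".join(groups[8:]) + "\n"

if __name__ == "__main__":
    print(parse_checksum_text(PAGE_SHA_FILE)[0])   # algorithm implied by the quoted file
    sample = b"constructed sample artefact\n"      # constructed input
    print(verify(sample, gpg_style("/tmp/sample.tgz", sample)))
```

The 16 groups of 8 hex digits in the quoted file come to 128 digits, a 512-bit digest, which is why it cannot match the 40-digit `openssl sha1` output.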
