On Wed, Aug 28, 2024 at 10:29 PM PJ Fanning <fannin...@apache.org> wrote:

> https://github.com/apache/pekko/tree/v1.1.0-RC1
> Git commit ID: d1ec2243300425bca4ec1c142e32e83c2cc7c2f8
>
> [x] Download links are valid.
> [ ] Checksums and signatures.
> [x] LICENSE/NOTICE files exist
> [x] No unexpected binary files
> [x] All source files have ASF headers
> [x] Can compile from source
> [ ] Can verify the binary build


Also checked the released sources match the git commit.

Running a small application against this version was fine.


> To verify the binary build, please refer to:
>
>
> https://github.com/apache/pekko-site/wiki/Pekko-Release-Process#verifying-the-binary-build
>

Checking the staged convenience binary jars, several 2.13 artifacts are
missing the META-INF/LICENSE and META-INF/NOTICE files. I don't know how
critical those are, it might not be worth aborting the release over -
something to look into though.

I do see more concerning inconsistencies in the 2.13 artifacts:

https://arnout.engelen.eu/rb/reproducible-builds-diffoscope-output-pekko-actor_2.13-1.1.0-RC1.jar.html
https://arnout.engelen.eu/rb/reproducible-builds-diffoscope-output-pekko-actor-typed_2.13-1.1.0-RC1.jar.html

Aside from ordering/counting things, there seem to be actual differences in
some invocations and public/private modifiers.

For the Scala 3 artifacts, I only saw an instance of
https://github.com/scala/scala3/issues/20496 in
pekko-cluster-sharding_3-1.1.0-RC1.jar (expected) and an ordering difference in
https://arnout.engelen.eu/rb/reproducible-builds-diffoscope-output-pekko-persistence_3-1.1.0-RC1.html
(hopefully somehow an effect of the expected difference?).

The 'functional' differences in the binary 2.13 artifacts are concerning,
but look like an acceptable risk for now. I'm +0.5 for this release.


Kind regards,

-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant

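The two checks described in the message above (presence of META-INF/LICENSE and META-INF/NOTICE, and separating ordering-only differences from content differences between a staged jar and a local rebuild) can be sketched as follows. This is an added example, not part of the original email or the Pekko release process; the function names and the in-memory sample jars are constructed for illustration, and it only triages before a full diffoscope run.

```python
import hashlib
import io
import zipfile

REQUIRED = ("META-INF/LICENSE", "META-INF/NOTICE")

def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of the uncompressed content, in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}

def compare_jars(staged, rebuilt):
    """Classify differences between a staged jar and a rebuilt jar."""
    a, b = entry_digests(staged), entry_digests(rebuilt)
    common = a.keys() & b.keys()
    return {
        "missing_legal": [n for n in REQUIRED if n not in a],
        "only_in_staged": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        # Same name, different bytes: the kind of difference that needs review.
        "content_differs": sorted(n for n in common if a[n] != b[n]),
        # Same entries in a different sequence: harmless on its own.
        "order_differs": [n for n in a if n in b] != [n for n in b if n in a],
    }

def make_jar(entries):
    """Build an in-memory jar from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries:
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed samples: the staged jar lacks NOTICE; the rebuild reorders two
# class files and one of them has different bytes.
STAGED = make_jar([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                   ("META-INF/LICENSE", b"Apache License 2.0\n"),
                   ("org/example/A.class", b"\xca\xfe\xba\xbe public"),
                   ("org/example/B.class", b"\xca\xfe\xba\xbe same")])
REBUILT = make_jar([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                    ("META-INF/LICENSE", b"Apache License 2.0\n"),
                    ("META-INF/NOTICE", b"Example notice\n"),
                    ("org/example/B.class", b"\xca\xfe\xba\xbe same"),
                    ("org/example/A.class", b"\xca\xfe\xba\xbe private")])

if __name__ == "__main__":
    for key, value in compare_jars(STAGED, REBUILT).items():
        print(f"{key}: {value}")
```

Hashing the uncompressed entry content keeps zip timestamps and compression settings out of the comparison, so only entry order and actual bytes are reported.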