I was trying to match up the git tag vs the released artifact, but didn't
know a standard way of doing that.  As I mentioned in the original e-mail,
I wasn't sure if what I did was correct, but it was sufficient for my
purposes since it helped me find the discrepancy.

Running diff -rq on the untarred release artifact and the source as of the
git tag sounds sufficient.  It sounds like I can get the source as of the
git tag either via git archive or via maven, since they produce the same
tree, as you mentioned.  If someone knows a better way, I'd love to hear it.

FWIW I chose "git archive" rather than mvn because we are doing a source
release and git understands what is source.  Invoking mvn seemed like a
"bad" idea, because:
1) it invokes the build, but we are doing a source release that should be
independent of the build.
2) it will pull in files that are not in the source, e.g. the .iml files
generated by eclipse or even files generated via the build itself
I see that the how-to-release page lists using mvn to generate the source
artifact (https://cwiki.apache.org/confluence/display/SENTRY/How+to+Release),
but for the reasons above it seems like we should replace this with using
git archive.

Thoughts?
Greg



On Mon, Apr 28, 2014 at 11:51 AM, Sravya Tirukkovalur
<[email protected]> wrote:

> On Mon, Apr 28, 2014 at 11:32 AM, Sravya Tirukkovalur
> <[email protected]> wrote:
>
> >
> >
> >
> > On Mon, Apr 28, 2014 at 9:15 AM, karthik ramachandran <
> > [email protected]> wrote:
> >
> >> All,
> >>
> >> To fix the discrepancies between what is in the RC and the tag, I pulled a
> >> fresh version of code from git and ran:
> >>
> >> git checkout release-1.3.0-rc2
> >> mvn package -DskipTests
> >>
> >> I then re-signed and created new hashes for the resulting gzip and uploaded
> >> those artifacts to
> >> http://people.apache.org/~kramachandran/sentry-1.3.0-rc2/
> >>
> >> When I run diff -r incubator-sentry/ apache-sentry-1.3.0-incubating-src/
> >> the diff comes back clean. In this case incubator-sentry is yet another
> >> clean pull of the release-1.3.0-rc2 tag (sha:
> >> 31c8aca46c060685bd5a01f7706e2adab78a20d8); and
> >> apache-sentry-1.3.0-incubating-src is the uncompressed version of the tar
> >> built in the previous step.
> >>
> >> However, when I try to generate a tar using git archive --format=tar
> >> --prefix=apache-sentry-1.3.0-incubating-src/ HEAD | gzip >
> >> apache-sentry-1.3.0-incubating.tar.gz the resulting sha does not match the
> >> sha of the artifact generated by maven. When I unzip the resulting tar and
> >> diff it with the tar generated by maven the diff does come back clean.
> >> Does anyone have any thoughts on what I might be doing wrong here?
> >>
> >>
> > I verified that the sha1 and md5 are different for tar.gz produced by
> > maven versus git archive, although the contents are the same if I untar the
> > artifacts (diff -rq). My guess is they compress differently? @Greg, is there
> > a reason you used git archive rather than maven package?
> >
> Ah never mind, checksums will be different for two different tar balls,
> even if they are made from the same source. So we shouldn't really be
> comparing checksums of two different tar balls to make sure their contents
> match. Although we need to make sure the SHA and MD5 specified in the
> release candidate match with SHA/MD5 of the tar. Does that sound right,
> @Patrick, @Greg?
>
>
> >> Also, as a matter of voting protocol do we need to call a new vote or can we
> >> continue to leave the existing vote open?
> >>
> >> Thanks,
> >> Karthik
> >>
> >>
> >>
> >> On Fri, Apr 25, 2014 at 10:24 AM, Joe Brockmeier <[email protected]> wrote:
> >>
> >> >
> >> > On 04/21/2014 11:33 PM, Patrick Hunt wrote:
> >> > > I think Greg is right. It mostly looks good however there are a
> >> > > number of significant differences between what's in the rc and
> >> > > what's in the tag. Here's the diff output btw the untar'd rc and
> >> > > what's in the tag in git (mostly iml files, but also some
> >> > > directories, e.g. sentry-provider-db).
> >> > >
> >> > > I'm -1 at the moment.
> >> >
> >> > I've been hoping for some feedback from the release manager on these
> >> > questions before proceeding to review the artifacts. Any progress,
> >> > Karthik?
> >> >
> >> > Best,
> >> >
> >> > jzb
> >> > - --
> >> > Joe Brockmeier
> >> > [email protected]
> >> > Twitter: @jzb
> >> > http://www.dissociatedpress.net/
> >> >
> >>
> >>
> >>
> >> --
> >> Karthik Ramachandran
> >> Mobile: 412-606-8981
> >>
> >
> >
> >
> > --
> > Sravya Tirukkovalur
> >
>
>
>
> --
> Sravya Tirukkovalur
>
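
The point this thread converges on (two tarballs of the same source have different checksums, so compare unpacked contents with diff -rq instead) as an added example that is not part of any message above. The tree, file names and archive names are constructed sample data, and `digest`, `tree_matches` and `build_samples` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; every file name and tree below is constructed sample data.

digest() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1; }

# tree_matches ARTIFACT.tar.gz REFERENCE_DIR -> 0 if contents are identical.
# The artifact must unpack to a single top-level directory. For a real check,
# REFERENCE_DIR would be produced from the tag, e.g.:
#   git archive --format=tar --prefix=ref/ <tag> | tar -x -C <dir>
tree_matches() {
    scratch=$(mktemp -d) || return 2
    tar -xzf "$1" -C "$scratch" || { rm -rf "$scratch"; return 2; }
    diff -rq "$scratch"/* "$2"      # compares file bytes, ignores mtimes
    rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# build_samples DIR: one constructed source tree, packed three times.
build_samples() {
    src=$1/tag/src-1.0
    mkdir -p "$src/core" || return 2
    printf 'class A {}\n' > "$src/core/A.java"
    printf '<project/>\n' > "$src/pom.xml"
    touch -t 201404210000 "$src/core/A.java" "$src/pom.xml"
    (cd "$1/tag" && tar -czf ../from-tag.tar.gz src-1.0)
    # Same bytes, later mtimes: stands in for a second tool packing the tree.
    touch -t 201404280915 "$src/core/A.java" "$src/pom.xml"
    (cd "$1/tag" && tar -czf ../from-build.tar.gz src-1.0)
    # A stray IDE file that is not part of the tagged source.
    printf '<module/>\n' > "$src/core/core.iml"
    (cd "$1/tag" && tar -czf ../with-stray.tar.gz src-1.0)
    rm "$src/core/core.iml"
}

work=$(mktemp -d)
build_samples "$work"
ref=$work/tag/src-1.0
[ "$(digest "$work/from-tag.tar.gz")" = "$(digest "$work/from-build.tar.gz")" ] \
    || echo "tarball digests differ"
tree_matches "$work/from-build.tar.gz" "$ref" && echo "contents match the reference tree"
tree_matches "$work/with-stray.tar.gz" "$ref" || echo "contents do NOT match the reference tree"
rm -rf "$work"
```

The digest of a tarball is still what gets checked against the published checksum and signature for that exact file; the tree comparison answers the separate question of whether the file's contents correspond to the tag.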
