This vote has been canceled to address the issues in this thread.
On Mon, Apr 28, 2014 at 12:26 PM, Sravya Tirukkovalur <[email protected]>wrote: > Thanks Greg! > > On Mon, Apr 28, 2014 at 12:06 PM, Gregory Chanan <[email protected] > >wrote: > > > I was trying to match up the git tag vs the released artifact, but didn't > > know a standard way of doing that. As I mentioned in the original > e-mail, > > I wasn't sure if what I did was correct, but it was sufficient for my > > purposes since it helped me find the discrepancy. > > > > Running diff -rq on the untared release artifact and the source as of the > > git tag sounds sufficient. It sounds like I can get the source as of the > > git tag either via git archive or via maven, since they produce the same > > tree, as you mentioned. If someone knows a better way, I'd love to hear > > it. > > > > I use diff -rq as well and seems to work fine. But would love to hear if > there is a standard way. > > > > FWIW I chose "git archive" rather than mvn because we are doing a source > > release and git understands what is source. Invoking mvn seemed like a > > "bad" idea, because: > > 1) it invokes the build, but we are doing a source release that should be > > independent of the build. > > 2) it will pull in files that are not in the source, e.g. the .iml files > > generated by eclipse or even files generated via the build itself > > I see that the how-to-release page lists using mvn to generate the source > > artifact ( > > https://cwiki.apache.org/confluence/display/SENTRY/How+to+Release), > > but for the reasons above it seems like we should replace this with using > > git archive. > > > > > I agree that, we should use git archive instead, as we are only releasing > src artifacts. Unless there was a reason for using maven to generate src > artifacts. > > > > Thoughts? > > Greg > > > > > > > I think we should update the sentry how to release page. Also having a > voting checklist would help. So that the release manager and the voters > have one way of verifying things. > > > > On Mon, Apr 28, 2014 at 11:51 AM, Sravya Tirukkovalur > > <[email protected]>wrote: > > > > > On Mon, Apr 28, 2014 at 11:32 AM, Sravya Tirukkovalur > > > <[email protected]>wrote: > > > > > > > > > > > > > > > > > > > On Mon, Apr 28, 2014 at 9:15 AM, karthik ramachandran < > > > > [email protected]> wrote: > > > > > > > >> All, > > > >> > > > >> To fix the discrepancies between what is in the RC and the tag, I > > > pulled a > > > >> fresh version of code from git and ran: > > > >> > > > >> git checkout release-1.3.0-rc2 > > > >> mvn package -DskipTests > > > >> > > > >> I then re-signed and created new hashes for the resulting gzip and > > > >> uploaded > > > >> those artifacts to > > > >> http://people.apache.org/~kramachandran/sentry-1.3.0-rc2/ > > > >> > > > >> When I run diff -r incubator-sentry/ > > apache-sentry-1.3.0-incubating-src/ > > > >> the diff comes back clean. In this case incubator-sentry is yet > > another > > > >> clean pull of the release-1.3.0-rc2 tag (sha > > > >> : 31c8aca46c060685bd5a01f7706e2adab78a20d8); and > > > >> apache-sentry-1.3.0-incubating-src is the uncompressed version of > the > > > tar > > > >> built in the previous step. > > > >> > > > >> However, when I try to generate a tar using git archive > --format=tar > > > >> --prefix=apache-sentry-1.3.0-incubating-src/ HEAD | gzip > > > > >> apache-sentry-1.3.0-incubating.tar.gz the resulting sha does not > match > > > the > > > >> sha of the artifact generated by maven. When I unzip the resulting > tar > > > and > > > >> diff it with the tar generated by maven the diff does come back > clean. > > > >> Does anyone have any thoughts on what I might be doing wrong here? > > > >> > > > >> > > > > I verified that the sha1 and md5 are different for tar.gz produced by > > > > maven versus git archive, although the contents are the same if I > untar > > > the > > > > artifacts(diff -rq). My guess is they compress differently? @Greg, is > > > there > > > > a reason you used git archive rather than maven package? > > > > > > > > Ah never mind, checksums will be different for two different tar > balls, > > > even if they are made from the same source. So we shouldn't really be > > > comparing checksums of two different tar balls to make sure their > > contents > > > match. Although we need to make sure the SHA and MD5 specified in the > > > release candidate match with SHA/MD5 of the tar. Does that sound right, > > > @Patrick, @Greg? > > > > > > > > > Also, as matter of voting protocol do we need to call a new vote or can > > we > > > >> continue to leave the existing vote open? > > > >> > > > >> Thanks, > > > >> Karthik > > > >> > > > >> > > > >> > > > >> On Fri, Apr 25, 2014 at 10:24 AM, Joe Brockmeier <[email protected]> > > > wrote: > > > >> > > > >> > -----BEGIN PGP SIGNED MESSAGE----- > > > >> > Hash: SHA1 > > > >> > > > > >> > On 04/21/2014 11:33 PM, Patrick Hunt wrote: > > > >> > > I think Greg is right. It mostly looks good however there are a > > > >> > > number of significant differences between what's in the rc and > > > >> > > what's in the tag. Here's the diff output btw the untar'd rc and > > > >> > > what's in the tag in git (mostly iml files, but also some > > > >> > > directories, e.g. sentry-provider-db). > > > >> > > > > > >> > > I'm -1 at the moment. > > > >> > > > > >> > I've been hoping for some feedback from the release manager on > these > > > >> > questions before proceeding to review the artifacts. Any progress, > > > >> > Karthik? > > > >> > > > > >> > Best, > > > >> > > > > >> > jzb > > > >> > - -- > > > >> > Joe Brockmeier > > > >> > [email protected] > > > >> > Twitter: @jzb > > > >> > http://www.dissociatedpress.net/ > > > >> > -----BEGIN PGP SIGNATURE----- > > > >> > Version: GnuPG v1 > > > >> > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > > >> > > > > >> > iQEcBAEBAgAGBQJTWpppAAoJEKbW5zOgIHzUHfEH/3sSme6MLfTkU76fNJ4YKnFH > > > >> > Tlz6GCF+BrXruM+NRn1YtmaypM/briZK+pa9OIiH5kVNJ4w59VXgxQP8RPUnyAcm > > > >> > u7ZETekt6ioM8hUX71s/b7GPXceAhA6ZW3nzZSMbntdONsacjRMkwiCJ3Fz5buL8 > > > >> > fmfx8ew0Zt7qrOYus0liwHZuE6CoTCu/a1nTTFZBPGpUr8ArsirO6mvcffK4YMX6 > > > >> > /p6zAZgoOB1cc9bzQcdaMT79Hg7671HVsArY2I8XeG+g6kSPVYCsonDL/Kw1VHZw > > > >> > i41BulVIj/NU0HmPGRn65HIwdQHqbrakGjbVl9z9lCkyQ1QDtcVvUIj5B6iuabk= > > > >> > =nA9Z > > > >> > -----END PGP SIGNATURE----- > > > >> > > > > >> > > > >> > > > >> > > > >> -- > > > >> Karthik Ramachandran > > > >> Mobile: 412-606-8981 > > > >> > > > > > > > > > > > > > > > > -- > > > > Sravya Tirukkovalur > > > > > > > > > > > > > > > > -- > > > Sravya Tirukkovalur > > > > > > > > > -- > Sravya Tirukkovalur > -- Karthik Ramachandran Mobile: 412-606-8981
