On Wed, Aug 26, 2009 at 8:54 AM, Wes Wannemacher<w...@wantii.com> wrote:
> On Wed, Aug 26, 2009 at 11:28 AM, Martin Cooper<mart...@apache.org> wrote:
>> On Wed, Aug 26, 2009 at 7:04 AM, Wes Wannemacher<w...@wantii.com> wrote:
>>> Hey, I got that email last night from the henkp bot that checks sigs, after fixing up the KEYS file on people.a.o,
>>
>> I assume that, by "fixing up", you mean adding your own release signing key? The KEYS file is checked into SVN, which is where it should be modified.
>>
>> https://svn.apache.org/repos/asf/struts/maven/trunk/build/KEYS
>>
>> If what's on the site ever differs from what's in SVN, then that's very bad, because it means we could have been hacked somehow. The file should never be edited in place.
>
> Yes, the file should be modified in SVN, but our steps indicate we should copy it out to people.a.o -
>
> http://struts.apache.org/2.x/docs/creating-and-signing-a-struts-21x-distribution.html#CreatingandSigningaStruts2.1.xDistribution-CreateaPGPkey
>
> If there is some other mechanism that should take care of this for us, it's probably broken because my public key is in the KEYS file, but my key never made it to the copy sitting on people.a.o, I had to push it out there manually.

Pushing the file directly is OK. I interpreted "fixing up" as "editing", as distinct from pushing out the updated SVN version.

--
Martin Cooper

>>
>>> I tried to check the signatures as a last minute sanity check and noticed that it seems like the jars that are deployed are different from the jars sitting on my machine from when I ran the release... For instance -
>>>
>>> (on people.a.o)
>>> $ shasum struts-annotations-1.0.5*.jar
>>> 40e6914b9ed3988ae38d141099b8a10af7992d8f  struts-annotations-1.0.5-javadoc.jar
>>> e9dbf458c0f445d68b71789388a8ca6df426efcb  struts-annotations-1.0.5-sources.jar
>>> 373013015e18b6cb6ae488c6755f7824f737c958  struts-annotations-1.0.5.jar
>>>
>>> (on my machine)
>>> $ shasum struts-annotations-1.0.5*jar
>>> a0a67a32990325d06b057c59aef1e974b2669b64  struts-annotations-1.0.5.jar
>>> dfa90f19763e9fa159377f0a105366735954e3f6  struts-annotations-1.0.5-javadoc.jar
>>> a8f2cd8275c50040f5c7d85657fcc877e54a6f66  struts-annotations-1.0.5-sources.jar
>>>
>>> So, of course, the detached sigs are failing as well... I kind of figure that it's related to the recent disk failure / restore from backup, but I'm not sure whether I should just SCP the copies out there or notify infra. Suggestions?
>>
>> If the files really are different, then we have a problem if the files have made it out to mirrors, since I'm not sure that the mirrors will pick up changed versions of the same files. You may need to check with infra on that. It would be good if we can figure out how this happened, too. I'm not sure a disk failure would cause this unless the files are actually corrupted (which would obviously be a major issue too!).
>>
>
> Sorry, folks, false alarm, I was looking at the wrong files on my hard-drive... Still learning maven. Apparently when you run the release:perform, it checks everything out into target/checkout and creates jars in target/checkout/target which are somehow slightly different from the jars sitting in target.
>
> I'll keep digging, but the hashes and signatures all seem to match now.
>
> -Wes
>
> --
> Wes Wannemacher
>
> Head Engineer, WanTii, Inc.
> Need Training? Struts, Spring, Maven, Tomcat...
> Ask me for a quote!
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
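The sanity check Wes describes, comparing the `shasum` listing of the jars on people.a.o against the local copies, as an added example that is not code from this thread or from the Struts project: it parses pasted `shasum` output, pairs entries by file name so that the different listing order seen above is not itself reported as a mismatch, and can recompute the local digests. The two sample listings are the ones quoted in the thread; `shasum_dir` and `sanity_check` are helper names introduced here.

```python
import hashlib
import re
from pathlib import Path

# shasum prints "<sha1>  <name>" in text mode or "<sha1> *<name>" in binary mode.
_LINE = re.compile(r"^([0-9a-fA-F]{40})\s+\*?(\S.*)$")

def parse_shasum(listing: str) -> dict:
    """Map file name -> lowercase SHA-1 from pasted `shasum` output."""
    digests = {}
    for line in filter(None, (ln.strip() for ln in listing.splitlines())):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a shasum line: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests

def shasum_dir(directory, pattern="*.jar") -> dict:
    """Recompute SHA-1 for local artifacts, the same digest `shasum` prints."""
    out = {}
    for p in sorted(Path(directory).glob(pattern)):
        h = hashlib.sha1()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        out[p.name] = h.hexdigest()
    return out

def compare(remote: dict, local: dict) -> dict:
    """Pair entries by file name, so a differing listing order is not a mismatch."""
    common = set(remote) & set(local)
    return {
        "mismatched": sorted(n for n in common if remote[n] != local[n]),
        "only_remote": sorted(set(remote) - set(local)),
        "only_local": sorted(set(local) - set(remote)),
    }

def sanity_check(remote_listing: str, local_listing: str) -> dict:
    """ok is True only when every file is on both sides with identical digests."""
    result = compare(parse_shasum(remote_listing), parse_shasum(local_listing))
    result["ok"] = not any(result.values())
    return result

# Constructed sample input: the two listings quoted in the thread, in the order pasted there.
REMOTE_LISTING = """40e6914b9ed3988ae38d141099b8a10af7992d8f  struts-annotations-1.0.5-javadoc.jar
e9dbf458c0f445d68b71789388a8ca6df426efcb  struts-annotations-1.0.5-sources.jar
373013015e18b6cb6ae488c6755f7824f737c958  struts-annotations-1.0.5.jar"""
LOCAL_LISTING = """a0a67a32990325d06b057c59aef1e974b2669b64  struts-annotations-1.0.5.jar
dfa90f19763e9fa159377f0a105366735954e3f6  struts-annotations-1.0.5-javadoc.jar
a8f2cd8275c50040f5c7d85657fcc877e54a6f66  struts-annotations-1.0.5-sources.jar"""
```

Run `sanity_check(REMOTE_LISTING, shasum_dir("target/checkout/target"))` style comparisons against the directory the jars were actually signed from; a non-empty `mismatched` list is the point at which to stop and check with infra rather than re-upload.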