On 10.11.2013 00:56, Jeremy Boynes wrote:
> I'd like to release Apache Tomcat Standard Taglib 1.2.0.
>
> This would be the first release in many years, and the first release of an
> implementation of JSTL 1.2.
>
> Maven Staging Repository:
> https://repository.apache.org/content/repositories/orgapachetomcat-110
>
> Source Distribution:
> https://repository.apache.org/content/repositories/orgapachetomcat-110/org/apache/taglibs/taglibs-standard/1.2.0/
>
> SVN tag:
> https://svn.apache.org/repos/asf/tomcat/taglibs/standard/tags/taglibs-standard-1.2.0
> @ r1540426
>
> KEYS: https://svn.apache.org/repos/asf/tomcat/trunk/KEYS
>
> The proposed 1.2.0 release is:
> [X] Broken - do not release
> [] OK - release as 1.2.0

Don't panic, the only show stopper I saw was that likely your javadoc is
vulnerable to CVE-2013-1571. This should be trivially fixable by
building/releasing with a more current JDK 7 (anything newer than 1.7.0_21,
which is exactly the one you were using). Or update to maven javadoc plugin
2.9.1. The current tag of the Apache parent pom still references 2.9, only
trunk is at 2.9.1. See:

http://jira.codehaus.org/browse/MJAVADOC-370
https://issues.apache.org/jira/browse/MPOM-46

I have a couple of additional remarks though, all based on a very formal
test of the release. Most should be trivial to fix, so if you start another
release cycle, it would be nice to get rid of some of them. I haven't
actually used the artefacts.

Overview:

- MD5 and SHA1 OK
- signatures OK
- key in KEYS file
- src zip consistent with svn tag
- builds fine
- build result looks consistent with binaries
  - some exceptions, see below
- no checkstyle complaints
- no Javadoc warnings
- No unit test failures

Build and tests were done using Maven 2.2.1 and Java 1.7.0_45.
OS was Solaris 10 Sparc.

Room for improvement:

- main pom.xml contains a snippet:

  <distributionManagement>
    <site>
      <id>apache.website</id>
      <name>Apache Website</name>
      <url>scpexe://people.apache.org/www/tomcat.apache.org/taglibs/standard-${project.version}/</url>
    </site>
  </distributionManagement>

  Is it correct to publish a people.apache.org URL here?

- Building

  README_src.txt tells us to run

  $ mvn install   <-- builds all targets and installs in local repository
  $ mvn clean     <-- removes all build artifacts
  $ mvn release   <-- builds all targets and releases to staging repo

  but I get an error for "mvn release":

  Invalid task 'release': you must specify a valid lifecycle phase, or a
  goal in the format plugin:goal or
  pluginGroupId:pluginArtifactId:pluginVersion:goal

  I actually wasn't able to recreate the release including zip and hash
  files.
  Using "mvn install" and then also "mvn source:jar" and "mvn javadoc:jar"
  I could recreate the jar files though. It would be nice to document how
  to create the release zip.

- README_src.txt

  Contains: "There are four sub-modules: ...", the 5th module "build-tools"
  is not mentioned.

- README_src.txt starts with

  ---------------------------------------------------------------------------
  Apache Standard Tag Library 1.2 -- SOURCE DISTRIBUTION
  ---------------------------------------------------------------------------

  but README_bin.txt with

  ---------------------------------------------------------------------------
  Standard Tag Library 1.1 -- BINARY DISTRIBUTION
  ---------------------------------------------------------------------------

  different name and version.

- README_bin.txt

  The section "COMPATIBILITY" tells us:

  "The 1.1 version of the Standard Taglib has been tested under Tomcat 5.0.3
  and should work in any compliant JSP 2.0 container."

  Should we update to something like "tested under Tomcat 6, 7 and 8" - if
  it were true? And we are now at 1.2 instead of 1.1.

- README_bin.txt

  "LIBRARY DEPENDENCIES" talks about Java 1.4.2, although Java is needed.
  The convenience directory lib/old-dependencies is mentioned, although it
  doesn't seem to exist. It seems the whole section should be reviewed in
  light of the updated requirements and release process. It also mentions
  several times the no longer existing URL
  http://java.sun.com/products/jwsdp. Finally the section talks about
  "WAR Files" standard-doc.war and standard-examples.war which I didn't
  manage to create and are not in the repo.

- NOTICE

  Contains somewhat inconsistent project names:

  Apache Tomcat Standard Taglib
  Apache Standard Taglib
  Apache Standard Taglib 1.0 Compatibility
  Apache Standard Taglib 1.0 EL Support
  Apache Standard Taglib Build Tools
  Apache Standard Taglib Implementation
  Apache Standard Taglib Specification API

  Only the top level one contains the name part "Tomcat".
  I don't know which name is right, but it seems inconsistent.

- DEPENDENCIES

  Similar to NOTICE, if the names get changed, should change here to:

  Apache Standard Taglib
  Apache Standard Taglib 1.0 Compatibility
  Apache Standard Taglib 1.0 EL Support
  Apache Standard Taglib Build Tools
  Apache Standard Taglib Implementation
  Apache Standard Taglib Specification API

  and

  - Apache Standard Taglib Implementation
    (http://tomcat.apache.org/taglibs/standard-1.2.0/taglibs-standard-impl)
    org.apache.taglibs:taglibs-standard-impl:bundle:1.2.0
  - Apache Standard Taglib Specification API
    (http://tomcat.apache.org/taglibs/standard-1.2.0/taglibs-standard-spec)
    org.apache.taglibs:taglibs-standard-spec:bundle:1.2.0

- Servlet 2.4 vs. 2.5

  README_bin.txt and standard-test/src/main/webapp/WEB-INF/web.xml refer to
  servlet 2.4, but the pom files and src/site/xdoc/index.xml refer to
  Servlet 2.5.

- changes.xml:

  Contains

  <release version="1.2.0" date="Unreleased" description="JSTL 1.2 implementation in the making"/>

  Should that be adjusted pre-release?

- Comparing my build with your build

  - I can't create the zip file
  - I can't create the war file(s)
  - the created jars do not contain NOTICE, LICENSE and DEPENDENCIES files
    in META-INF. They are there in the original release artefact jars
    though.

Regards,

Rainer
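
Added example, not part of the mail above and not Tomcat project tooling: a Python sketch of two of the checks the review describes, comparing each staged artifact with its .md5/.sha1 sidecar and confirming that each jar carries NOTICE, LICENSE and DEPENDENCIES in META-INF. The sample jar name and its contents are constructed; the sidecar layout (hex digest as first token) is an assumption about how the staging directory was downloaded.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Files the mail reports in META-INF of the original release jars.
LEGAL_FILES = ("META-INF/NOTICE", "META-INF/LICENSE", "META-INF/DEPENDENCIES")
SIDECARS = {".md5": "md5", ".sha1": "sha1"}

def digest(path, algo):
    """Hex digest of a file, read in chunks so large archives are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(staging_dir):
    """Return (artifact, problem) pairs; a sidecar's first token is the digest."""
    problems = []
    for art in sorted(Path(staging_dir).iterdir()):
        if not art.is_file() or art.suffix in SIDECARS or art.suffix == ".asc":
            continue  # checksum sidecars and signatures are not artifacts
        for ext, algo in SIDECARS.items():
            side = art.with_name(art.name + ext)
            tokens = side.read_text().split() if side.exists() else []
            if not tokens:
                problems.append((art.name, "missing " + ext))
            elif tokens[0].lower() != digest(art, algo):
                problems.append((art.name, ext + " mismatch"))
        if art.suffix == ".jar":
            with zipfile.ZipFile(art) as jar:
                names = set(jar.namelist())
            problems += [(art.name, "no " + f) for f in LEGAL_FILES if f not in names]
    return problems

def make_sample(root):
    """Constructed sample: a jar without DEPENDENCIES and with a stale .sha1."""
    jar_path = Path(root) / "sample-impl-0.0.0.jar"  # hypothetical artifact name
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/NOTICE", "constructed")
        jar.writestr("META-INF/LICENSE", "constructed")
    Path(str(jar_path) + ".md5").write_text(digest(jar_path, "md5") + "\n")
    Path(str(jar_path) + ".sha1").write_text("0" * 40 + "\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(make_sample(tmp)))
```

Signature verification against the KEYS file is left to gpg; this sketch only covers the digest and jar-content checks.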
