It seems we are already providing SHA256/SHA512 checksums for newer releases. To rephrase my comment: If we switched to Maven repository links instead, we would need to upgrade the parent project in order to deploy SHA256/SHA512 to Maven repositories.

Other question:

- How to deploy changes conducted in https://github.com/apache/tomee-site-generator ? The documentation is outdated and I have no idea of the steps required to get the changes "live". If someone can explain the process, I am happy to update the documentation as well.

Regards,
Richard

On Wednesday, 24.03.2021, at 08:40 +0100, Richard Zowalla wrote:
> Hi,
>
> wanted to raise attention on this mail again:
>
> I have merged the "manual" changes to add the missing links to the
> .asc files of the release download page.
>
> In this process, I discovered that we are not using the Downloads
> generator class [2] anymore. My question is:
>
> Did we switch on purpose from Maven repository links (for the
> binaries) towards mirror links? (just want to catch up on this)
>
> In addition, we might need to provide SHA256/SHA512 checksums for new
> artifacts by INFRA release policies [3]. This might require upgrading
> the ASF parent project, see [4].
>
> Regards,
> Richard
>
> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-2975
> [2] https://github.com/apache/tomee-site-generator/blob/master/src/main/java/org/apache/tomee/website/Downloads.java
> [3] https://infra.apache.org/release-distribution.html
> [4] https://issues.apache.org/jira/browse/MPOM-205
>
> On Tuesday, 09.03.2021, at 09:30 +0100, Richard Zowalla wrote:
> > Hi all,
> >
> > INFRA created two tasks related to our releases on Jira [1,2].
> >
> > To address [1], I created a PR [3] on the tomee-site-generator
> > project. Romain had some feedback on it and we discovered that we
> > changed the release links from Maven repository links towards
> > mirror links.
> >
> > My PR is a manual fix to address the concerns raised by INFRA
> > related to missing links to the .asc files. I also added
> > instructions on how to check the integrity of the provided release
> > files.
> >
> > However, I think that we should discuss the approach in general,
> > i.e. which kind of binaries are deployed via the mirroring system
> > and which binaries are provided via Maven repositories. This is
> > also relevant in terms of [2], as INFRA has requested to delete
> > non-active versions from the mirroring system.
> >
> > The problem with the mirroring system might be that the current
> > process seems to be of "manual" nature (?) while the "old" process
> > (via Downloads.java) generated (and verified) the download links
> > to copy & paste them into the "download-ng.adoc".
> >
> > Wdyt?
> >
> > Regards,
> > Richard
> >
> > [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-2975
> > [2] https://issues.apache.org/jira/browse/TOMEE-1096
> > [3] https://github.com/apache/tomee-site-generator/pull/21