Thanks or pushing this back up to the top. Some thoughts below. > On Mar 24, 2021, at 12:46 AM, Richard Zowalla <r...@apache.org> wrote: > > It seems, we are already providing SHA256/SHA512 checksums for newer > releases. To rephrase my comment: If we would switch to Maven > repository links instead, we would need to upgrade the parent project > in order to deploy SHA256/SHA512 to Maven repositories.
I'm curious what others think, but to me it would seem the best source to point at for the signatures is something on apache.org. I completely understand how having the mirror be the source of signatures to verify files on the mirror completely defeats the point :) The most natural source for me would be linking signatures back to the mirror source which is https://dist.apache.org/repos/dist/release/tomee/ > - How to deploy changes conducted in > https://github.com/apache/tomee-site-generator ? > > The documentation is outdated and I have no idea of the steps required > to get the changes "live". If someone can explain the process, I am > happy to update the documentation as well. Thank you in advance for the help! When David and I did work here we didn't really document outside the list conversations. The short version is if you push modified html to this repo, it shows up live eventually: - https://github.com/apache/tomee-site-pub You can regenerate the site with a `mvn compile` as mentioned here: - https://github.com/apache/tomee-site-generator#build The documentation says "you just need to sync it with CMS repo", but doesn't give details. We used to do that with this class: - https://github.com/apache/tomee-site-generator/blob/master/src/main/java/org/apache/tomee/website/SvnPub.java Now we're on Git and probably need a new version of that that uses JGit to commit the new HTML. We could actually setup an automated process for publishing the site in Jenkins. My last research on that is here: - https://lists.apache.org/thread.html/r6885ad10294a0e6d9c3ad2552dfe9a04239ac4dd77f15be4da9bcfff%40%3Cdev.tomee.apache.org%3E On the download page itself, I have a handful of thoughts so I'll put those in a new thread. Thank you so much for having energy to look into all of this!! -David > Am Mittwoch, den 24.03.2021, 08:40 +0100 schrieb Richard Zowalla: >> Hi, >> >> wanted to raise attention on this mail again: >> >> I have merged the "manual" changes to add the missing links to the >> .asc >> files of the release download page. >> >> In this process, I discovered, that we are not using the Downloads >> generator class [2] anymore. My questions is: >> >> Did we switch on purpose from Maven repository links (for the >> binaries) >> towards mirror links? (just want to catch up on this) >> >> In addition, we might need to provide SHA256/SHA512 checksums for new >> artifacts by INFRA release policies [3]. This might require to >> upgrade >> the ASF parent project, see [4]. >> >> Gruss, >> Richard >> >> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-2975 >> [2] >> https://github.com/apache/tomee-site-generator/blob/master/src/main/java/org/apache/tomee/website/Downloads.java >> [3] https://infra.apache.org/release-distribution.html >> [4] https://issues.apache.org/jira/browse/MPOM-205 >> >> Am Dienstag, den 09.03.2021, 09:30 +0100 schrieb Richard Zowalla: >>> Hi all, >>> >>> INFRA created two tasks related to our releases on Jira [1,2]. >>> >>> To address [1], I created a PR [3] on the tomee-site-generator >>> project. >>> Romain had some feedback on it and we discovered, that we changed >>> the >>> release links from Maven repositories links towards Mirror links. >>> >>> My PR is a manual fix to address the concerns raised by INFRA >>> related >>> to missing links to the .asc files. I also added instructions on >>> how >>> to >>> check the integrity of the provided release files. >>> >>> However, I think, that we should discuss the approach in general, >>> ie. >>> which kind of binaries are deployed via the mirroring system and >>> which >>> binaries are provided via Maven repositories. This is also relevant >>> in >>> terms of [2] as INFRA has requested to delete non active versions >>> from >>> the mirroring system. >>> >>> The problem with the mirroring system might be, that the current >>> process seems to be of "manual" nature (?) while the "old" process >>> (via >>> Downloads.java) generated (and verified) the download links for >>> copy&paste them into the "download-ng.adoc". >>> >>> Wdyt? >>> >>> Gruss, >>> Richard >>> >>> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-2975 >>> [2] https://issues.apache.org/jira/browse/TOMEE-1096 >>> [3] https://github.com/apache/tomee-site-generator/pull/21 >>>
smime.p7s
Description: S/MIME cryptographic signature
