Checked out release tag at 783722121d55530813f21e5e6bc14e9955777e5c: ok Compared tag against source ZIP: ok Signatures on distribution spot: match KEYS file - no trust established yet SHA256 hashes on distribution spot: ok Signatures on staging repository: match KEYS file - no trust established yet SHA1/MD5 hashes on staging spot: ok Built from sources using Java 21: ok
How about switching to SHA512 for hashes? IMHO strong SHA hashes should also be included in the staging repository, for the Maven artifacts, not only in the dist spot. This warning appears various times during the build apparently when the tests boot up - any idea where it comes from? WARNING: Using incubator modules: jdk.incubator.vector +0.5 for a release ;) -- Richard P.S.: I'd give a +1 but first we should establish key trust. > On 19. Sep 2024, at 23:42, Andrea Del Bene <an.delb...@gmail.com> wrote: > > [ ] Yes, release Apache Wicket 10.2.0 > [ ] No, don't release Apache Wicket 10.2.0, because ... > > Distributions, changelog, keys and signatures can be found at: > > https://dist.apache.org/repos/dist/dev/wicket/10.2.0 > > Staging repository: > > https://repository.apache.org/content/repositories/orgapachewicket-1207/ > > Staging git repository data: > > Repository: g...@github.com:bitstorm/wicket.git > Branch: build/wicket-10.2.0 > Release tag: rel/wicket-10.2.0
