For Java jars, the ASF has repository.apache.org - a Nexus instance that can be used to stage and later release jars. The login credentials are the same credentials you use to access other ASF resources.
On Mon, 13 May 2024 at 21:28, Enrico Olivelli <eolive...@gmail.com> wrote: > Tiago, > > > Il Lun 13 Mag 2024, 22:11 Tiago Bento <tiagobe...@apache.org> ha scritto: > > > Hello general@incubator, > > > > My name is Tiago Bento (@tiagobento on GitHub), and I’m one of the > > committers of the KIE project of the incubator. > > > > We’re gearing towards our first release under Apache, and we’re very > > excited to be approaching this important milestone. > > > > Some resources [1] [2] that we found already guided us in the right > > direction, but still, some questions remain about the release process > > itself. > > > > We understand that in Apache, releases are done from the source code > > perspective, not the binaries/artifacts’. However, we still don’t > > understand very clearly how Apache verifies signatures and checksums > > of the binaries that are eventually published. > > > > It is better that in case you provide binaries to your users those binaries > are released together with the sources during the same VOTE. > > Having reproducible builds would help a lot, but that's not always easy to > do. > > In your VOTE you should stage all the sources and binaries, signed with the > same signature (by the release manager) and the same artifacts will be > promoted in case of a successful VOTE. > > The PMC can at least verify the signatures and any digests that are staged > as part of the VOTE. > > Please note that if you don't have a reproducible build the PMC will never > be able to verify that the binaries match the sources. > > > > The KIE project has three main types of consumable artifacts: Maven > > modules, Container images, and NPM packages; and we also maintain some > > live web pages like https://sandbox.kie.org, and extensions for Chrome > > [3] and VS Code [4]. > > > > For the release to be voted, we understand we have to provide a .zip > > file containing the source code along with instructions on how to > > build it. Once/if approved, our understanding is that the exact same > > approved source code could be used to build and publish > > binaries/artifacts of any sort to public registries/repositories. > > > > I’m laying out all the information I could gather so someone can > > correct me if somehow I got the wrong idea of any part of the process. > > > > I guess the main question I have at the moment is: Are we able to pass > > the release vote only with the sources (without any published > > artifacts) so that once/if approved, we could publish definitive > > binaries/artifacts to public registries/repositories? > > > > You can do it. But you should state it very clearly in the downloads pages > and in any repository. > > Also it is better to leverage as much as possible the ASF infra to build > automatically such derived artifacts. > > Foe instance in Apache BookKeeper we build the docker images using a docker > bot that is handled by the ASF infra > > > > This question comes from the fact that we’re not sure how such a > > “staging” environment could be created for artifacts/binaries that are > > not Maven modules. We started a thread [5] on Slack several hours ago, > > but no luck getting > > I apologize if I’m lacking obvious information, and appreciate any > > resource or reply that would put us closer to a successful release. > > > > This is the right place for asking questions, not Slack. > > > > Regards, > > > > I hope that help > > Thanks for sharing your problem, this thread will be a good reference for > other projects > > Enrico > > > > > Tiago Bento > > > > > > > > [1] https://lists.apache.org/thread/ropp09n8m75rl6hlvnmpwcv85oyq5op9 > > [2] https://www.apache.org/info/verification.html > > [3] > > > https://chromewebstore.google.com/detail/bpmn-dmn-test-scenario-ed/mgkfehibfkdpjkfjbikpchpcfimepckf > > [4] > > > https://marketplace.visualstudio.com/items?itemName=kie-group.vscode-extension-kie-ba-bundle > > [5] https://the-asf.slack.com/archives/CBX4TSBQ8/p1715605377484379 > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > For additional commands, e-mail: general-h...@incubator.apache.org > > > > >
