Hi Andreas, Many thanks for reminding.
On Fri, Dec 24, 2010 at 4:54 AM, Andreas Veithen <[email protected]>wrote: > Unfortunately, the release candidate doesn't yet meet the (new) ASF > requirements for a valid release :-(. See [1]: > > "Every artifact distributed by the Apache Software Foundation should > and every new one must be accompanied by one file containing an > OpenPGP compatible ASCII armored detached signature and another file > containing an MD5 checksum." > > Although the document doesn't mention Maven artifacts explicitly, the > common interpretation [2] of this requirement is that every individual > Maven artifact must be signed. > I will get this clarified, to how this should be done. Signing Maven artifacts should not be done manually, it should be done automatically through Maven itself. And, I don't see many apache projects doing the same as of now. > > Also, I think that the key used to sign the distributions doesn't meet > the new requirements in terms of key type and length. > Yes, that's a concern, the required key-lengths were revised, and mentioned at the very top of [1]. There were some instructions to how you could upgrade, if you already have a weak key. > > These requirements are part of the reasons why I migrated Axiom, Axis2 > and Sandesha2 to the (new) standard ASF release process based on > maven-release-plugin and Nexus. It automates most of the stuff and > Nexus does some validation of the artifacts already when staging them. > I think we should migrate Rampart as well, at least for the next > release. > So, have you got the Maven Release plugin to sign artifacts as mentioned, plus upload them to ASF's Maven repositories in a single go? [1] http://www.apache.org/dev/release-signing.html Thanks, Senaka. > > Andreas > > [1] http://www.apache.org/dev/release-signing.html > [2] > http://people.apache.org/~henkp/repo/faq.html<http://people.apache.org/%7Ehenkp/repo/faq.html> > > On Thu, Dec 23, 2010 at 05:37, Selvaratnam Uthaiyashankar > <[email protected]> wrote: > > Devs, > > > > This is the vote for Apache Rampart 1.5.1 release. > > > > Please review the signed artifacts: > > > > http://people.apache.org/~shankar/rampart/1.5.1/dist/<http://people.apache.org/%7Eshankar/rampart/1.5.1/dist/> > > > > The m2 repository is available at: > > http://people.apache.org/~shankar/rampart/1.5.1/m2_repo/<http://people.apache.org/%7Eshankar/rampart/1.5.1/m2_repo/> > > > > The site is temporarily hosted at: > > http://people.apache.org/~shankar/rampart/1.5.1/site/<http://people.apache.org/%7Eshankar/rampart/1.5.1/site/> > > > > SVN Info: > > https://svn.apache.org/repos/asf/axis/axis2/java/rampart/tags/v1.5.1 > > > > It was tested against Axis2 release candidates hosted in: > > http://people.apache.org/~veithen/1.5.4/<http://people.apache.org/%7Eveithen/1.5.4/> > > > > Here's my +1 (binding) to declare the above dist as Apache Rampart 1.5.1 > > > > thanks, > > Shankar > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- *Senaka Fernando* Member; Apache Software Foundation; http://apache.org * Associate Technical Lead & Product Manager - WSO2 G-Reg; WSO2, Inc.; http://wso2.com** <http://apache.org/> E-mail: senaka AT apache.org **P: +94 11 223 2481*; *M: +94 77 322 1818 Linked-In: http://www.linkedin.com/in/senakafernando Blog: http://senakafdo.blogspot.com *
