On Fri, Dec 24, 2010 at 07:33, Senaka Fernando <[email protected]> wrote: > Hi Andreas, > > Many thanks for reminding. > > On Fri, Dec 24, 2010 at 4:54 AM, Andreas Veithen <[email protected]> > wrote: >> >> Unfortunately, the release candidate doesn't yet meet the (new) ASF >> requirements for a valid release :-(. See [1]: >> >> "Every artifact distributed by the Apache Software Foundation should >> and every new one must be accompanied by one file containing an >> OpenPGP compatible ASCII armored detached signature and another file >> containing an MD5 checksum." >> >> Although the document doesn't mention Maven artifacts explicitly, the >> common interpretation [2] of this requirement is that every individual >> Maven artifact must be signed. > > I will get this clarified, to how this should be done. Signing Maven > artifacts should not be done manually, it should be done automatically > through Maven itself. And, I don't see many apache projects doing the same > as of now. >> >> Also, I think that the key used to sign the distributions doesn't meet >> the new requirements in terms of key type and length. > > Yes, that's a concern, the required key-lengths were revised, and mentioned > at the very top of [1]. There were some instructions to how you could > upgrade, if you already have a weak key. >> >> These requirements are part of the reasons why I migrated Axiom, Axis2 >> and Sandesha2 to the (new) standard ASF release process based on >> maven-release-plugin and Nexus. It automates most of the stuff and >> Nexus does some validation of the artifacts already when staging them. >> I think we should migrate Rampart as well, at least for the next >> release. > > So, have you got the Maven Release plugin to sign artifacts as mentioned, > plus upload them to ASF's Maven repositories in a single go?
Yes. Here are the documents that explain how this is executed for Axiom and Axis2: http://ws.apache.org/axiom/devguide/ch02.html#d0e326 http://axis.apache.org/axis2/java/core/release-process.html Sandesha2 pretty much sticks to the standard procedure: http://www.apache.org/dev/publishing-maven-artifacts.html As mentioned earlier, before this could be applied to Rampart, you would have to request inclusion of org.apache.rampart in the staging profile for Axis2. > [1] http://www.apache.org/dev/release-signing.html > > Thanks, > Senaka. >> >> Andreas >> >> [1] http://www.apache.org/dev/release-signing.html >> [2] http://people.apache.org/~henkp/repo/faq.html >> >> On Thu, Dec 23, 2010 at 05:37, Selvaratnam Uthaiyashankar >> <[email protected]> wrote: >> > Devs, >> > >> > This is the vote for Apache Rampart 1.5.1 release. >> > >> > Please review the signed artifacts: >> > >> > http://people.apache.org/~shankar/rampart/1.5.1/dist/ >> > >> > The m2 repository is available at: >> > http://people.apache.org/~shankar/rampart/1.5.1/m2_repo/ >> > >> > The site is temporarily hosted at: >> > http://people.apache.org/~shankar/rampart/1.5.1/site/ >> > >> > SVN Info: >> > https://svn.apache.org/repos/asf/axis/axis2/java/rampart/tags/v1.5.1 >> > >> > It was tested against Axis2 release candidates hosted in: >> > http://people.apache.org/~veithen/1.5.4/ >> > >> > Here's my +1 (binding) to declare the above dist as Apache Rampart 1.5.1 >> > >> > thanks, >> > Shankar >> > >> > --------------------------------------------------------------------- >> > To unsubscribe, e-mail: [email protected] >> > For additional commands, e-mail: [email protected] >> > >> > >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> > > > > -- > Senaka Fernando > Member; Apache Software Foundation; http://apache.org > > Associate Technical Lead & Product Manager - WSO2 G-Reg; > WSO2, Inc.; http://wso2.com > > E-mail: senaka AT apache.org > P: +94 11 223 2481; M: +94 77 322 1818 > Linked-In: http://www.linkedin.com/in/senakafernando > Blog: http://senakafdo.blogspot.com > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
