Hi Andreas,

On Fri, Dec 24, 2010 at 2:04 PM, Andreas Veithen <[email protected]> wrote:

> On Fri, Dec 24, 2010 at 07:33, Senaka Fernando <[email protected]> wrote:
> > Hi Andreas,
> >
> > Many thanks for reminding.
> >
> > On Fri, Dec 24, 2010 at 4:54 AM, Andreas Veithen <[email protected]> wrote:
> >>
> >> Unfortunately, the release candidate doesn't yet meet the (new) ASF
> >> requirements for a valid release :-(. See [1]:
> >>
> >> "Every artifact distributed by the Apache Software Foundation should
> >> and every new one must be accompanied by one file containing an
> >> OpenPGP compatible ASCII armored detached signature and another file
> >> containing an MD5 checksum."
> >>
> >> Although the document doesn't mention Maven artifacts explicitly, the
> >> common interpretation [2] of this requirement is that every individual
> >> Maven artifact must be signed.
> >
> > I will get this clarified, as to how this should be done. Signing Maven
> > artifacts should not be done manually, it should be done automatically
> > through Maven itself. And, I don't see many Apache projects doing the
> > same as of now.
> >>
> >> Also, I think that the key used to sign the distributions doesn't meet
> >> the new requirements in terms of key type and length.
> >
> > Yes, that's a concern, the required key-lengths were revised, and
> > mentioned at the very top of [1]. There were some instructions on how
> > you could upgrade, if you already have a weak key.
> >>
> >> These requirements are part of the reasons why I migrated Axiom, Axis2
> >> and Sandesha2 to the (new) standard ASF release process based on
> >> maven-release-plugin and Nexus. It automates most of the stuff and
> >> Nexus does some validation of the artifacts already when staging them.
> >> I think we should migrate Rampart as well, at least for the next
> >> release.
> >
> > So, have you got the Maven Release plugin to sign artifacts as mentioned,
> > plus upload them to ASF's Maven repositories in a single go?
>
> Yes. Here are the documents that explain how this is executed for
> Axiom and Axis2:
>
> http://ws.apache.org/axiom/devguide/ch02.html#d0e326
> http://axis.apache.org/axis2/java/core/release-process.html
>
> Sandesha2 pretty much sticks to the standard procedure:
>
> http://www.apache.org/dev/publishing-maven-artifacts.html
>
> As mentioned earlier, before this could be applied to Rampart, you
> would have to request inclusion of org.apache.rampart in the staging
> profile for Axis2.
>

Thanks for the information. For the benefit of someone who's reading this
mail thread, the documents that Andreas linked also explain how you could
publish the artifacts on the staging repo etc.

Having said that, I am yet to figure out the legitimacy (hard to find the
people during the holiday season :-) ) of a release without having the
Maven artifacts signed, for projects that are not under the Maven PMC (I
found out that they do need something as such).

But, as you have mentioned in your first reply to this thread, I'm +1 for
introducing the same concepts for Rampart. My concern is that, if these
requirements are not mandatory, we could go ahead with this release, instead
of delaying it (some other releases, Synapse is also waiting for this
AFAIK), and fix these inconsistencies for the next release.

However, in general, everything under [1] is mandatory, and enforced by the
ASF.

[1] http://www.apache.org/dev/release-signing.html

Thanks,
Senaka.

>
> > [1] http://www.apache.org/dev/release-signing.html
> >
> > Thanks,
> > Senaka.
> >>
> >> Andreas
> >>
> >> [1] http://www.apache.org/dev/release-signing.html
> >> [2] http://people.apache.org/~henkp/repo/faq.html
> >>
> >> On Thu, Dec 23, 2010 at 05:37, Selvaratnam Uthaiyashankar
> >> <[email protected]> wrote:
> >> > Devs,
> >> >
> >> > This is the vote for Apache Rampart 1.5.1 release.
> >> >
> >> > Please review the signed artifacts:
> >> >
> >> > http://people.apache.org/~shankar/rampart/1.5.1/dist/
> >> >
> >> > The m2 repository is available at:
> >> > http://people.apache.org/~shankar/rampart/1.5.1/m2_repo/
> >> >
> >> > The site is temporarily hosted at:
> >> > http://people.apache.org/~shankar/rampart/1.5.1/site/
> >> >
> >> > SVN Info:
> >> > https://svn.apache.org/repos/asf/axis/axis2/java/rampart/tags/v1.5.1
> >> >
> >> > It was tested against Axis2 release candidates hosted in:
> >> > http://people.apache.org/~veithen/1.5.4/
> >> >
> >> > Here's my +1 (binding) to declare the above dist as Apache Rampart 1.5.1
> >> >
> >> > thanks,
> >> > Shankar
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: [email protected]
> >> > For additional commands, e-mail: [email protected]
> >> >
> >> >
> >>
> >>
> >
> >
> >
> > --
> > Senaka Fernando
> > Member; Apache Software Foundation; http://apache.org
> >
> > Associate Technical Lead & Product Manager - WSO2 G-Reg;
> > WSO2, Inc.; http://wso2.com
> >
> > E-mail: senaka AT apache.org
> > P: +94 11 223 2481; M: +94 77 322 1818
> > Linked-In: http://www.linkedin.com/in/senakafernando
> > Blog: http://senakafdo.blogspot.com
> >
> >
>
>
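
The requirement quoted in this thread (a detached `.asc` signature and an `.md5` checksum beside every individual Maven artifact) can be checked over a local repository tree before a vote is called. The following is an added example, not code from this thread or from ASF tooling: it assumes every file that is not itself a `.asc`, `.md5` or `.sha1` companion counts as an artifact, the function names are hypothetical, and it checks only that a signature file is present and that the recorded MD5 matches (verifying the signature and the key type and length needs an OpenPGP tool).

```python
import hashlib
import os
import tempfile
COMPANIONS = (".asc", ".md5", ".sha1")  # companion files, not artifacts

def audit_repo(root):
    """Map each artifact (relative path) to its list of problems."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(COMPANIONS):
                continue
            path = os.path.join(dirpath, name)
            problems = [] if name + ".asc" in files else ["missing .asc signature"]
            if name + ".md5" not in files:
                problems.append("missing .md5 checksum")
            else:
                with open(path, "rb") as fh:
                    actual = hashlib.md5(fh.read()).hexdigest()
                with open(path + ".md5", errors="replace") as fh:
                    recorded = fh.read().split()  # "<hex>" or "<hex>  name"
                if not recorded or recorded[0].lower() != actual:
                    problems.append("md5 mismatch")
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings

def build_sample_repo(root):  # constructed sample tree, not the Rampart RC
    d = os.path.join(root, "org", "example", "demo", "1.0")
    os.makedirs(d)
    md5 = lambda data: hashlib.md5(data).hexdigest().encode()
    files = {
        "demo-1.0.jar": b"jar bytes",
        "demo-1.0.jar.md5": md5(b"jar bytes"),
        "demo-1.0.jar.asc": b"placeholder, not a real signature",
        "demo-1.0.pom": b"<project/>",  # no .asc beside it
        "demo-1.0.pom.md5": md5(b"<project/>"),
        "demo-1.0-sources.jar": b"sources",
        "demo-1.0-sources.jar.md5": b"0" * 32,  # deliberately wrong
        "demo-1.0-sources.jar.asc": b"placeholder",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(audit_repo(tmp))
```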
