It's actually not difficult at all to set this up correctly. Here is
what needs to be done:

1. Make sure that the project uses a recent version of the
org.apache:apache super-POM (which contains the relevant default
configurations for the standard Apache release process).
2. Ask infra to add org.apache.rampart to the Axis2 staging profile
(see INFRA-3271 for the corresponding request for Sandesha2).
3. Eliminate stuff from the Rampart POMs that conflicts with the
configurations in org.apache:apache.
4. [For the RM and other people who want to test the release process]
Set up the credentials in settings.xml as described in [1].
5. Test the release process, check the produced artifacts and do
whatever fixes are necessary.

It should only take a couple of hours to do the necessary changes. The
only uncertainty is item 2, because this requires somebody from the
infra team to pick up and execute the task.

Andreas

[1] http://axis.apache.org/axis2/java/core/release-process.html#Pre-requisites

On Sat, Dec 25, 2010 at 10:18, Senaka Fernando <[email protected]> wrote:
> Hi all,
>
> Andreas is correct. I discussed the issue on legal@, and the conclusions
> were to stage a Maven Repository. Also, we might need to work with infra@ to
> get the permissions etc sorted out, and we will have to use the Maven
> release plugin to sign the Maven artifacts.
>
> Now, Rampart and Sandesha2, should be having a nearly similar structure, and
> we should be able to follow the same approach here.
>
> Thanks,
> Senaka.
>
> On Sat, Dec 25, 2010 at 2:14 AM, Andreas Veithen <[email protected]> wrote:
>>
>> On Fri, Dec 24, 2010 at 16:07, Senaka Fernando <[email protected]> wrote:
>> > Hi Andreas,
>> >
>> > On Fri, Dec 24, 2010 at 2:04 PM, Andreas Veithen <[email protected]> wrote:
>> >>
>> >> On Fri, Dec 24, 2010 at 07:33, Senaka Fernando <[email protected]> wrote:
>> >> > Hi Andreas,
>> >> >
>> >> > Many thanks for reminding.
>> >> >
>> >> > On Fri, Dec 24, 2010 at 4:54 AM, Andreas Veithen <[email protected]> wrote:
>> >> >>
>> >> >> Unfortunately, the release candidate doesn't yet meet the (new) ASF
>> >> >> requirements for a valid release :-(. See [1]:
>> >> >>
>> >> >> "Every artifact distributed by the Apache Software Foundation should
>> >> >> and every new one must be accompanied by one file containing an
>> >> >> OpenPGP compatible ASCII armored detached signature and another file
>> >> >> containing an MD5 checksum."
>> >> >>
>> >> >> Although the document doesn't mention Maven artifacts explicitly, the
>> >> >> common interpretation [2] of this requirement is that every individual
>> >> >> Maven artifact must be signed.
>> >> >
>> >> > I will get this clarified, as to how this should be done. Signing Maven
>> >> > artifacts should not be done manually, it should be done automatically
>> >> > through Maven itself. And, I don't see many Apache projects doing the
>> >> > same as of now.
>> >> >>
>> >> >> Also, I think that the key used to sign the distributions doesn't meet
>> >> >> the new requirements in terms of key type and length.
>> >> >
>> >> > Yes, that's a concern, the required key-lengths were revised, and
>> >> > mentioned at the very top of [1]. There were some instructions on how
>> >> > you could upgrade, if you already have a weak key.
>> >> >>
>> >> >> These requirements are part of the reasons why I migrated Axiom, Axis2
>> >> >> and Sandesha2 to the (new) standard ASF release process based on
>> >> >> maven-release-plugin and Nexus. It automates most of the stuff and
>> >> >> Nexus does some validation of the artifacts already when staging them.
>> >> >> I think we should migrate Rampart as well, at least for the next
>> >> >> release.
>> >> >
>> >> > So, have you got the Maven Release plugin to sign artifacts as mentioned,
>> >> > plus upload them to ASF's Maven repositories in a single go?
>> >>
>> >> Yes. Here are the documents that explain how this is executed for
>> >> Axiom and Axis2:
>> >>
>> >> http://ws.apache.org/axiom/devguide/ch02.html#d0e326
>> >> http://axis.apache.org/axis2/java/core/release-process.html
>> >>
>> >> Sandesha2 pretty much sticks to the standard procedure:
>> >>
>> >> http://www.apache.org/dev/publishing-maven-artifacts.html
>> >>
>> >> As mentioned earlier, before this could be applied to Rampart, you
>> >> would have to request inclusion of org.apache.rampart in the staging
>> >> profile for Axis2.
>> >
>> > Thanks for the information. For the benefit of someone who's reading this
>> > mail thread, the documents that Andreas linked also explain how you could
>> > publish the artifacts on the staging repo etc.
>> >
>> > Having said that, I am yet to figure out the legitimacy (hard to find the
>> > people during the holiday season, :-).. ) of a release without having the
>> > Maven artifacts signed, for projects that are not under the Maven PMC (I
>> > found out that they do need something as such).
>> >
>> > But, as you have mentioned in your first reply to this thread, I'm +1 for
>> > introducing the same concepts for Rampart. My concern is that, if these
>> > requirements are not mandatory, we could go ahead with this release, instead
>> > of delaying it (some other releases, Synapse is also waiting for this
>> > AFAIK), and fix these inconsistencies for the next release.
>>
>> I think these requirements are mandatory for all projects. What is
>> sure is that if the Maven artifacts are not signed, you will get a
>> friendly reminder about that:
>>
>> http://markmail.org/search/?q=%22your+MAVEN+repo+artifacts%22
>>
>> We can't simply ignore this.
>>
>> > However, in general, everything under [1] is mandatory, and enforced by the
>> > ASF.
>> >
>> > [1] http://www.apache.org/dev/release-signing.html
>> >
>> > Thanks,
>> > Senaka.
>> >>
>> >> > [1] http://www.apache.org/dev/release-signing.html
>> >> >
>> >> > Thanks,
>> >> > Senaka.
>> >> >>
>> >> >> Andreas
>> >> >>
>> >> >> [1] http://www.apache.org/dev/release-signing.html
>> >> >> [2] http://people.apache.org/~henkp/repo/faq.html
>> >> >>
>> >> >> On Thu, Dec 23, 2010 at 05:37, Selvaratnam Uthaiyashankar <[email protected]> wrote:
>> >> >> > Devs,
>> >> >> >
>> >> >> > This is the vote for Apache Rampart 1.5.1 release.
>> >> >> >
>> >> >> > Please review the signed artifacts:
>> >> >> >
>> >> >> > http://people.apache.org/~shankar/rampart/1.5.1/dist/
>> >> >> >
>> >> >> > The m2 repository is available at:
>> >> >> > http://people.apache.org/~shankar/rampart/1.5.1/m2_repo/
>> >> >> >
>> >> >> > The site is temporarily hosted at:
>> >> >> > http://people.apache.org/~shankar/rampart/1.5.1/site/
>> >> >> >
>> >> >> > SVN Info:
>> >> >> >
>> >> >> > https://svn.apache.org/repos/asf/axis/axis2/java/rampart/tags/v1.5.1
>> >> >> >
>> >> >> > It was tested against Axis2 release candidates hosted in:
>> >> >> > http://people.apache.org/~veithen/1.5.4/
>> >> >> >
>> >> >> > Here's my +1 (binding) to declare the above dist as Apache Rampart 1.5.1
>> >> >> >
>> >> >> > thanks,
>> >> >> > Shankar
>> >> >> >
>> >> >> >
>> >> >> > ---------------------------------------------------------------------
>> >> >> > To unsubscribe, e-mail: [email protected]
>> >> >> > For additional commands, e-mail: [email protected]
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Senaka Fernando
>> >> > Member; Apache Software Foundation; http://apache.org
>> >> >
>> >> > Associate Technical Lead & Product Manager - WSO2 G-Reg;
>> >> > WSO2, Inc.; http://wso2.com
>> >> >
>> >> > E-mail: senaka AT apache.org
>> >> > P: +94 11 223 2481; M: +94 77 322 1818
>> >> > Linked-In: http://www.linkedin.com/in/senakafernando
>> >> > Blog: http://senakafdo.blogspot.com
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >>
>> >
>>
>>
>
>
>
>
>
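
Step 5 of the list at the top says to check the produced artifacts, and the ASF requirement quoted in the thread is a detached ASCII-armored signature plus an MD5 checksum for every artifact. The Python check below is an added example, not part of the original thread or of the Apache release tooling; the function names, the `example-module` tree and its file contents are constructed for illustration, and skipping `maven-metadata` files is an assumption.

```python
import hashlib
from pathlib import Path

SIDECARS = (".asc", ".md5", ".sha1")      # companion files, not artifacts
ARMOR = "-----BEGIN PGP SIGNATURE-----"   # first line of an armored detached signature

def audit_staged_repo(root):
    """Map each failing artifact to its problems (maven-metadata skipped: an assumption)."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name.endswith(SIDECARS) or path.name.startswith("maven-metadata"):
            continue
        problems = []
        sig = path.with_name(path.name + ".asc")
        if not sig.is_file():
            problems.append("missing .asc")
        elif ARMOR not in sig.read_text(errors="replace"):
            problems.append(".asc not ASCII-armored")
        md5 = path.with_name(path.name + ".md5")
        if not md5.is_file():
            problems.append("missing .md5")
        else:
            # Some tools write "<hex>  <filename>"; compare the first token only.
            tokens = md5.read_text(errors="replace").split()
            if not tokens or tokens[0].lower() != hashlib.md5(path.read_bytes()).hexdigest():
                problems.append("md5 mismatch")
        if problems:
            findings[path.relative_to(root).as_posix()] = problems
    return findings

def build_sample_repo(root):
    """Constructed sample tree: one complete artifact, one unsigned, one with a bad checksum."""
    base = Path(root) / "org/apache/rampart/example-module/1.5.1"  # hypothetical module
    base.mkdir(parents=True)
    for name, signed, good in [("example-module-1.5.1.jar", True, True),
                               ("example-module-1.5.1.pom", False, True),
                               ("example-module-1.5.1-sources.jar", True, False)]:
        data = ("constructed content of " + name).encode()
        (base / name).write_bytes(data)
        if signed:
            (base / (name + ".asc")).write_text(ARMOR + "\n(constructed)\n")
        digest = hashlib.md5(data if good else b"tampered").hexdigest()
        (base / (name + ".md5")).write_text(digest + "\n")
    (base.parent / "maven-metadata.xml").write_text("<metadata/>")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(audit_staged_repo(tmp))
```

The `.asc` test here is structural only; verifying the signature itself still requires `gpg --verify <file>.asc <file>` against the release manager's public key.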
