Hi Tilmann, I would follow the Nexus rules and include the .md5 and .sha1 in order to stage the release.
We can always remove these obsolete checksum files when we publish the release on dist/db/jdo. After the build/vote process is done. Separately, the bui...@apache.org might be the place to ask whether we have configured the pom correctly. Or the d...@maven.apache.org mail list. If you're not subscribed to the lists you can see any replies by going to lists.apache.org and looking at the recent posts (after you post). I would ask on these lists but it doesn't seem to make sense for me to be the middleman here... Best, Craig > On Nov 14, 2021, at 11:09 AM, Tilmann <tilmann_...@gmx.de> wrote: > > Dear all, > > I just tried to stage JDO 3.2 RC3. As discussed (and suggested here), I > removed the .md5 and .sha1 files from the source-release.zip/.tar.gz. > > This result in an error because the Nexus's Apache Rules require these files: > > <Iischsi0FEdP4bUR.png> > > I am not sure where these rules are defined, whether I could or even should > change them. > > Proposal: > > Contrary to what we discussed and what is specified here > <https://infra.apache.org/release-distribution> and here > <https://infra.apache.org/publishing-maven-artifacts.html>, I would follow > the Nexus's Apache Rules and include the .md5 and .sha1 files for the > .zip/.tar.gz files. > In other words, I would follow the coded Apache Rules instead of the written > ones. > > Any comments, suggestions, opinions.... ? > We can also discuss this on Thursday. > > Cheers, > Til > > > > P.S.: The artifact's content: > <jWEAIysOuhZI76Pj.png> > > > > > > On 08/11/2021 23:20, Tilmann Zäschke wrote: >> Dear all, >> >> I just staged JDO 3.2 RC2. Please have a look and report any problems: >> https://repository.apache.org/content/repositories/orgapachejdo-1002 >> <https://repository.apache.org/content/repositories/orgapachejdo-1002> >> >> Changes: >> - archives are now available as .zip and as .tar.gz >> - the "source-release" archives are now signed with SHA512 >> - The pom now has the "timestamp" property >> - Some updates on the release instructions >> >> Note: >> - The API is still signed with sha1 only. I believe this is in line with >> the >> requirement of Nexus which does not seem to support SHA256 or SHA512. >> - The parent .pom has its <scm> section removed. It gets removed by the >> release plugin, not sure whether this is a feature or how it can be >> avoided. >> I will add the section again after the release. >> >> Kind regards, >> Tilmann Craig L Russell c...@apache.org
