Hmm, didn't seem to work. Will try to track down someone w/ Maven knowledge at AC. Random dumb idea: just check in the sigs into lib directory and deploy them. Then, we just need to update the sigs whenever we update the JAR. Sean, I'm at training all day, could you do that? Anyone see an issue doing this? These signatures are just for those artifacts in the lib directory. Then, in the core/pom.xml where we do the deploy stuff, we would roll back the sign-and-deploy stuff and add executions that also deploy the asc files.

-Grant

On Nov 3, 2009, at 6:45 AM, Grant Ingersoll wrote:

I am trying: http://maven.apache.org/plugins/maven-gpg-plugin/sign-and-deploy-file-mojo.html right now. Assuming that goes through, we can call a vote.

I agree, in general, we need to be able to get releases out faster and more reliably. People also should, especially when it is near release time, be encouraged to try trunk, as we aren't going to be making drastic changes at that point and it is much better to get the testing out of the way up front.

-Grant


On Nov 3, 2009, at 6:02 AM, Sean Owen wrote:

Yeah OK, then sign by hand? Sigs are important indeed.

I'm just weighing this against, again, 2 more emails today about
problems that I fixed ages ago, that people aren't getting since
they're downloading 0.1. You guys are also in a great position to
promote 0.2 in person. I think it'd be great to get them out ASAP.

Is there anything at all I can do?

On Tue, Nov 3, 2009 at 1:58 PM, Grant Ingersoll <gsing...@apache.org> wrote:

On Nov 3, 2009, at 5:47 AM, Sean Owen wrote:

What were you referring to in your last email then about legal bits? I
am genuinely curious to understand things like that since they are
important.

Oh, sorry.  Was confused by your confusion!

The relevant line in the prior email was:

"Any and all artifacts that we put up under our stuff are our artifacts and people need to be able to verify that what we put up is what we intended to put up."

So, those are the legal bits. People need to be able to trust what we put
up there.  Sigs and MD5 hashes, etc. help establish that trust.

You can read more about ASF reqs on releases at:
http://www.apache.org/dev/#releases




