Hi Attila,
On 26.12.2024 18:29, Attila Szegedi wrote:
> I want to stress that it being released in this state was entirely my fault – I was devoting an odd half hour of my time to this every now and then, and apparently managed to think I'm releasing something I already reasonably tested, but then… turns out I didn't. I should've known better than to release anything without one last re-run of all tests.
I guess the blame is to be shared. As it turns out, my patch fixed the bug reproducer, but broke all the other scripting tests we have in Log4j. Honestly I didn't run them before the 15.5 release.
Would it be possible to publish Nashorn RCs to a staging Nexus repository and announce its URL on the mailing list? If there is enough delay between the RC and the release, we could run our tests and report any problems before the release reaches Maven Central.
Apache releases, e.g., have a 72-hour voting period between the RC and the release. This period theoretically allows users to vote -1 if the release breaks their application. The vote is non-binding, but usually taken into consideration by the maintainers.
In practice, obviously, this almost never happens, since it is a manual process, but I could run the tests before each Nashorn release.
[In the future I hope that networks, such as the Transparency Exchange API[1], will allow the process to be automated]
Piotr
[1] https://github.com/CycloneDX/transparency-exchange-api
