Comments inline: > Apache is about Open Source. There is a huge emphasis on the "Source" > part, to the degree that there are times when some projects don't even > release binaries at all, only the sources.
I apologize if I got this very wrong. I looked at several Apache TLP projects and used them as guidance. Specifically, this sample release artifact is based on Wicket, which, unpacked, looks almost identical in its structure (see http://mirror.cinquix.com/pub/apache/wicket/1.3.5/apache-wicket-1.3.5.tar.gz). The theory was that our release artifact contains both the binaries (in the lib folder in the archive) and the source (the src folder in the archive). > So the "Released Artifact" are the sources and the build system (incl > instructions) required to produce a useful binary. The binary output > is NOT included in the primary release artifact, but is "generated" by > it. So; SVN --(packaging)--> Source Release --(build+package)--> > Binary Release Is that not the case in the sample I sent out? The user can browse the source in the src dir and run "ant" at the root folder to produce a useful binary. > So, on these grounds, I am not going to recommend the PMC to approve > the release. I hadn't put it to a vote yet (even on this list, let alone incubator general), as I was looking for feedback before I did so. As such, I wouldn't expect that you'd recommend to release this yet :) > Here is what is needed; > > 1. Create a target in the Ant build, that zips/tars up the SVN > sources, not including the .svn directories. Sources in this instance > means everything that is needed to build Pivot, except for "System > Requirements" (listed in the README/BUILD). Ant and JDK is typical > System Requirements, as are any external jar files that are only > required for the build, BUT some people (like myself) prefer to have > them part of the source dist. The dist target does this - that's what lies in the src folder of the release archive. We also figured there were legal issues with packaging up library dependencies. Is this not the case? > 2. That zip/tar IS your primary release artifact; > apache-pivot-1.1-incubating.tar.gz Yes, what I sent out *is* just that. No offense (seriously), but I honestly am wondering whether you looked at the same thing that I created. Are we both talking about the files in http://people.apache.org/~tvolkert/pivot/ ?? > 3. Using that zip/tar, execute another Ant target (for instance > 'install') which compiles, jars and sticks everything into a > 'generated/apache-pivot-1.1-incubating' directory. The tarball *contains* the apache-pivot-1.1-incubating folder, a-la Wicket. > 4. The same target could also create a zip/tar of the > 'generated/apache-pivot-1.1-incubating', and that IS your > supplementary binary release. The binary release is contained in the folder, as a sibling of the src folder. > 5. Ask a couple of community members to sanity check the binary > release, and make sure it is useful. That was the email I sent out to which you are replying. > 6. Let people worry about Maven distro separately. And perhaps later > migrate to Maven build system, if you find Maven support important and > want to simplify such process. Yes, we decided that today on the thread entitled "Version numbering solution?" > 7. Finally, the release artifacts needs checksums and signatures. The > PGP signature should be uploaded to at least one or two public PGP > servers, such as pgp.mit.edu, and eventually be cross-signed in person > with other people in Apache (for instance at an ApacheCon event). That > creates the Apache Web of Trust. This may seem like a lot of work for > nothing, but there are some people who takes this aspect of Apache > very, very seriously. See > http://www.apache.org/dev/release-signing.html for more details. This is one reason that I think you may have looked at the wrong thing. Our KEYS file is checked in, is provided at http://people.apache.org/~tvolkert/pivot/, along with the PGP ascii armored detached signature (.asc) files, along with the MD5 and SHA digest files. I am actually one of those people that take this aspect very, very seriously :) > Apache level FAQ on releases are here; http://www.apache.org/dev/release.html > Note that additional requirements are imposed by the Incubator, and is > found embedded in > http://incubator.apache.org/guides/releasemanagement.html. Yes, I read these pages at least three times each to make sure I was in compliance to the best of my effort, which is why I'm left extremely confused at your email to which I'm currently replying... -T
