Replying on the dev list; I pinged you privately 'cause I was just hoping to catch you before I went to bed :)
Your steps below explain very well what you saw and where you're coming from. I will address these issues today and post another candidate for a sanity check. Comments inline: > I really want you to get this right, and willing to assist as much as > I can. I know that the first round is really, really painful, but it > will get smoother if you manage to automate most stuff. > > Ok, here is what I did this morning; > > 1. I downloaded > http://people.apache.org/~tvolkert/pivot/apache-pivot-1.1-incubating.tar.gz > > 2. I downloaded > http://people.apache.org/~tvolkert/pivot/apache-pivot-1.1-incubating.zip > because I was curious why the size was so different, and assumed that > they were different (have not checked that yet). Yeah, this confused me as well. I set the compression level to 9 in the zip to try to get the size down, but it's still significantly larger than the tar.gz, which baffles me. Is ZIP really that much less efficient? > 3. I opened build.xml and saw the following; > <?xml version="1.0" encoding="UTF-8"?> > <project default="build"> > <target name="build"> > <mkdir dir="bin"/> > <javac srcdir="src" destDir="bin" debug="true"/> > </target> > </project> > And I went "Oh oh", since I know the build.xml in SVN is a mile long. Yeah, this relates to the discussion we had on list a few days back about whether the built binaries need to be packaged in jars the same way as our release archive or whether .class files are sufficient. I'll re-organize this today so that the release archive build.xml is the same as the SVN one, eliminating this issue. > 4. I looked in lib/ and I saw; > pivot-charts-incubating.jar pivot-tools-incubating.jar > pivot-web-incubating.server.jar pivot-wtk-incubating.terra.jar > pivot-core-incubating.jar pivot-web-incubating.jar > pivot-wtk-incubating.jar > > 5. I removed the everything in the lib folder, since that is obvious > binary outputs. I may be slow sometimes, but I finally understand that the goal is for the user to be able to produce an *exact match* with our binary distribution by building from source. :) > 6. I ran Ant. I got build problems and looked in the BUILD. It > explained why, and since I didn't have the system requirements > available, I stopped on that track. So you made reference yesterday to the fact that you prefer to include library dependencies in your distributions. I would love to as well, but I was under the impression that we couldn't legally include such JAR files. I'll look again on apache.org for guidelines, but I take it that this is an option for us? > 7. I went to pgp.mit.edu and looked up "Todd Volkert" and low and > below there was an entry. "Excellent I thought.", but the email wasn't > one I was used to, and it dated back to 2000, so I assumed that was > not the key that you have used to sign with. The re-iteration in the > list, is just to emphasize the importance and not criticism that > something is not right. No worries - I was not offended, just confused. :) I did upload my public key using 'gpg --send-key DB0924F6' on Friday (March 27). http://apache.org/dev/release-signing.html#keyserver states that "The major public key servers synchronize their records regularly so a key uploaded to one should be disseminated to the rest.", so I assumed that my work was done with respect to uploading my public key. How do I make sure that the MIT key server gets it? With respect to the key you found, that's from a previous life :) The one at http://people.apache.org/~tvolkert/pivot/KEYS is the one that I created for the purpose of release signing and the one I want to get propagated to the public key servers. Also, with respect to the web of trust, I won't get a chance to attend ApacheCon until November (ApacheCon US) -- can we release if my key is not in the web of trust? > We will get this right... It just will take a while. Thanks for your help and patience.
