Hi Lewis, Il giorno ven 7 apr 2017 alle ore 18:19 lewis john mcgibbney < lewi...@apache.org> ha scritto:
> Hi Tomasso, > > On Thu, Apr 6, 2017 at 5:31 AM, < > dev-digest-h...@joshua.incubator.apache.org > > wrote: > > > > > From: Tommaso Teofili <tommaso.teof...@gmail.com> > > To: dev@joshua.incubator.apache.org > > Cc: > > Bcc: > > Date: Sat, 01 Apr 2017 17:06:06 +0000 > > Subject: Re: ping on RC4 vote > > I really have no idea, I just executed the Maven commands as per wiki > [1], > > then I found out that in my /target directory I had all the expected > > artifacts but no md5 / sha1 signatures for them, on the other hand it > seems > > they got generated at some point and existed in the staging repo on > Nexus. > > > > This seems strange, I just used a very similar release procedure on another > project (Gora) and we were able to provide all signatures with staging and > repository artifacts being the same. It should be noted however that the > release policy [0] does not explicitly mention which type of cryptographic > signature method be used, only that "...All supplied packages MUST be > cryptographically signed by the Release Manager with a detached signature." > > [0] http://apache.org/legal/release-policy.html#release-signing > > In my opinion, if one method of signature is provided (which it is) then > that satisfies the release policy. The mismatch does however raise > questions as to whether the staging and repository artifacts are the same. > I thought I would check it out, here are my results. > > I calculated an md5 checksum for the staging -src.tar.gz artifact and then > repository artifact as follows > > gpg --print-md MD5 joshua-incubating-6.1-src.tar.gz > > joshua-incubating-6.1-src.tar.gz.md5 > joshua-incubating-6.1-src.tar.gz: 9A 13 8A E8 F6 A3 12 8C 64 77 9B 29 18 > FD 86 > 48 > > gpg --print-md MD5 joshua-incubating-6.1-src.tar.gz > > joshua-incubating-6.1-src.tar.gz.md5 > joshua-incubating-6.1-src.tar.gz: 16 75 A7 A9 B0 D7 DF 56 61 06 52 FA C9 > 12 D2 > 6F > > I then undertook a manual diff of the directories > > diff -r apache-joshua-6.1-incubating ./maven/apache-joshua-6.1-incubating | > grep apache-joshua-6.1-incubating | awk '{print $4}' > difference1.txt > > difference1.txt contained the following entries > > build_binary > lmplz > query > sentclient > sentclient.dSYM > sentserver > sentserver.dSYM > > These files can be found at the following locations > > lmcgibbn@LMC-056430 <0564%2030> ~/Desktop/apache-joshua-6.1-incubating $ > find . -name > "build_binary" > ./bin/build_binary > lmcgibbn@LMC-056430 <0564%2030> ~/Desktop/apache-joshua-6.1-incubating $ > find . -name > "lmplz" > ./bin/lmplz > lmcgibbn@LMC-056430 <0564%2030> ~/Desktop/apache-joshua-6.1-incubating $ > find . -name > "query" > ./bin/query > lmcgibbn@LMC-056430 <0564%2030> ~/Desktop/apache-joshua-6.1-incubating $ > find . -name > "sentclient" > ./scripts/training/parallelize/sentclient > > ./scripts/training/parallelize/sentclient.dSYM/Contents/Resources/DWARF/sentclient > lmcgibbn@LMC-056430 <0564%2030> ~/Desktop/apache-joshua-6.1-incubating $ > find . -name > "sentclient.dSYM" > ./scripts/training/parallelize/sentclient.dSYM > lmcgibbn@LMC-056430 <0564%2030> ~/Desktop/apache-joshua-6.1-incubating $ > find . -name > "sentserver" > ./scripts/training/parallelize/sentserver > > ./scripts/training/parallelize/sentserver.dSYM/Contents/Resources/DWARF/sentserver > lmcgibbn@LMC-056430 <0564%2030> ~/Desktop/apache-joshua-6.1-incubating $ > find . -name > "sentserver.dSYM" > ./scripts/training/parallelize/sentserver.dSYM > > These are binary files and should not be included within the release > candidate. > > > > > Having realized that I manually created the md5 counterparts for source > > distribution packages and uploaded both artifacts and md5 signatures to > > /dist. > > > > I am not sure myself if this is a somewhat ok or expected behaviour (it's > > one of my first times as a release manager). > > > > I guess we could simply put the stuff from Nexus on /dist/dev instead, as > > that will anyway be the one that goes in /dist/release once we release > the > > staging repo, WDYT? > > > > > It is therefore my opinion that you replace the staging artifacts with the > artifacts present within repository... or DROP the release candidate and > push another one. > thanks a lot Lewis for your in depth analysis which makes things clearer now. I can find the mentioned (wrong) binary files in the source packages on dist/dev [1] while I can't find them within the ones on the staging repo [2]. So if I can copy the ones from the staging repo to dis/dev that should be ok, perhaps that's what I would have had to do in first place. What do you think ? Regards, Tommaso [1] : https://dist.apache.org/repos/dist/dev/incubator/joshua/6.1/ [2] : https://repository.apache.org/content/repositories/orgapachejoshua-1005/org/apache/joshua/joshua-incubating/6.1/ > Lewis >