Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-13 Thread Juven Xu
What I saw is some of those staged artifacts were missing signatures. Nexus works correctly, it only complained the missing ones, not all. On Wed, Jan 13, 2010 at 2:32 PM, Stephen Connolly < stephen.alan.conno...@gmail.com> wrote: > 2010/1/13 Brian Fox : > > We should definitely fix this, both in

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Stephen Connolly
2010/1/13 Brian Fox : > We should definitely fix this, both in the GPG and in Nexus. Currently > it expects all files to be signed and this is the first one we've come > across that wasn't signed. I'll disable the rule now until it's sorted > out and close the repo for you. > > Stephen, what ended

Re: site descriptor and the lifecycle (was: repository.apache.org, gpg signatures and site:attach-descriptor)

2010-01-12 Thread Brett Porter
On 13/01/2010, at 1:23 PM, Jason van Zyl wrote: > > On 2010-01-12, at 5:52 PM, Brett Porter wrote: > >> >> On 13/01/2010, at 7:53 AM, Dennis Lundberg wrote: >> >>> Jason van Zyl wrote: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and ca

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Brian Fox
We should definitely fix this, both in the GPG and in Nexus. Currently it expects all files to be signed and this is the first one we've come across that wasn't signed. I'll disable the rule now until it's sorted out and close the repo for you. Stephen, what ended up being the fix for the rest of

Re: site descriptor and the lifecycle (was: repository.apache.org, gpg signatures and site:attach-descriptor)

2010-01-12 Thread Jason van Zyl
On 2010-01-12, at 5:52 PM, Brett Porter wrote: > > On 13/01/2010, at 7:53 AM, Dennis Lundberg wrote: > >> Jason van Zyl wrote: >>> The site stuff needs to be completely decoupled from releases. It such a >>> horrible coupling and causes nothing but problems. Release and the >>> documentation

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Wendy Smoak
On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly wrote: > For some reason the site descriptor does not get a signature generated > by the gpg plugin. > > As r.a.o now requires all artifacts to be signed, it would appear to > be impossible to close a staged repository. If it's going in the repo,

Re: site descriptor and the lifecycle (was: repository.apache.org, gpg signatures and site:attach-descriptor)

2010-01-12 Thread Brett Porter
On 13/01/2010, at 7:53 AM, Dennis Lundberg wrote: > Jason van Zyl wrote: >> The site stuff needs to be completely decoupled from releases. It such a >> horrible coupling and causes nothing but problems. Release and the >> documentation that goes along with it are completely separate. > > That

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Brett Porter
On 13/01/2010, at 4:59 AM, Daniel Kulp wrote: > > Why is the site descriptor being generated for surefire? Because it has an inherited site descriptor to share across the subprojects: http://svn.apache.org/viewvc/maven/surefire/tags/surefire-2.5/src/site/site.xml?view=log For Stephen to work

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Dennis Lundberg
Jason van Zyl wrote: > The site stuff needs to be completely decoupled from releases. It such a > horrible coupling and causes nothing but problems. Release and the > documentation that goes along with it are completely separate. That might be so, but the site descriptor is needed for (site) inh

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Jason van Zyl
Look at the POM lifecycle. The site stuff is wedged in there. I removed this in 3.x. http://svn.apache.org/repos/asf/maven/maven-2/tags/maven-2.2.0/maven-core/src/main/resources/META-INF/plexus/components.xml On 2010-01-12, at 12:59 PM, Daniel Kulp wrote: > > Why is the site descriptor being g

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Stephen Connolly
Then project site generation will be borked (even more than usual) I've no issues using 3.0-SNAPSHOT 2010/1/12 Jason van Zyl : > You can use 3.x, I removed the site stuff from the lifecycle :-) > > On 2010-01-12, at 12:42 PM, Stephen Connolly wrote: > >> Fair enough, but we cannot make releases a

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Daniel Kulp
Why is the site descriptor being generated for surefire? The shade release two weeks ago didn't generate a site file: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-shade-plugin/1.3/ and neither did the patch plugin: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-patc

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Jason van Zyl
You can use 3.x, I removed the site stuff from the lifecycle :-) On 2010-01-12, at 12:42 PM, Stephen Connolly wrote: > Fair enough, but we cannot make releases as things currently stand > > 2010/1/12 Jason van Zyl : >> The site stuff needs to be completely decoupled from releases. It such a >>

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Stephen Connolly
The root cause seems to be that m-gpg-p does not consider that project.artifact may have multiple entries (specifically the site metadata) We can argue that the site needs to be decoupled from releasing, but as the site descriptor is one of the artifacts of a project (as opposed to the site) then

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Stephen Connolly
Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl : > The site stuff needs to be completely decoupled from releases. It such a > horrible coupling and causes nothing but problems. Release and the > documentation that goes along with it are completely sepa

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Jason van Zyl
The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: > > Why does the site descriptor need to be

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Daniel Kulp
Why does the site descriptor need to be "released" as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: > I've raised http://jira.codehaus.org/

Re: repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Stephen Connolly
I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly : > For some reason the site descriptor does not g

repository.apache.org, gpg signatures and site:attach-descriptor

2010-01-12 Thread Stephen Connolly
For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen --