[RESULT][VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0 - 2nd run

[Konrad Windszus]

Hi, 
the vote passes as follows:

+1 Tobias Bocanegra, Woonsan Ko, Konrad Windszus
No other votes have been cast

Thanks for voting. I'll push the release out.
Konrad

> On 10. Jan 2020, at 10:29, Konrad Windszus  wrote:
> 
> Hi,
> A (2nd) candidate for the Jackrabbit Filevault 3.4.2 release is available at:
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/
> 
> The release candidate is a zip archive of the sources in:
> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
> 
> The SHA1 checksum of the archive is 348e2724a164f6d4b6d9b4772aa73a92feb62f81.
> 
> The command for running automated checks against this release candidate is:
> $ sh check-release.sh filevault 3.4.2 348e2724a164f6d4b6d9b4772aa73a92feb62f81
> 
> ---
> 
> A (2nd) candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 
> release is available at:
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
> 
> The release candidate is a zip archive of the sources in:
> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/
> 
> The SHA1 checksum of the archive is 0990e2ac152a99caab55e5f778459ebf9b411864
> 
> The command for running automated checks against this release candidate is:
> $ sh check-release.sh filevault-plugin 1.1.0 
> 0990e2ac152a99caab55e5f778459ebf9b411864
> 
> ---
> 
> A staged Maven repository for both is available for review at:
> https://repository.apache.org/content/repositories/orgapachejackrabbit-1478
> 
> Please vote on releasing these packages
> The vote is open for a minimum of 72 hours during business days and passes
> if a majority of at least three +1 Jackrabbit PMC votes are cast.
> The vote fails if not enough votes are cast after 1 week (5 business days).
> 
> [ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
> "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
> [ ] -1 Do not release these packages because...
> 
> 
> Thanks,
> Konrad
> 

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0 - 2nd run

[Tobias Bocanegra]

> [X] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2"
> and "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"

[INFO] 
[INFO] Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 
2019-04-05T04:00:29+09:00)
[INFO] OS name: "mac os x", version: "10.15.2", arch: "x86_64", family: "mac"
[INFO] Java version: 1.8.0_221, vendor: Oracle Corporation, runtime: 
/Library/Java/JavaVirtualMachines/jdk1.8.0_221.jdk/Contents/Home/jre
[INFO] MAVEN_OPTS:
[INFO] 
[INFO] ALL CHECKS OK
[INFO] 

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0 - 2nd run

[Woonsan Ko]

[X] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2"
and "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"

...where...

[INFO] Apache Maven 3.5.0 (ff8f5e7444045639af65f6095c62210b5713f426;
2017-04-03T15:39:06-04:00)
[INFO] OS name: "mac os x", version: "10.15.2", arch: "x86_64", family: "mac"
[INFO] Java version: 1.8.0_144, vendor: Oracle Corporation
[INFO] MAVEN_OPTS:

Regards,

Woonsan

On Fri, Jan 10, 2020 at 4:29 AM Konrad Windszus  wrote:
>
> Hi,
> A (2nd) candidate for the Jackrabbit Filevault 3.4.2 release is available at:
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/
>
> The release candidate is a zip archive of the sources in:
> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
>
> The SHA1 checksum of the archive is 348e2724a164f6d4b6d9b4772aa73a92feb62f81.
>
> The command for running automated checks against this release candidate is:
> $ sh check-release.sh filevault 3.4.2 348e2724a164f6d4b6d9b4772aa73a92feb62f81
>
> ---
>
> A (2nd) candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 
> release is available at:
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
>
> The release candidate is a zip archive of the sources in:
> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/
>
> The SHA1 checksum of the archive is 0990e2ac152a99caab55e5f778459ebf9b411864
>
> The command for running automated checks against this release candidate is:
> $ sh check-release.sh filevault-plugin 1.1.0 
> 0990e2ac152a99caab55e5f778459ebf9b411864
>
> ---
>
> A staged Maven repository for both is available for review at:
> https://repository.apache.org/content/repositories/orgapachejackrabbit-1478
>
> Please vote on releasing these packages
> The vote is open for a minimum of 72 hours during business days and passes
> if a majority of at least three +1 Jackrabbit PMC votes are cast.
> The vote fails if not enough votes are cast after 1 week (5 business days).
>
> [ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
> "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
> [ ] -1 Do not release these packages because...
>
>
> Thanks,
> Konrad
>

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0 - 2nd run

[Konrad Windszus]

> [ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
> "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"

+1 from me.

All checks ok for both with

[INFO] 
[INFO] Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
[INFO] OS name: "mac os x", version: "10.15.2", arch: "x86_64", family: "mac"
[INFO] Java version: 1.8.0_222, vendor: AdoptOpenJDK, runtime: 
/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre
[INFO] MAVEN_OPTS: 
[INFO] 
[INFO] ALL CHECKS OK   
[INFO] 


Konrad

[VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0 - 2nd run

[Konrad Windszus]

Hi,
A (2nd) candidate for the Jackrabbit Filevault 3.4.2 release is available at:
https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/

The release candidate is a zip archive of the sources in:
https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/

The SHA1 checksum of the archive is 348e2724a164f6d4b6d9b4772aa73a92feb62f81.

The command for running automated checks against this release candidate is:
$ sh check-release.sh filevault 3.4.2 348e2724a164f6d4b6d9b4772aa73a92feb62f81

---

A (2nd) candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 
release is available at:
https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/

The release candidate is a zip archive of the sources in:
https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/

The SHA1 checksum of the archive is 0990e2ac152a99caab55e5f778459ebf9b411864

The command for running automated checks against this release candidate is:
$ sh check-release.sh filevault-plugin 1.1.0 
0990e2ac152a99caab55e5f778459ebf9b411864

---

A staged Maven repository for both is available for review at:
https://repository.apache.org/content/repositories/orgapachejackrabbit-1478

Please vote on releasing these packages
The vote is open for a minimum of 72 hours during business days and passes
if a majority of at least three +1 Jackrabbit PMC votes are cast.
The vote fails if not enough votes are cast after 1 week (5 business days).

[ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
"Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
[ ] -1 Do not release these packages because...


Thanks,
Konrad

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Tobias Bocanegra]

Hi Konrad,

I just built the trunk and it worked.

Ps: maybe we should add: `execute the check-release.sh` before sending the vote
To the releasing doc  [0]

[0] https://jackrabbit.apache.org/filevault/howto_release.html

On 10 Jan 2020, at 06:06, Konrad Windszus 
mailto:konra...@gmx.de>> wrote:



When I remove the . gitattributes from the checkout, I get the following error:

[ERROR] Failed to execute goal 
org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project 
org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 1]
[ERROR]

@Toby: Can you check again in the latest trunk. I applied some fixes to ensure 
backwards compatibility and adjusted exported package versions accordingly.

Unfortunately the SVN->Git sync is broken (so Travis cannot verify), I opened 
https://issues.apache.org/jira/browse/INFRA-19690 to track that.

If you confirm I will respin the release tomorrow...
Thanks,
Konrad

check-release.sh bug (was: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0)

[Tobias Bocanegra]

Hi,


Then a problem with the script itself:

[INFO] 3. Verify checksums and signatures
[INFO]
[INFO]Verifying jackrabbit-filevault-3.4.2-src.zip...
gpg: assuming signed data in 
'./filevault/3.4.2/jackrabbit-filevault-3.4.2-src.zip'
gpg: Signature made Wed Jan  8 18:03:46 2020 JST
gpg:using RSA key D7742D58455ECC7C
gpg: Good signature from "Konrad Windszus 
mailto:k...@apache.org>>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: B91A B7D2 121D C6B0 A61A  A182 D774 2D58 455E CC7C
[INFO]OK: jackrabbit-filevault-3.4.2-src.zip.asc
How do you usually sign keys?
I added mine to https://dist.apache.org/repos/dist/release/jackrabbit/KEYS, is 
there anything more to do? I thought this would be enough for verification that 
the key belongs to me. Are the steps from 
https://jackrabbit.apache.org/jcr/creating-releases.html#Appendix_A:_Create_and_add_your_key_to_the_Jackrabbit_KEYS_file
 not enough? I am wondering why this hasn't been an issue with the last 
release...


So, although the verification failed, the script reports OK (same for sha1).
Note, after importing your key, the verification succeeds.

I don't think this is a problem on your side, but I didn't have your key in my 
keyring when executing the script:

gpg: Good signature from "Konrad Windszus 
mailto:k...@apache.org>>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.

I would have expected the script to fail But maybe this is not a problem.

Regards, toby

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

> 
> When I remove the . gitattributes from the checkout, I get the following 
> error:
> 
> [ERROR] Failed to execute goal 
> org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project 
> org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 1]
> [ERROR]

@Toby: Can you check again in the latest trunk. I applied some fixes to ensure 
backwards compatibility and adjusted exported package versions accordingly.

Unfortunately the SVN->Git sync is broken (so Travis cannot verify), I opened 
https://issues.apache.org/jira/browse/INFRA-19690 
 to track that.

If you confirm I will respin the release tomorrow...
Thanks,
Konrad

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

I figured it out.
Was just a wrong configuration of the maven-bundle-plugin.
https://github.com/apache/jackrabbit-filevault/blob/0b5716a2ffd3390731d7a3949e00dccf2e37b29a/parent/pom.xml#L193
 

 incorrectly took the last version as baseline (even a SNAPSHOT) (a regression 
of 
https://github.com/apache/jackrabbit-filevault/commit/de88f25ce2128b43781c1a25e57b8899c4f106b0
 
).
Sticking to the default is much more reasonable: 
https://felix.apache.org/components/bundle-plugin/baseline-mojo.html#comparisonVersion
 


Fixed in http://svn.apache.org/viewvc?view=revision&revision=1872563 
.
Konrad

> On 9. Jan 2020, at 16:57, Konrad Windszus  wrote:
> 
> 
> 
>>> 
>>> When I remove the . gitattributes from the checkout, I get the following 
>>> error:
>>> 
>>> [ERROR] Failed to execute goal 
>>> org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project 
>>> org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 
>>> 1]
>>> [ERROR]
>>> 
>> I cannot reproduce, can you share the report?
> 
> Ok, I see what the issue is:
> For me it says:
> 
> [INFO] --- maven-bundle-plugin:4.2.1:baseline (baseline) @ 
> org.apache.jackrabbit.vault ---
> [INFO] Baseline Report - Generated by Apache Felix Maven Bundle Plugin on 
> 2020-01-09T16:45Z based on Bnd - see http://www.aqute.biz/Bnd/Bnd
> [INFO] Comparing bundle org.apache.jackrabbit.vault version 3.4.1-SNAPSHOT to 
> version 3.4.1-SNAPSHOT
> [INFO] 
> [INFO]   PACKAGE_NAME   DELTA  
> CUR_VERBASE_VER   REC_VERWARNINGS  
> [INFO] = == == 
> == == == ==
> [INFO]   org.apache.jackrabbit.vault.fs unchanged  2.4.0  
> 2.4.0  2.4.0  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.fs.api unchanged  2.7.1  
> 2.7.1  2.7.1  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.fs.config  unchanged  2.6.1  
> 2.6.1  2.6.1  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.fs.filter  unchanged  2.4.0  
> 2.4.0  2.4.0  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.fs.io  unchanged  2.9.1  
> 2.9.1  2.9.1  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.fs.spi unchanged  2.4.0  
> 2.4.0  2.4.0  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.packaging  unchanged  2.10.1 
> 2.10.1 2.10.1 - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.packaging.events   unchanged  1.0.1  
> 1.0.1  1.0.1  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.packaging.registry unchanged  1.3.0  
> 1.3.0  1.3.0  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.util   unchanged  2.4.0  
> 2.4.0  2.4.0  - 
> [INFO] 
> ---
> [INFO]   org.apache.jackrabbit.vault.util.xml.serialize unchanged  2.5.0  
> 2.5.0  2.5.0  - 
> [INFO] 
> ---
> [INFO] Baseline analysis complete, 0 error(s), 0 warning(s)
> 
> So obviously an incorrect version has been taken as baseline.
> 
> After manually executing "mvn 
> org.apache.felix:maven-bundle-plugin:4.2.1:baseline"
> I now get
> 
> [INFO] --- maven-bundle-plugin:4.2.1:baseline (default-cli) @ 
> org.apache.jackrabb

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

>> 
>> When I remove the . gitattributes from the checkout, I get the following 
>> error:
>> 
>> [ERROR] Failed to execute goal 
>> org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project 
>> org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 
>> 1]
>> [ERROR]
>> 
> I cannot reproduce, can you share the report?

Ok, I see what the issue is:
For me it says:

[INFO] --- maven-bundle-plugin:4.2.1:baseline (baseline) @ 
org.apache.jackrabbit.vault ---
[INFO] Baseline Report - Generated by Apache Felix Maven Bundle Plugin on 
2020-01-09T16:45Z based on Bnd - see http://www.aqute.biz/Bnd/Bnd
[INFO] Comparing bundle org.apache.jackrabbit.vault version 3.4.1-SNAPSHOT to 
version 3.4.1-SNAPSHOT
[INFO] 
[INFO]   PACKAGE_NAME   DELTA  CUR_VER  
  BASE_VER   REC_VERWARNINGS  
[INFO] = == == 
== == == ==
[INFO]   org.apache.jackrabbit.vault.fs unchanged  2.4.0
  2.4.0  2.4.0  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.fs.api unchanged  2.7.1
  2.7.1  2.7.1  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.fs.config  unchanged  2.6.1
  2.6.1  2.6.1  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.fs.filter  unchanged  2.4.0
  2.4.0  2.4.0  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.fs.io  unchanged  2.9.1
  2.9.1  2.9.1  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.fs.spi unchanged  2.4.0
  2.4.0  2.4.0  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.packaging  unchanged  2.10.1   
  2.10.1 2.10.1 - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.packaging.events   unchanged  1.0.1
  1.0.1  1.0.1  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.packaging.registry unchanged  1.3.0
  1.3.0  1.3.0  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.util   unchanged  2.4.0
  2.4.0  2.4.0  - 
[INFO] 
---
[INFO]   org.apache.jackrabbit.vault.util.xml.serialize unchanged  2.5.0
  2.5.0  2.5.0  - 
[INFO] 
---
[INFO] Baseline analysis complete, 0 error(s), 0 warning(s)

So obviously an incorrect version has been taken as baseline.

After manually executing "mvn 
org.apache.felix:maven-bundle-plugin:4.2.1:baseline"
I now get

[INFO] --- maven-bundle-plugin:4.2.1:baseline (default-cli) @ 
org.apache.jackrabbit.vault ---
[INFO] artifact org.apache.jackrabbit.vault:org.apache.jackrabbit.vault: 
checking for updates from nexus
[INFO] Baseline Report - Generated by Apache Felix Maven Bundle Plugin on 
2020-01-09T16:54Z based on Bnd - see http://www.aqute.biz/Bnd/Bnd
[INFO] Comparing bundle org.apache.jackrabbit.vault version 3.4.1-SNAPSHOT to 
version 3.4.0

Anyone ever observed this?
Thanks,
Konrad

Re: Cancel: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Julian Reschke]

On 09.01.2020 14:45, Konrad Windszus wrote:
> Is that still compatible with older AEM releases?

It is supposed to be. (We are talking about remoting over WebDAV/HTTP,
right?).

> ...

Best regards, Julian

Re: Cancel: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

Is that still compatible with older AEM releases?
I once asked about the dependency policy of Filevault in 
https://lists.apache.org/thread.html/96fd489ff06b12e58c5e43bde1d803f6d927524611f86c947efafb53%40%3Cdev.jackrabbit.apache.org%3E
 

 but never received any answer.
Right now we have a very high chance that with every dependency update we may 
break compatibility with older Sling/AEM distributions. Not everyone is running 
Filevault on the latest Oak/Jackrabbit.
Are there any other opinions about backwards-compatibility?

> On 9. Jan 2020, at 14:40, Julian Reschke  wrote:
> 
> On 09.01.2020 14:31, Konrad Windszus wrote:
>> Cancelling these two releases due to the findings from Toby.
> > ...
> 
> Could you please also update the Jackrabbit dependency to 2.20.0?
> 
> Best regards, Julian

Re: Cancel: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Julian Reschke]

On 09.01.2020 14:31, Konrad Windszus wrote:

Cancelling these two releases due to the findings from Toby.

> ...

Could you please also update the Jackrabbit dependency to 2.20.0?

Best regards, Julian

Cancel: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

Cancelling these two releases due to the findings from Toby.
Konrad

> On 9. Jan 2020, at 09:09, Konrad Windszus  wrote:
> 
> Thanks for the feedback and sorry for not being diligent enough with this 
> release.
> 
>> On 9. Jan 2020, at 03:08, Tobias Bocanegra > > wrote:
>> 
>> Also, I have several issues with the check:
>> 
>> [ERROR]   NOT OK: Tagged sources are different from those in the archive
>> Only in 
>> ./target/jackrabbit-filevault-3.4.2/svn/jackrabbit-filevault-3.4.2: 
>> .gitattributes
> 
> I am gonna fix this.
>> 
>> When I remove the . gitattributes from the checkout, I get the following 
>> error:
>> 
>> [ERROR] Failed to execute goal 
>> org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project 
>> org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 
>> 1]
>> [ERROR]
>> 
> I cannot reproduce, can you share the report?
>> 
>> Then a problem with the script itself:
>> 
>> [INFO] 3. Verify checksums and signatures
>> [INFO]
>> [INFO]Verifying jackrabbit-filevault-3.4.2-src.zip...
>> gpg: assuming signed data in 
>> './filevault/3.4.2/jackrabbit-filevault-3.4.2-src.zip'
>> gpg: Signature made Wed Jan  8 18:03:46 2020 JST
>> gpg:using RSA key D7742D58455ECC7C
>> gpg: Good signature from "Konrad Windszus > >" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:  There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: B91A B7D2 121D C6B0 A61A  A182 D774 2D58 455E CC7C
>> [INFO]OK: jackrabbit-filevault-3.4.2-src.zip.asc
> How do you usually sign keys?
> I added mine to https://dist.apache.org/repos/dist/release/jackrabbit/KEYS 
> , is there 
> anything more to do? I thought this would be enough for verification that the 
> key belongs to me. Are the steps from 
> https://jackrabbit.apache.org/jcr/creating-releases.html#Appendix_A:_Create_and_add_your_key_to_the_Jackrabbit_KEYS_file
>  
> 
>  not enough? I am wondering why this hasn't been an issue with the last 
> release...
> 
>> 
>> So, although the verification failed, the script reports OK (same for sha1).
>> Note, after importing your key, the verification succeeds.
>> 
>> 
>> As for the plugin:
>> The 1.0.4 release notes are included:
>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/RELEASE-NOTES.md
>>  
>> 
> Indeed, I am gonna fix
>> 
>> 
>> The the same problem with he gitattributes:
>> 
>> Only in 
>> ./target/filevault-package-maven-plugin-1.1.0/svn/filevault-package-maven-plugin-1.1.0/src/test/resources/test-projects/filtering-tests:
>>  .gitattributes
>> [ERROR]   NOT OK: Tagged sources are different from those in the archive
>> 
>> ---
>> 
>> So:
>> 
>> -1 Do not release these packages because, the baseline check of filevault 
>> fails, and the release notes in the plugin are wrong.
>> 
>> Regards, Toby
>> 
>> 
>>> On 9 Jan 2020, at 10:42, Tobias Bocanegra >> > wrote:
>>> 
>>> Hi Konrad, 
>>> Thanks for the releases..are the 2 releases dependent on each other? 
>>> Otherwise I would create 2 vote requests
>>> In order to reduce the chance that if 1 release gets rejected, the other is 
>>> also invalid.
>>> 
>>> Regards, Toby
>>> 
 On 8 Jan 2020, at 18:50, Konrad Windszus >>> > wrote:
 
 Hi,
 A candidate for the Jackrabbit Filevault 3.4.2 release is available at:
 
 https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/ 
 
 
 The release candidate is a zip archive of the sources in:
 
 https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
  
 
 
 The SHA1 checksum of the archive is 
 5a4b4714387e9195bed13aa79d2659f67958a73b.
 
 The command for running automated checks against this release candidate is:
 $ sh check-release.sh filevault 3.4.2 
 5a4b4714387e9195bed13aa79d2659f67958a73b
 
 A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 
 release is available at:
 https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
  
 
 
 The release candidate is a zip archive of the sources in:
 https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

Thanks for the feedback and sorry for not being diligent enough with this 
release.

> On 9. Jan 2020, at 03:08, Tobias Bocanegra  wrote:
> 
> Also, I have several issues with the check:
> 
> [ERROR]   NOT OK: Tagged sources are different from those in the archive
> Only in 
> ./target/jackrabbit-filevault-3.4.2/svn/jackrabbit-filevault-3.4.2: 
> .gitattributes

I am gonna fix this.
> 
> When I remove the . gitattributes from the checkout, I get the following 
> error:
> 
> [ERROR] Failed to execute goal 
> org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project 
> org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 1]
> [ERROR]
> 
I cannot reproduce, can you share the report?
> 
> Then a problem with the script itself:
> 
> [INFO] 3. Verify checksums and signatures
> [INFO]
> [INFO]Verifying jackrabbit-filevault-3.4.2-src.zip...
> gpg: assuming signed data in 
> './filevault/3.4.2/jackrabbit-filevault-3.4.2-src.zip'
> gpg: Signature made Wed Jan  8 18:03:46 2020 JST
> gpg:using RSA key D7742D58455ECC7C
> gpg: Good signature from "Konrad Windszus  >" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: B91A B7D2 121D C6B0 A61A  A182 D774 2D58 455E CC7C
> [INFO]OK: jackrabbit-filevault-3.4.2-src.zip.asc
How do you usually sign keys?
I added mine to https://dist.apache.org/repos/dist/release/jackrabbit/KEYS 
, is there anything 
more to do? I thought this would be enough for verification that the key 
belongs to me. Are the steps from 
https://jackrabbit.apache.org/jcr/creating-releases.html#Appendix_A:_Create_and_add_your_key_to_the_Jackrabbit_KEYS_file
 

 not enough? I am wondering why this hasn't been an issue with the last 
release...

> 
> So, although the verification failed, the script reports OK (same for sha1).
> Note, after importing your key, the verification succeeds.
> 
> 
> As for the plugin:
> The 1.0.4 release notes are included:
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/RELEASE-NOTES.md
>  
> 
Indeed, I am gonna fix
> 
> 
> The the same problem with he gitattributes:
> 
> Only in 
> ./target/filevault-package-maven-plugin-1.1.0/svn/filevault-package-maven-plugin-1.1.0/src/test/resources/test-projects/filtering-tests:
>  .gitattributes
> [ERROR]   NOT OK: Tagged sources are different from those in the archive
> 
> ---
> 
> So:
> 
> -1 Do not release these packages because, the baseline check of filevault 
> fails, and the release notes in the plugin are wrong.
> 
> Regards, Toby
> 
> 
>> On 9 Jan 2020, at 10:42, Tobias Bocanegra > > wrote:
>> 
>> Hi Konrad, 
>> Thanks for the releases..are the 2 releases dependent on each other? 
>> Otherwise I would create 2 vote requests
>> In order to reduce the chance that if 1 release gets rejected, the other is 
>> also invalid.
>> 
>> Regards, Toby
>> 
>>> On 8 Jan 2020, at 18:50, Konrad Windszus >> > wrote:
>>> 
>>> Hi,
>>> A candidate for the Jackrabbit Filevault 3.4.2 release is available at:
>>> 
>>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/ 
>>> 
>>> 
>>> The release candidate is a zip archive of the sources in:
>>> 
>>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
>>> 
>>> The SHA1 checksum of the archive is 
>>> 5a4b4714387e9195bed13aa79d2659f67958a73b.
>>> 
>>> The command for running automated checks against this release candidate is:
>>> $ sh check-release.sh filevault 3.4.2 
>>> 5a4b4714387e9195bed13aa79d2659f67958a73b
>>> 
>>> A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 release 
>>> is available at:
>>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
>>> 
>>> The release candidate is a zip archive of the sources in:
>>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/
>>> 
>>> The SHA1 checksum of the archive is
>>> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>>> 
>>> The command for running automated checks against this release candidate is:
>>> $ sh check-release.sh filevault-plugin 1.1.0 
>>> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>>> 
>>> A staged Maven repository for both is available for review at:
>>> https://repository.apache.org/content/repositories/orgapachejackrabbit-1477
>>> 
>>> Please vote on releasing these packages
>>> The vote is open for a min

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

Hi Toby,
indeed the maven plugin depends on Filevault 3.4.2, therefore the VOTE on both.
Konrad

> On 9. Jan 2020, at 02:42, Tobias Bocanegra  wrote:
> 
> Hi Konrad, 
> Thanks for the releases..are the 2 releases dependent on each other? 
> Otherwise I would create 2 vote requests
> In order to reduce the chance that if 1 release gets rejected, the other is 
> also invalid.
> 
> Regards, Toby
> 
>> On 8 Jan 2020, at 18:50, Konrad Windszus  wrote:
>> 
>> Hi,
>> A candidate for the Jackrabbit Filevault 3.4.2 release is available at:
>> 
>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/
>> 
>> The release candidate is a zip archive of the sources in:
>> 
>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
>> 
>> The SHA1 checksum of the archive is 5a4b4714387e9195bed13aa79d2659f67958a73b.
>> 
>> The command for running automated checks against this release candidate is:
>> $ sh check-release.sh filevault 3.4.2 
>> 5a4b4714387e9195bed13aa79d2659f67958a73b
>> 
>> A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 release 
>> is available at:
>> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
>> 
>> The release candidate is a zip archive of the sources in:
>> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/
>> 
>> The SHA1 checksum of the archive is
>> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>> 
>> The command for running automated checks against this release candidate is:
>> $ sh check-release.sh filevault-plugin 1.1.0 
>> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
>> 
>> A staged Maven repository for both is available for review at:
>> https://repository.apache.org/content/repositories/orgapachejackrabbit-1477
>> 
>> Please vote on releasing these packages
>> The vote is open for a minimum of 72 hours during business days and passes
>> if a majority of at least three +1 Jackrabbit PMC votes are cast.
>> The vote fails if not enough votes are cast after 1 week (5 business days).
>> 
>> [ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
>> "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
>> [ ] -1 Do not release these packages because...
>> 
>> 
>> Thanks,
>> Konrad
> 

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Tobias Bocanegra]

Also, I have several issues with the check:

[ERROR]   NOT OK: Tagged sources are different from those in the archive
Only in ./target/jackrabbit-filevault-3.4.2/svn/jackrabbit-filevault-3.4.2: 
.gitattributes

When I remove the . gitattributes from the checkout, I get the following error:

[ERROR] Failed to execute goal 
org.apache.felix:maven-bundle-plugin:4.2.1:baseline (baseline) on project 
org.apache.jackrabbit.vault: Baseline failed, see generated report -> [Help 1]
[ERROR]


Then a problem with the script itself:

[INFO] 3. Verify checksums and signatures
[INFO]
[INFO]Verifying jackrabbit-filevault-3.4.2-src.zip...
gpg: assuming signed data in 
'./filevault/3.4.2/jackrabbit-filevault-3.4.2-src.zip'
gpg: Signature made Wed Jan  8 18:03:46 2020 JST
gpg:using RSA key D7742D58455ECC7C
gpg: Good signature from "Konrad Windszus 
mailto:k...@apache.org>>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: B91A B7D2 121D C6B0 A61A  A182 D774 2D58 455E CC7C
[INFO]OK: jackrabbit-filevault-3.4.2-src.zip.asc

So, although the verification failed, the script reports OK (same for sha1).
Note, after importing your key, the verification succeeds.


As for the plugin:
The 1.0.4 release notes are included:
https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/RELEASE-NOTES.md


The the same problem with he gitattributes:

Only in 
./target/filevault-package-maven-plugin-1.1.0/svn/filevault-package-maven-plugin-1.1.0/src/test/resources/test-projects/filtering-tests:
 .gitattributes
[ERROR]   NOT OK: Tagged sources are different from those in the archive

---

So:

-1 Do not release these packages because, the baseline check of filevault 
fails, and the release notes in the plugin are wrong.

Regards, Toby


On 9 Jan 2020, at 10:42, Tobias Bocanegra 
mailto:tri...@adobe.com>> wrote:

Hi Konrad,
Thanks for the releases..are the 2 releases dependent on each other? Otherwise 
I would create 2 vote requests
In order to reduce the chance that if 1 release gets rejected, the other is 
also invalid.

Regards, Toby

On 8 Jan 2020, at 18:50, Konrad Windszus 
mailto:konra...@gmx.de>> wrote:

Hi,
A candidate for the Jackrabbit Filevault 3.4.2 release is available at:

https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/

The release candidate is a zip archive of the sources in:

https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/

The SHA1 checksum of the archive is 5a4b4714387e9195bed13aa79d2659f67958a73b.

The command for running automated checks against this release candidate is:
$ sh check-release.sh filevault 3.4.2 5a4b4714387e9195bed13aa79d2659f67958a73b

A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 release is 
available at:
https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/

The release candidate is a zip archive of the sources in:
https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/

The SHA1 checksum of the archive is
4c8679b67b7d10ecc6ff7869f028ee872a6ee941

The command for running automated checks against this release candidate is:
$ sh check-release.sh filevault-plugin 1.1.0 
4c8679b67b7d10ecc6ff7869f028ee872a6ee941

A staged Maven repository for both is available for review at:
https://repository.apache.org/content/repositories/orgapachejackrabbit-1477

Please vote on releasing these packages
The vote is open for a minimum of 72 hours during business days and passes
if a majority of at least three +1 Jackrabbit PMC votes are cast.
The vote fails if not enough votes are cast after 1 week (5 business days).

[ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
"Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
[ ] -1 Do not release these packages because...


Thanks,
Konrad

Re: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Tobias Bocanegra]

Hi Konrad, 
Thanks for the releases..are the 2 releases dependent on each other? Otherwise 
I would create 2 vote requests
In order to reduce the chance that if 1 release gets rejected, the other is 
also invalid.

Regards, Toby

> On 8 Jan 2020, at 18:50, Konrad Windszus  wrote:
> 
> Hi,
> A candidate for the Jackrabbit Filevault 3.4.2 release is available at:
> 
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/
> 
> The release candidate is a zip archive of the sources in:
> 
> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/
> 
> The SHA1 checksum of the archive is 5a4b4714387e9195bed13aa79d2659f67958a73b.
> 
> The command for running automated checks against this release candidate is:
> $ sh check-release.sh filevault 3.4.2 5a4b4714387e9195bed13aa79d2659f67958a73b
> 
> A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 release 
> is available at:
> https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/
> 
> The release candidate is a zip archive of the sources in:
> https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/
> 
> The SHA1 checksum of the archive is
> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
> 
> The command for running automated checks against this release candidate is:
> $ sh check-release.sh filevault-plugin 1.1.0 
> 4c8679b67b7d10ecc6ff7869f028ee872a6ee941
> 
> A staged Maven repository for both is available for review at:
> https://repository.apache.org/content/repositories/orgapachejackrabbit-1477
> 
> Please vote on releasing these packages
> The vote is open for a minimum of 72 hours during business days and passes
> if a majority of at least three +1 Jackrabbit PMC votes are cast.
> The vote fails if not enough votes are cast after 1 week (5 business days).
> 
> [ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
> "Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
> [ ] -1 Do not release these packages because...
> 
> 
> Thanks,
> Konrad

[VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0

[Konrad Windszus]

Hi,
A candidate for the Jackrabbit Filevault 3.4.2 release is available at:

https://dist.apache.org/repos/dist/dev/jackrabbit/filevault/3.4.2/

The release candidate is a zip archive of the sources in:

https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/tags/jackrabbit-filevault-3.4.2/

The SHA1 checksum of the archive is 5a4b4714387e9195bed13aa79d2659f67958a73b.

The command for running automated checks against this release candidate is:
$ sh check-release.sh filevault 3.4.2 5a4b4714387e9195bed13aa79d2659f67958a73b

A candidate for the Jackrabbit Filevault Package Maven Plugin 1.1.0 release is 
available at:
https://dist.apache.org/repos/dist/dev/jackrabbit/filevault-package-maven-plugin/1.1.0/

The release candidate is a zip archive of the sources in:
https://svn.apache.org/repos/asf/jackrabbit/commons/filevault-package-maven-plugin/tags/filevault-package-maven-plugin-1.1.0/

The SHA1 checksum of the archive is
4c8679b67b7d10ecc6ff7869f028ee872a6ee941

The command for running automated checks against this release candidate is:
$ sh check-release.sh filevault-plugin 1.1.0 
4c8679b67b7d10ecc6ff7869f028ee872a6ee941

A staged Maven repository for both is available for review at:
https://repository.apache.org/content/repositories/orgapachejackrabbit-1477

Please vote on releasing these packages
The vote is open for a minimum of 72 hours during business days and passes
if a majority of at least three +1 Jackrabbit PMC votes are cast.
The vote fails if not enough votes are cast after 1 week (5 business days).

[ ] +1 Release these packages as "Apache Jackrabbit Filevault 3.4.2" and 
"Apache Jackrabbit Filevault Package Maven Plugin 1.1.0"
[ ] -1 Do not release these packages because...


Thanks,
Konrad