On Sat, Feb 25, 2012 at 12:25:49PM +0000, sebb wrote:
> On 25 February 2012 09:59, Gilles Sadowski <gil...@harfang.homelinux.org>
> wrote:
> > Hello.
> >
> >> >
> >> > How do we proceed from here in order to release 3.0? Cf. ticket MATH-746,
> >> > "Things to do before releasing 3.0".
> >>
> >> Sorry for being late on this.
> >>
> >> >
> >> > Can we start to talk about an expected release date?
> >>
> >> I guess you did a wonderful job for closing everything. As it is clean
> >> enough, I think we could even skip the step of using a release branch
> >> and we could simply tag the release candidates from the trunk. This
> >> would simply imply refraining from any change which is not related to
> >> the release for a few days.
> >>
> >> Someone has to volunteer to act as the release manager. The task is
> >> simply to perform the few commands described for example here:
> >> <http://wiki.apache.org/commons/UsingNexus>. The release manager also
> >> signs the packages using a gpg key, which should be put in the global
> >> KEYS file. This file can be retrieved using the following svn command:
> >>
> >> svn checkout --depth=immediates \
> >> https://[your-commiter-id]@svn.apache.org/repos/asf/commons/trunks-proper
> >>
> >> The artifacts for the release candidate must be made available and a
> >> VOTE thread must be started on the dev list for at least 72 hours (see
> >> <http://www.apache.org/foundation/voting.html>). There can be several
> >> release candidates before a version finally goes out (when I released
> >> version 2.0 I think, we needed 6 candidates ...). When the vote passes,
> >> the exact artifacts which were used for voting will be published by
> >> uploading the source and binary zip and tar files and by promoting the
> >> maven artifacts with Nexus. Not a single bit is changed (this would
> >> change the gpg signatures).
> >> This means that for example the release date
> >> which appears in the release notes must be estimated before the vote
> >> taking the voting delay into account (plus one or two days as a safety
> >> margin) and it must be updated as each release candidate is cut.
> >>
> >> So there is no predefined release date until the vote finally passes.
> >>
> >> At the pace at which you go now, I would say we could target a first
> >> release candidate early next week.
> >>
> >> Any volunteer as release manager ?
> >
> > OK, I started to try the commands listed in the "UsingNexus" file. Not
> > everything works directly... [maven2 could not find a plugin, which led me
>
> Which plugin?

I couldn't tell you now because installing maven3 implied uninstalling
maven2.

>
> > to upgrade to maven3, which printed a warning about "parent" being a broken
> > project, etc.]

This is the warning from maven3:
---CUT---
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.apache.commons:commons-math3:jar:3.0-SNAPSHOT
[WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-idea-plugin is missing. @org.apache.commons:commons-parent:20, /home/eran/.m2/repository/org/apache/commons/commons-parent/20/commons-parent-20.pom, line 316, column 15
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
---CUT---

> >
> > I don't know maven (apart from the basics to build CM) so, it is not always
> > obvious which are the mandatory steps and what result must be observed in
> > order to check that everything went fine...
> >
> > For the encryption key: I was always advised against writing a passphrase in
> > clear in a file; maven seems to support asking for the passphrase but when
> > it prints:
> > ---CUT---
> > Enter passphrase: gpg: gpg-agent is not available in this session
> > ---CUT---
> > When I enter the passphrase, it just prints that same message again...
>
> Works for me using Maven 2.2.1 and 3.0.4

Maven version is also 3.0.4 here.

>
> Which version of gpg have you installed locally?

---CUT---
$ gpg --version
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
---CUT---

>
> To test it out, just use
>
> mvn gpg:sign
>
> It will fail later as it needs package first.

This seems to work (if this is where you expected it to fail); it produces:
---CUT---
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.apache.commons:commons-math3:jar:3.0-SNAPSHOT
[WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-idea-plugin is missing. @org.apache.commons:commons-parent:20, /home/eran/.m2/repository/org/apache/commons/commons-parent/20/commons-parent-20.pom, line 316, column 15
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Commons Math 3.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-gpg-plugin:1.1:sign (default-cli) @ commons-math3 ---
GPG Passphrase: *******************************
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 11.345s
[INFO] Finished at: Mon Feb 27 13:05:15 CET 2012
[INFO] Final Memory: 9M/105M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default-cli) on project commons-math3: The project artifact has not been assembled yet. Please do not invoke this goal before the lifecycle phase "package". -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
---CUT---

However, when I run
$ mvn clean deploy -Papache-release -Ptest-deploy
I get:
---CUT---
[INFO] Parent project loaded from repository.
[INFO]
[INFO] --- maven-gpg-plugin:1.1:sign (default) @ commons-math3 ---

You need a passphrase to unlock the secret key for
user: "Gilles Sadowski (ASF code signing) <er...@apache.org>"
1024-bit DSA key, ID 51D05641, created 2003-09-28

Enter passphrase: gpg: gpg-agent is not available in this session

You need a passphrase to unlock the secret key for
user: "Gilles Sadowski (ASF code signing) <er...@apache.org>"
1024-bit DSA key, ID 51D05641, created 2003-09-28

Enter passphrase: gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "Gilles Sadowski (ASF code signing) <er...@apache.org>"
1024-bit DSA key, ID 51D05641, created 2003-09-28

Enter passphrase: gpg: gpg-agent is not available in this session
[... and so on ...]
---CUT---

> > [I guess I'll create a dummy key and store the passphrase in "settings.xml"
> > just for this to work...]
>
> You can use encrypted passwords:
>
> http://maven.apache.org/guides/mini/guide-encryption.html

I had read it, but didn't think it would work for the
<gpg.passphrase></gpg.passphrase>
tag.
Anyway, I encrypted the pass phrase using
$ mvn --encrypt-password "my pass phrase"
put the result in the above tag, and got:
---CUT---
INFO] --- maven-gpg-plugin:1.1:sign (default) @ commons-math3 ---
gpg: skipped "Gilles Sadowski (ASF code signing) <er...@apache.org>": bad passphrase
gpg: signing failed: bad passphrase
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2:20.088s
[INFO] Finished at: Mon Feb 27 13:15:10 CET 2012
[INFO] Final Memory: 36M/370M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default) on project commons-math3: Exit code: 2 -> [Help 1]
---CUT---

>
> Better than plain text, but still not ideal if your host is not
> physically secure.

It would have been good enough if it worked. I must be missing some additional
configuration...

>
> Can also store the master key on a removable USB stick.

I'm not that paranoid ;-).
It is encrypted, and stored in "settings-security.xml", only readable by me.
And it serves only to run maven.
It's just that storing the pass phrase of a general-purpose encrypting key,
in clear text does not seem right.

Thanks for any enlightenment as to what could cause this problem,
Gilles
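
Added example, not part of the original message and not code from Maven or the maven-gpg-plugin: a small audit of a settings.xml for the two situations discussed in this thread, a secret stored in clear text and a {...}-encrypted value placed in the gpg.passphrase property. It assumes that Maven decrypts the {...} form only inside <server> entries, so a property value would reach gpg as the literal string; the sample file, server ids and secret values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Maven's encrypted form: a base64 blob wrapped in braces, e.g. {AbC123=}
ENCRYPTED = re.compile(r"\{[A-Za-z0-9+/=]+\}")

# Constructed sample; ids and secret values are made up for illustration.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>constructed-a</id><password>{Q09OU1RSVUNURUQ=}</password></server>
    <server><id>constructed-b</id><password>not-a-real-secret</password></server>
  </servers>
  <profiles><profile><id>apache-release</id>
    <properties><gpg.passphrase>{Q09OU1RSVUNURUQ=}</gpg.passphrase></properties>
  </profile></profiles>
</settings>"""

def local(tag):
    """Drop the XML namespace so files with or without xmlns are handled."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    """Direct children of elem whose namespace-free tag equals name."""
    return [c for c in elem if local(c.tag) == name]

def audit_settings(xml_text):
    """Return (location, finding) pairs for secrets found in a settings.xml."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind = local(elem.tag)
        if kind == "server":
            ident = "".join((c.text or "").strip() for c in children(elem, "id"))
            for field in ("password", "passphrase"):
                for c in children(elem, field):
                    value = (c.text or "").strip()
                    if value and not ENCRYPTED.search(value):
                        findings.append((f"server[{ident}]/{field}", "cleartext"))
        elif kind == "properties":
            for c in children(elem, "gpg.passphrase"):
                value = (c.text or "").strip()
                if ENCRYPTED.search(value):
                    # Assumption: properties are not decrypted, so gpg would
                    # receive the literal "{...}" string as the passphrase.
                    findings.append(("properties/gpg.passphrase", "encrypted-literal"))
                elif value:
                    findings.append(("properties/gpg.passphrase", "cleartext"))
    return findings

if __name__ == "__main__":
    for location, finding in audit_settings(SAMPLE):
        print(f"{location}: {finding}")
```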