On 27 February 2012 12:27, Gilles Sadowski <gil...@harfang.homelinux.org> wrote:
> On Sat, Feb 25, 2012 at 12:25:49PM +0000, sebb wrote:
>> On 25 February 2012 09:59, Gilles Sadowski <gil...@harfang.homelinux.org> wrote:
>> > Hello.
>> >
>> >> >
>> >> > How do we proceed from here in order to release 3.0? Cf. ticket MATH-746,
>> >> > "Things to do before releasing 3.0".
>> >>
>> >> Sorry for being late on this.
>> >>
>> >> >
>> >> > Can we start to talk about an expected release date?
>> >>
>> >> I guess you did a wonderful job for closing everything. As it is clean
>> >> enough, I think we could even skip the step of using a release branch
>> >> and we could simply tag the release candidates from the trunk. This
>> >> would simply imply refraining from any change which is not related to
>> >> the release for a few days.
>> >>
>> >> Someone has to volunteer to act as the release manager. The task is
>> >> simply to perform the few commands described for example here:
>> >> <http://wiki.apache.org/commons/UsingNexus>. The release manager also
>> >> signs the packages using a gpg key, which should be put in the global
>> >> KEYS file. This file can be retrieved using the following svn command:
>> >>
>> >>   svn checkout --depth=immediates \
>> >>     https://[your-commiter-id]@svn.apache.org/repos/asf/commons/trunks-proper
>> >>
>> >> The artifacts for the release candidate must be made available and a
>> >> VOTE thread must be started on the dev list for at least 72 hours (see
>> >> <http://www.apache.org/foundation/voting.html>). There can be several
>> >> release candidates before a version finally goes out (when I released
>> >> version 2.0 I think, we needed 6 candidates ...). When the vote passes,
>> >> the exact artifacts which were used for voting will be published by
>> >> uploading the source and binary zip and tar files and by promoting the
>> >> maven artifacts with Nexus. Not a single bit is changed (this would
>> >> change the gpg signatures). This means that for example the release date
>> >> which appears in the release notes must be estimated before the vote
>> >> taking the voting delay into account (plus one or two days as a safety
>> >> margin) and it must be updated as each release candidate is cut.
>> >>
>> >> So there is no predefined release date until the vote finally passes.
>> >>
>> >> At the pace at which you go now, I would say we could target a first
>> >> release candidate early next week.
>> >>
>> >> Any volunteer as release manager?
>> >
>> > OK, I started to try the commands listed in the "UsingNexus" file. Not
>> > everything works directly... [maven2 could not find a plugin, which led me
>>
>> Which plugin?
>
> I couldn't tell you now because installing maven3 implied uninstalling
> maven2.

I've got both installed (Win XP) with no issues; I just change the
PATH as needed to switch between them.

>>
>> > to upgrade to maven3, which printed a warning about "parent" being a broken
>> > project, etc.]
>
> This is the warning from maven3:
> ---CUT---
> [WARNING]
> [WARNING] Some problems were encountered while building the effective model
> for org.apache.commons:commons-math3:jar:3.0-SNAPSHOT
> [WARNING] 'build.plugins.plugin.version' for
> org.apache.maven.plugins:maven-idea-plugin is missing.
> @org.apache.commons:commons-parent:20,
> /home/eran/.m2/repository/org/apache/commons/commons-parent/20/commons-parent-20.pom,
> line 316, column 15
> [WARNING]
> [WARNING] It is highly recommended to fix these problems because they
> threaten the stability of your build.
> [WARNING]
> [WARNING] For this reason, future Maven versions might no longer support
> building such malformed projects.
> [WARNING]
> ---CUT---

Can ignore that - IDEA is used for reports only (if then).

>> >
>> > I don't know maven (apart from the basics to build CM) so, it is not always
>> > obvious which are the mandatory steps and what result must be observed in
>> > order to check that everything went fine...
>> >
>> > For the encryption key: I was always advised against writing a passphrase in
>> > clear in a file; maven seems to support asking for the passphrase but when
>> > it prints:
>> > ---CUT---
>> > Enter passphrase: gpg: gpg-agent is not available in this session
>> > ---CUT---
>> > When I enter the passphrase, it just prints that same message again...
>>
>> Works for me using Maven 2.2.1 and 3.0.4
>
> Maven version is also 3.0.4 here.
>
>>
>> Which version of gpg have you installed locally?
>
> ---CUT---
> $ gpg --version
> gpg (GnuPG) 1.4.11
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
> CAMELLIA192, CAMELLIA256
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
> ---CUT---
>
>>
>> To test it out, just use
>>
>> mvn gpg:sign
>>
>> It will fail later as it needs package first.
>
> This seems to work (if this is where you expected it to fail); it produces:
> ---CUT---
> [INFO] Scanning for projects...
> [WARNING]
> [WARNING] Some problems were encountered while building the effective model
> for org.apache.commons:commons-math3:jar:3.0-SNAPSHOT
> [WARNING] 'build.plugins.plugin.version' for
> org.apache.maven.plugins:maven-idea-plugin is missing.
> @org.apache.commons:commons-parent:20,
> /home/eran/.m2/repository/org/apache/commons/commons-parent/20/commons-parent-20.pom,
> line 316, column 15
> [WARNING]
> [WARNING] It is highly recommended to fix these problems because they
> threaten the stability of your build.
> [WARNING]
> [WARNING] For this reason, future Maven versions might no longer support
> building such malformed projects.
> [WARNING]
> [INFO]
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building Commons Math 3.0-SNAPSHOT
> [INFO]
> ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-gpg-plugin:1.1:sign (default-cli) @ commons-math3 ---
> GPG Passphrase: *******************************

Good, so it does prompt.

> [INFO]
> ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Total time: 11.345s
> [INFO] Finished at: Mon Feb 27 13:05:15 CET 2012
> [INFO] Final Memory: 9M/105M
> [INFO]
> ------------------------------------------------------------------------
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default-cli) on project
> commons-math3: The project artifact has not been assembled yet. Please do
> not invoke this goal before the lifecycle phase "package". -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e
> switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions, please
> read the following articles:
> [ERROR] [Help 1]
> http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
> ---CUT---
>
> However, when I run
>
> $ mvn clean deploy -Papache-release -Ptest-deploy

Try using

mvn clean package deploy -Prelease -Ptest-deploy

instead.

> I get:
>
> ---CUT---
> [INFO] Parent project loaded from repository.
> [INFO]
> [INFO] --- maven-gpg-plugin:1.1:sign (default) @ commons-math3 ---
>
> You need a passphrase to unlock the secret key for
> user: "Gilles Sadowski (ASF code signing) <er...@apache.org>"
> 1024-bit DSA key, ID 51D05641, created 2003-09-28
>
> Enter passphrase: gpg: gpg-agent is not available in this session
>
> You need a passphrase to unlock the secret key for
> user: "Gilles Sadowski (ASF code signing) <er...@apache.org>"
> 1024-bit DSA key, ID 51D05641, created 2003-09-28
>
> Enter passphrase: gpg: Invalid passphrase; please try again ...
>
> You need a passphrase to unlock the secret key for
> user: "Gilles Sadowski (ASF code signing) <er...@apache.org>"
> 1024-bit DSA key, ID 51D05641, created 2003-09-28
>
> Enter passphrase: gpg: gpg-agent is not available in this session
> [... and so on ...]
> ---CUT---
>
>
>> > [I guess I'll create a dummy key and store the passphrase in "settings.xml"
>> > just for this to work...]
>>
>> You can use encrypted passwords:
>>
>> http://maven.apache.org/guides/mini/guide-encryption.html
>
> I had read it, but didn't think it would work for the
> <gpg.passphrase></gpg.passphrase>
> tag.
>
> Anyway, I encrypted the pass phrase using
>
> $ mvn --encrypt-password "my pass phrase"
>
> put the result in the above tag, and got:
> ---CUT---
> INFO] --- maven-gpg-plugin:1.1:sign (default) @ commons-math3 ---
> gpg: skipped "Gilles Sadowski (ASF code signing) <er...@apache.org>": bad
> passphrase
> gpg: signing failed: bad passphrase

Some encrypted passphrases can contain invalid characters; check that
{} only appear at the ends.
[Very poor design of the Maven decrypt routine - it should only check
for {} at the ends of the value and so avoid the hassle of escaping
chars]

> [INFO]
> ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Total time: 2:20.088s
> [INFO] Finished at: Mon Feb 27 13:15:10 CET 2012
> [INFO] Final Memory: 36M/370M
> [INFO]
> ------------------------------------------------------------------------
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default) on project
> commons-math3: Exit code: 2 -> [Help 1]
> ---CUT---
>
>>
>> Better than plain text, but still not ideal if your host is not
>> physically secure.
>
> It would have been good enough if it worked.
> I must be missing some additional configuration...

Does the encryption setup work for logins, e.g. can you deploy snapshots?

>>
>> Can also store the master key on a removable USB stick.
>
> I'm not that paranoid ;-). It is encrypted, and stored in
> "settings-security.xml", only readable by me. And it serves only to run
> maven.
> It's just that storing the pass phrase of a general-purpose encrypting key,
> in clear text does not seem right.

Agree.

>
> Thanks for any enlightenment as to what could cause this problem,
> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
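
The check suggested in the reply above (braces only at the two ends of an encrypted value), together with a flag for secrets left in clear text, as an added example that is not part of the original thread. The sample settings.xml, the list of secret-bearing tags and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread); all secret values are placeholders.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>repo-a</id><password>{Q09OU1RSVUNURUQ=}</password></server>
    <server><id>repo-b</id><password>{Q09O{U1RS}VUNURUQ=}</password></server>
  </servers>
  <profiles><profile><id>sign</id><properties>
    <gpg.passphrase>my pass phrase</gpg.passphrase>
  </properties></profile></profiles>
</settings>"""

# Element names treated as secrets (an assumption; extend as needed).
SECRET_TAGS = {"password", "passphrase", "gpg.passphrase"}


def classify(value):
    """Return 'encrypted' (braces at both ends only), 'stray-braces'
    (a brace anywhere else) or 'plaintext' (no braces at all)."""
    v = value.strip()
    wrapped = len(v) > 2 and v.startswith("{") and v.endswith("}")
    inner = v[1:-1] if wrapped else v
    if "{" in inner or "}" in inner:
        return "stray-braces"
    return "encrypted" if wrapped else "plaintext"


def audit(xml_text):
    """List (tag, verdict) for every secret-bearing element, in file order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        if tag in SECRET_TAGS and el.text and el.text.strip():
            findings.append((tag, classify(el.text)))
    return findings


if __name__ == "__main__":
    for tag, verdict in audit(SAMPLE):
        print(f"{tag}: {verdict}")
```
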