On Dec 3, 2016 9:34 AM, "Charles Honton" <c...@honton.org> wrote: > > To follow up the thread on releasing parent 42 and exactly what needs to signed, etc. I’ve researched asf release policy. Here’s the gist: > > 1. Every ASF release must contain a source package, which must be sufficient for a user to build and test the release provided they have access to the appropriate platform and tools. < http://www.apache.org/dev/release#what-must-every-release-contain> > > 2. A release isn't 'released' until the contents are in the project's distribution directory, which is a subdirectory of www.apache.org/dist/ < http://www.apache.org/dev/release#where-do-releases-go>. > > 3. Every artifact distributed to the public through Apache channels MUST be accompanied by one file containing an OpenPGP compatible ASCII armored detached signature and another file containing an MD5 checksum. < https://www.apache.org/dev/release-distribution.html#sigs-and-sums> > > What do we consider the source package for our releases? > Are the xxx-sources.jar, xxx-test-sources.jar, and pom sufficient to build and test the release?
Nope. A sources jar is a convenience for IDEs, it usually does not contain build scripts and such. I am AFK so I am hoping someone can provide an example. > Is the zip/gz just a convenience and is it still useful/required? That should contain almost everything that is in the repo except for things like old files like proposal.html. > Or is it the reverse, the zip/gz is the release and the jars are the convenience distributions? Yep. The release are the zip/gz sources. All binaries are conveniences. Granted that without a Maven Central jar release, a component is not easy to reuse. Gary > > regards, > chas