On Mon, Jul 13, 2020 at 8:48 AM Rob Tompkins <chtom...@gmail.com> wrote:
>
> > On Jul 13, 2020, at 8:46 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > Is there still room for corruption after a vote passes when the files are
> > moved in SVN from the dev to dist folder?
>
> Good question….but I would think we would notice that after the fact with
> an alert like the ones that we’ve gotten about signatures not matching. So
> I would think that we wouldn’t worry about it?
>

I hope not! ;-)

Gary

>
> -Rob
>
> >
> > Gary
> >
> > On Mon, Jul 13, 2020 at 8:29 AM Rob Tompkins <chtom...@gmail.com> wrote:
> >
> >> I’ll take the shell scripts that I’ve been using and enrich them a little,
> >> and then I’ll share them with folks. I think we can likely put them in one
> >> of the plugins so that folks can simply run the script to move and download
> >> all the artifacts in their checkout of the svn directory.
> >>
> >> Cheers,
> >> -Rob
> >>
> >>> On Jul 13, 2020, at 8:12 AM, Rob Tompkins <chtom...@gmail.com> wrote:
> >>>
> >>> Yes…I agree with that need. I was wondering if the release plugin was
> >>> doing that or nexus itself was doing that. But, I definitely understand
> >>> that they show up in nexus when using the plugin.
> >>>
> >>> Cheers,
> >>> -Rob
> >>>
> >>>> On Jul 13, 2020, at 8:10 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> >>>>
> >>>> Rob, if you plan on working on the release plugin, can you see if there is
> >>>> a way to have the VOTE not generate checksum lines for ASC files? IIRC we
> >>>> do not need checksums for ASC files.
> >>>>
> >>>> Speaking for corrupted uploads, does the Maven deploy goal check that its
> >>>> uploads are sane?
> >>>>
> >>>> Gary
> >>>>
> >>>> Gary
> >>>>
> >>>> On Mon, Jul 13, 2020, 08:04 Rob Tompkins <chtom...@gmail.com> wrote:
> >>>>
> >>>>> This all makes sense to me. Many thanks for the feedback here.
> >>>>>
> >>>>> Cheers,
> >>>>> -Rob
> >>>>>
> >>>>>> On Jul 13, 2020, at 5:12 AM, Mark Thomas <ma...@apache.org> wrote:
> >>>>>>
> >>>>>> On 13/07/2020 06:43, Stefan Bodewig wrote:
> >>>>>>> On 2020-07-12, Rob Tompkins wrote:
> >>>>>>>
> >>>>>>>> given the consistency of the signatures from the plugins…do we need to
> >>>>>>>> check them for releases anymore?
> >>>>>>>
> >>>>>>> Yes, please. Not everybody uses the plugins and even if everybody did a
> >>>>>>> misconfiguration could be pulling in the wrong key or a key not
> >>>>>>> available from the expected download location.
> >>>>>>
> >>>>>> +1, for several reasons
> >>>>>>
> >>>>>> It also catches corrupted uploads.
> >>>>>>
> >>>>>> It is simpler to fix during a release vote than after a release where
> >>>>>> we'd have to at least consider the possibility of malicious activity and
> >>>>>> respond accordingly until we could prove it wasn't.
> >>>>>>
> >>>>>> Mark
> >>>>>>
> >>>>>> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >>>>>> For additional commands, e-mail: dev-h...@commons.apache.org
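
The question of corruption between the vote and the move from dev to dist can be checked mechanically. The following is an added example, not Rob's scripts and not part of the release plugin: it compares the voted-on files in a dev checkout with what landed in a dist checkout. The flat directory layout, the `.sha512` sidecar naming and the function names are assumptions; it checks digests only and does not verify the `.asc` signatures themselves.

```shell
# Usage (after sourcing this file): verify_release path/to/dev path/to/dist
# Assumptions: flat directories, "<artifact>.sha512" sidecars, sha512sum on PATH.

# Print the lowercase hex SHA-512 digest of a file.
sha512_of() {
    sha512sum "$1" | awk '{print $1}'
}

# Report every file that fails a check; return the number of problems found.
#   1. each artifact with a .sha512 sidecar must match the digest recorded there
#   2. each file in DEV (artifacts, .asc signatures, sidecars) must be present
#      and byte-identical in DIST, i.e. nothing changed after the vote
# .asc files get no sidecar check, as the thread notes they need no checksums.
verify_release() {
    local dev dist problems f name actual recorded
    dev="$1"; dist="$2"; problems=0
    for f in "$dev"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        actual=$(sha512_of "$f")
        case "$name" in
            *.sha512) ;;   # sidecars only get the dev/dist comparison below
            *)
                if [ -f "$f.sha512" ]; then
                    # Sidecar is "<hex>" or "<hex>  <name>": take field one.
                    recorded=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
                    if [ "$recorded" != "$actual" ]; then
                        echo "CHECKSUM MISMATCH in dev: $name"
                        problems=$((problems + 1))
                    fi
                fi ;;
        esac
        if [ ! -f "$dist/$name" ]; then
            echo "MISSING in dist: $name"
            problems=$((problems + 1))
        elif [ "$(sha512_of "$dist/$name")" != "$actual" ]; then
            echo "CHANGED between dev and dist: $name"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

A non-zero return after the move is the signal to stop and investigate before the release is announced.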