On Mon, 13 Jul 2020 at 15:15, Matt Sicker <boa...@gmail.com> wrote:
>
> I'm still of the opinion that verifying the GPG signature is logically
> sufficient since they include the message digest by nature of how they
> work. It is particularly useful because .asc files can be safely
> mirrored unlike checksum files which can be maliciously modified.
Any checksums we publish must be correct, so we need to check them.
Asc files are not mirrored.

> On Sun, 12 Jul 2020 at 16:19, Rob Tompkins <chtom...@gmail.com> wrote:
> >
> > given the consistency of the signatures from the plugins…do we need to
> > check them for releases anymore? I have been using shell scripts to
> > validate all of the md5’s, sha1’s, sha512’s, and gpg signatures that come
> > out of the process.
> >
> > @sebb or @markt do you have an opinion here?
> >
> > -Rob
> >
> > > On Jul 12, 2020, at 9:42 AM, Gary Gregory <ggreg...@apache.org> wrote:
> > >
> > > We have fixed quite a few bugs and added some significant enhancements
> > > since Apache Commons Lang 3.10 was released, so I would like to release
> > > Apache Commons Lang 3.11.
> > >
> > > Apache Commons Lang 3.11 RC2 is available for review here:
> > > https://dist.apache.org/repos/dist/dev/commons/lang/3.11-RC2 (svn
> > > revision 40434)
> > >
> > > The Git tag commons-lang-3.11-RC2 commit for this RC is
> > > f62f0f59a33d2c42bd4236ea7122735de30d91fc which you can browse here:
> > >
> > > https://gitbox.apache.org/repos/asf?p=commons-lang.git;a=commit;h=f62f0f59a33d2c42bd4236ea7122735de30d91fc
> > > You may checkout this tag using:
> > > git clone https://gitbox.apache.org/repos/asf/commons-lang.git --branch
> > > commons-lang-3.11-RC2 commons-lang-3.11-RC2
> > >
> > > Maven artifacts are here:
> > >
> > > https://repository.apache.org/content/repositories/orgapachecommons-1506/org/apache/commons/commons-lang3/3.11/
> > >
> > > These are the artifacts and their hashes:
> > >
> > > #Release SHA-512s
> > > #Sun Jul 12 09:31:57 EDT 2020
> > >
> > > I have tested this with:
> > >
> > > mvn -V -Duser.name=%my_apache_id%
> > > -Dcommons.release-plugin.version=%commons.release-plugin.version%
> > > -Prelease
> > > -Ptest-deploy -P jacoco -P japicmp clean package site deploy
> > >
> > > using:
> > >
> > > Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
> > > Maven home: C:\Java\apache-maven-3.6.3\bin\..
> > > Java version: 1.8.0_251, vendor: Oracle Corporation, runtime: C:\Program
> > > Files\Java\jdk1.8.0_251\jre
> > > Default locale: en_US, platform encoding: Cp1252
> > > OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
> > >
> > > Details of changes since 3.10 are in the release notes:
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/lang/3.11-RC2/RELEASE-NOTES.txt
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/lang/3.11-RC2/site/changes-report.html
> > >
> > > Site:
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/lang/3.11-RC2/site/index.html
> > > (note some *relative* links are broken and the 3.11 directories are not
> > > yet created - these will be OK once the site is deployed.)
> > >
> > > JApiCmp Report (compared to 3.10):
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/lang/3.11-RC2/site/japicmp.html
> > >
> > > RAT Report:
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/lang/3.11-RC2/site/rat-report.html
> > >
> > > KEYS:
> > > https://www.apache.org/dist/commons/KEYS
> > >
> > > Please review the release candidate and vote.
> > > This vote will close no sooner than 72 hours from now.
> > >
> > > [ ] +1 Release these artifacts
> > > [ ] +0 OK, but...
> > > [ ] -0 OK, but really should fix...
> > > [ ] -1 I oppose this release because...
> > >
> > > Thank you,
> > >
> > > Gary Gregory,
> > > Release Manager (using key 86fdc7e2a11262cb)
> > >
> > > The following is intended as a helper and refresher for reviewers.
> > >
> > > Validating a release candidate
> > > ==============================
> > >
> > > These guidelines are NOT complete.
> > >
> > > Requirements: Git, Java, Maven.
> > >
> > > You can validate a release from a release candidate (RC) tag as follows.
> > >
> > > 1) Clone and checkout the RC tag
> > >
> > > git clone https://gitbox.apache.org/repos/asf/commons-lang.git --branch
> > > commons-lang-3.11-RC2 commons-lang-3.11-RC2
> > > cd commons-lang-3.11-RC2
> > >
> > > 2) Check Apache licenses
> > >
> > > This step is not required if the site includes a RAT report page which you
> > > then must check.
> > >
> > > mvn apache-rat:check
> > >
> > > 3) Check binary compatibility
> > >
> > > Older components still use Apache Clirr:
> > >
> > > This step is not required if the site includes a Clirr report page which
> > > you then must check.
> > >
> > > mvn clirr:check
> > >
> > > Newer components use JApiCmp with the japicmp Maven Profile:
> > >
> > > This step is not required if the site includes a JApiCmp report page which
> > > you then must check.
> > >
> > > mvn install -DskipTests -P japicmp japicmp:cmp
> > >
> > > 4) Build the package
> > >
> > > mvn -V clean package
> > >
> > > You can record the Maven and Java version produced by -V in your VOTE
> > > reply.
> > > To gather OS information from a command line:
> > > Windows: ver
> > > Linux: uname -a
> > >
> > > 5) Build the site for a single module project
> > >
> > > Note: Some plugins require the components to be installed instead of
> > > packaged.
> > >
> > > mvn site
> > > Check the site reports in:
> > > - Windows: target\site\index.html
> > > - Linux: target/site/index.html
> > >
> > > -the end-
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
> >
> --
> Matt Sicker <boa...@gmail.com>
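
The two checks debated in this thread (published checksums and detached .asc signatures), as an added example that is not part of any message here: a shell function that checks each artifact against a `name=sha512hex` list of the kind quoted in the vote e-mail and runs `gpg --verify` when a `.asc` file sits next to the artifact. The function names, status labels and `demo` data are constructed; it assumes GNU `sha512sum` and a signer key already imported into the local keyring.

```shell
#!/usr/bin/env bash
# Added example: verify artifacts against a "name=sha512hex" list and,
# where NAME.asc exists, against its detached OpenPGP signature.

# verify_release LIST DIR -> 0 only if every listed artifact checks out.
verify_release() {
  local list="$1" dir="$2" name want got rc=0 n=0
  while IFS='=' read -r name want || [ -n "$name" ]; do
    case $name in ''|'#'*) continue ;; esac          # blanks and comments
    n=$((n + 1))
    # A list entry must name a file in DIR, never a path outside it.
    case $name in */*) echo "BAD-NAME $name"; rc=1; continue ;; esac
    want=$(printf '%s' "$want" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name"; rc=1; continue
    fi
    got=$(sha512sum "$dir/$name" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
      echo "BAD-SHA  $name"; rc=1; continue
    fi
    if [ -f "$dir/$name.asc" ]; then
      # The signer's key must already be imported (e.g. from the KEYS file).
      if gpg --batch --verify "$dir/$name.asc" "$dir/$name" 2>/dev/null; then
        echo "OK+SIG   $name"
      else
        echo "BAD-SIG  $name"; rc=1
      fi
    else
      echo "OK-NOSIG $name"                          # digest only, no .asc found
    fi
  done < "$list"
  [ "$n" -gt 0 ] || { echo "EMPTY    $list"; rc=1; } # nothing was checked
  return "$rc"
}

# Constructed sample: one good artifact, then the same list after tampering.
demo() {
  local d rc; d=$(mktemp -d)
  printf 'constructed artifact\n' > "$d/demo-1.0-src.zip"
  { echo '#Release SHA-512s'
    echo "demo-1.0-src.zip=$(sha512sum "$d/demo-1.0-src.zip" | cut -d' ' -f1)"
  } > "$d/sha512.properties"
  verify_release "$d/sha512.properties" "$d" || { rm -rf "$d"; return 1; }
  printf 'x' >> "$d/demo-1.0-src.zip"                # simulate a modified file
  ! verify_release "$d/sha512.properties" "$d"; rc=$?
  rm -rf "$d"; return "$rc"
}
```

An `OK-NOSIG` line means only the digest was compared, so a reviewer who wants the signature check as well has to download the `.asc` files alongside the artifacts.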