Cloned and installed locally from the git tag. I updated Commons RNG to use parent 54 and tested with:
mvn clean package I had to add '.gitattributes' to a list of excluded files for the apache-rat plugin. Not a blocker but this could be moved to commons-parent. The new bill of materials generated by CycloneDX is generated for all modules and appears in the target directory. But there seems to be an issue with this process. I tested a release: mvn -Dcommons.release.dryRun=true -Ptest-deploy -Prelease clean verify deploy Here I get an error message from the install for the CycloneDX bom. [*ERROR*] Failed to execute goal org.apache.maven.plugins:maven-install-plugin:2.5.2:install *(default-install)* on project commons-rng-client-api: *Failed to install artifact org.apache.commons:commons-rng-client-api:xml:cyclonedx:1.5-SNAPSHOT: /Users/ah403/git/commons-rng/commons-rng-client-api/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml (No such file or directory)* -> *[Help 1]* The bom files are: ./target/commons-rng-parent-1.5-SNAPSHOT-bom.xml ./commons-rng-client-api/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml ./commons-rng-core/target/commons-rng-simple-1.5-SNAPSHOT-bom.xml ./commons-rng-core/target/commons-rng-core-1.5-SNAPSHOT-bom.xml ./commons-rng-core/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml ./commons-rng-core/target/commons-rng-sampling-1.5-SNAPSHOT-bom.xml ./commons-rng-core/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml ./commons-rng-simple/target/commons-rng-simple-1.5-SNAPSHOT-bom.xml ./commons-rng-simple/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml ./commons-rng-simple/target/commons-rng-sampling-1.5-SNAPSHOT-bom.xml ./commons-rng-simple/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml ./commons-rng-sampling/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml ./commons-rng-sampling/target/commons-rng-sampling-1.5-SNAPSHOT-bom.xml ./commons-rng-sampling/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml For some reason the CycloneDX bom for commons-rng-parent is placed in the target directory for all the child modules except commons-rng-client-api. So the install fails on this module. I do not know what is different about this module. It has no dependencies other than commons-rng-parent. The other modules are all dependent on it. It seems to be the issue that it is the first child module. A simpler multi-module project is Commons Statistics. It only has one child module. This works with CP 54 for 'mvn verify -Dspotbugs.skip -Dpmd.skip' (I did not suppress 'new' bugs found by an upgraded spotbugs and a weird PMD runtime error) but fails for 'mvn install -Dspotbugs.skip -Dpmd.skip' for the same error. So it seems in the first child module of the multi-module project the parent bom is not copied by cyclone DX. As a final test I tried with Commons Numbers. This again works for 'mvn verify' but not 'mvn install' with the same issue. The first child module is missing the bom for the parent module. Other child modules appear to have a bom for all their dependencies. I see that you did revert the Cyclone DX version to an earlier version due to issues with building the parent POM. So perhaps this is another bug in CycloneDX for multi-module builds. This is not a blocker as the plugin can simply be disabled. However it is not ideal as this plugin is meant to add traceability to the build and currently it does not work for multi-module projects as configured. Alex On Sun, 18 Sept 2022 at 22:39, Bruno Kinoshita <ki...@apache.org> wrote: > [x] +1 Release these artifacts > > Thanks! > > On Mon, 19 Sept 2022 at 03:47, Gary Gregory <garydgreg...@gmail.com> > wrote: > > > We have fixed a few bugs and added enhancements since Apache Commons > > Parent 53 was released, so I would like to release Apache Commons > > Parent 54. > > > > Apache Commons Parent 54 RC1 is available for review here: > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1 > > (svn revision 56878) > > > > The Git tag commons-parent-54-RC1 commit for this RC is > > efd8232f4811706ad21bc3583e32d2473256b8d8 which you can browse here: > > > > > https://gitbox.apache.org/repos/asf?p=commons-parent.git;a=commit;h=efd8232f4811706ad21bc3583e32d2473256b8d8 > > You may checkout this tag using: > > git clone https://gitbox.apache.org/repos/asf/commons-parent.git > > --branch <https://gitbox.apache.org/repos/asf/commons-parent.git--branch > > > > commons-parent-54-RC1 commons-parent-54-RC1 > > > > Maven artifacts are here: > > > > > https://repository.apache.org/content/repositories/orgapachecommons-1594/org/apache/commons/commons-parent/54/ > > > > These are the artifacts and their hashes: > > > > #Release SHA-512s > > #Sun Sep 18 11:32:16 EDT 2022 > > Apache\ Commons\ > > > > > Parent-54.spdx.rdf.xml=a5ca11505acdfefabc2bff44f52566220929d3f1b4b7164c9fea0adf4fcb8c04223f5e27089698615264e89a071400a72b19ffc54516343cacbfdeffcf3a7776 > > > > > commons-parent-54-bom.json=ce0bf440d926a725e840459034d59cfe9f9bfc5b9131bee087ed2e80859a8064a5efb2c8abeb9997b08ad8fe693b1a8587c38721cca7ff63701e1ee1407ac17c > > > > > commons-parent-54-bom.xml=2e2f29e1d26d9f5493ea83ea9707109f755fea41a16949f56438338875ee3e21c44a362d9f58c265bf43adb7a250647c463faa3275ba042eb8673686f6a29adf > > > > > commons-parent-54-site.xml=735ffceca46a0574d430b4e1213a2462b9475143c0788913312b8af117eaf3b7c02a075aaf6d9b30d2560822339651cb511b838f6c9f2bced46de1fc1227c5ff > > > > > commons-parent-54-src.tar.gz=7b800ea9fcb607e2e44dea906d203abdc4452872b207b4ae4229090c3e9dc471f53dea6515c487453eeb17aef833b7394ee00cb1a9edd424cfc7bb6860841e07 > > > > > commons-parent-54-src.zip=9b3674b54052c7b56e9f3b1fe5a8bdf6673007e2c1e9a9aff2491fefdc04554550a6725bc58fe92f3b417e1284e5a61b20004fbcf514f9df0e1ef832a56bc890 > > > > I have tested this with 'mvn -V -Duser.name=$my_apache_id > > -Ddoclint=none -Prelease -Ptest-deploy clean package site deploy' > > using: > > > > Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63) > > Maven home: /usr/local/Cellar/maven/3.8.6/libexec > > Java version: 1.8.0_345, vendor: Homebrew, runtime: > > /usr/local/Cellar/openjdk@8 > > /1.8.0+345/libexec/openjdk.jdk/Contents/Home/jre > > Default locale: en_US, platform encoding: UTF-8 > > OS name: "mac os x", version: "12.6", arch: "x86_64", family: "mac" > > > > Darwin ***.local 21.6.0 Darwin Kernel Version 21.6.0: Mon Aug 22 > > 20:17:10 PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64 x86_64 > > > > Details of changes since 53 are in the release notes: > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/RELEASE-NOTES.txt > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/site/changes-report.html > > > > Site: > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/site/index.html > > (note some *relative* links are broken and the 54 directories are > > not yet created - these will be OK once the site is deployed.) > > > > RAT Report: > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/site/rat-report.html > > > > KEYS: > > https://www.apache.org/dist/commons/KEYS > > > > Please review the release candidate and vote. > > This vote will close no sooner than 72 hours from now. > > > > [ ] +1 Release these artifacts > > [ ] +0 OK, but... > > [ ] -0 OK, but really should fix... > > [ ] -1 I oppose this release because... > > > > Thank you, > > > > Gary Gregory, > > Release Manager (using key 86fdc7e2a11262cb) > > > > For following is intended as a helper and refresher for reviewers. > > > > Validating a release candidate > > ============================== > > > > These guidelines are NOT complete. > > > > Requirements: Git, Java, Maven. > > > > You can validate a release from a release candidate (RC) tag as follows. > > > > 1) Clone and checkout the RC tag > > > > git clone https://gitbox.apache.org/repos/asf/commons-parent.git > > --branch commons-parent-54-RC1 commons-parent-54-RC1 > > cd commons-parent-54-RC1 > > > > 2) Check Apache licenses > > > > This step is not required if the site includes a RAT report page which > > you then must check. > > > > mvn apache-rat:check > > > > 3) Build the package > > > > mvn -V clean verify > > > > You can record the Maven and Java version produced by -V in your VOTE > > reply. > > To gather OS information from a command line: > > Windows: ver > > Linux: uname -a > > > > 4) Build the site for a single module project > > > > Note: Some plugins require the components to be installed instead of > > packaged. > > > > mvn site > > Check the site reports in: > > - Windows: target\site\index.html > > - Linux: target/site/index.html > > > > -the end- > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > >
