On Thu, 6 Oct 2022 at 16:09, Gilles Sadowski <gillese...@gmail.com> wrote:
> > These are the artifacts and their hashes:
> >
> > #Release SHA-512s
> > #Tue Oct 04 13:00:24 BST 2022
> > commons-rng-1.5-bin.tar.gz=9e98092cb123a1873cc4ab05ebd87681b9f5fe171ad53cd00488c33e0ab2c7fb8a0bdd9c903a3bde7bc2e4f4035b07cf223b0d921e35d00fcea226ec16f86b5c
> > commons-rng-1.5-bin.zip=ad01629da0ef089641c4a7a8fed8e2dd9f1ed0fec3e9cc6fd19df22e0516bc8c1a4699a8d2104b5878a13ad9fbec724b85ca0a71c1e3027673cbcab8a5911b30
> > commons-rng-1.5-src.tar.gz=7fdfcd9ee43ac51f73eb6781d8fae7f313bf20658af84383ff791779def56c690458b99f2e996ce7fec8588db3218f23eea6dc6c2ff7d692f4209b78eb4b4dd8
> > commons-rng-1.5-src.zip=e1624601d449eecca660839b592c4deb7386ef77a09d613002e8220149f244cbb5bc70c08100fe27eb0d448efea7aef8ac1ebe26f416d846ba3bccd4f43d82e5
> >
> > Signatures may be validated on a system supporting a bash unix shell by
> > executing:
> > svn co https://dist.apache.org/repos/dist/dev/commons/rng/1.5-RC1/
> > cd 1.5-RC1
> > chmod +x ./signature-validator.sh
> > for m in client-api core simple sampling bom; do
> > ./signature-validator.sh
> > https://repository.apache.org/content/repositories/orgapachecommons-1596/org/apache/commons/commons-rng-${m}/1.5/
> > ;
> > done
>
> The output of this script without argument ends with
> ---CUT---
> SUCCESSFUL VALIDATION
> ---CUT---
> [Of course there are also hints that something went wrong, but the
> final line is misleading.]
>
> Suggestions:
> 1. Could the validating script be tailored to the corresponding release
> (i.e. the above lines would be included (together with code that collects
> all errors if multiple artefacts/modules must be checked)?
> [The script itself would thus change for each component and release.]
> 2. The above command line (bash loop) fails (although reporting success
> as noted above) because the URL is not on the same line as
> ./signature-validator.sh
>
> Signatures checked.

I've not used the signature-validator script before. I presume it is deployed by the commons release plugin.
I just pasted in a command that worked for me locally. I hope that it did pull down artifacts for you. When used incorrectly it retrieves the src/bin archives but nothing from the nexus repo. In that case it should be made to error but instead it silently pulls down nothing and says that (nothing) is OK.

It could be made to accept multiple arguments for each module to pull them all down from the staged nexus repo. The release plugin generates the vote email so the command could be added in that. It is something I may look into.

However it may not strictly be necessary for the nexus artifacts. I think nexus validates the artifacts match the checksums anyway. For the first release candidate the .asc file did not match the bom artifact and nexus had an error when trying to close the repo. So it does at least check the .asc files.

The validator does download the source and binary distributions and validate those. These are not part of nexus and so it is useful to check the official releases.

> > Details of changes since 1.4 are in the release notes:
> > https://dist.apache.org/repos/dist/dev/commons/rng/1.5-RC1/RELEASE-NOTES.txt
> > https://home.apache.org/~aherbert/commons-rng-1.5-RC1-site/changes-report.html
> >
> > Site:
> > https://home.apache.org/~aherbert/commons-rng-1.5-RC1-site/index.html
> > (note some *relative* links are broken and the 1.5 directories are not
> > yet created - these will be OK once the site is deployed.)
>
> Still wondering why the (expectedly broken) site is part of the
> release review...
> [It is possible to break the site afterwards too anyways ;-).]

I think the 'broken links' just refers to links to other apache and commons websites (because some are relative and so require the site to be in the official location) and also to the 1.5 javadocs. These are not created until the vote has passed. But the 'Latest API docs (development)' link does work and will take you to the release javadocs.

Alex
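
The fail-closed behaviour discussed in this thread (error when nothing was validated, and report every failure across artifacts), as an added example that is not part of the original messages or of signature-validator.sh. It checks SHA-512 values from a `name=hash` manifest in the format quoted above; the function name `verify_manifest`, the demo file names and the use of `sha512sum` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: fail-closed SHA-512 check of a "name=hash" manifest.
# verify_manifest is a hypothetical name, not part of the release plugin.

verify_manifest() {
    local manifest="$1" dir="$2" checked=0 failed=0 name expected actual
    while IFS='=' read -r name expected || [ -n "$name" ]; do
        # Skip blank lines and "#Release SHA-512s" style comment lines.
        case $name in ''|'#'*) continue ;; esac
        checked=$((checked + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            failed=$((failed + 1))
            continue
        fi
        actual=$(sha512sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name" >&2
            failed=$((failed + 1))
        fi
    done < "$manifest"
    # Fail closed: zero artifacts checked is an error, not a success.
    if [ "$checked" -eq 0 ]; then
        echo "FAILED: nothing was validated" >&2
        return 2
    fi
    if [ "$failed" -gt 0 ]; then
        echo "FAILED: $failed of $checked artifacts" >&2
        return 1
    fi
    echo "SUCCESSFUL VALIDATION ($checked artifacts)"
}

# Constructed demo input: two throwaway files, not real release artifacts.
demo=$(mktemp -d)
printf 'src\n' > "$demo/demo-src.tar.gz"
printf 'bin\n' > "$demo/demo-bin.tar.gz"
{
    echo '#Release SHA-512s (constructed)'
    for f in demo-src.tar.gz demo-bin.tar.gz; do
        echo "$f=$(sha512sum "$demo/$f" | cut -d' ' -f1)"
    done
} > "$demo/sha512.properties"
verify_manifest "$demo/sha512.properties" "$demo"
```

The return code distinguishes "nothing validated" (2) from "at least one artifact failed" (1), so a calling loop can treat both as failure while still logging which case occurred.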