I have:
* checked out git tag commons-csv-1.13.0-RC1
* verified it corresponds to f2f1cffe53cde4b36623403bdc27855cec01fac2
* downloaded source zip and tgz
* verified the hashes match
139a40878b45027d2b7b481eb0ec51f829c155747b096b4acb639ee18acc2b4c994232d623cd2bdf84d8147ec96a4cf9b327567435f2806f0dc9680115ca9f1d
 and 
011143339d9e71b8319226fa58befeac34fc4ef0d4a2a3c53edefe67f6a5bc6a957eba0c1711f92f5a546fd1cc323e1dcf1ab10b0b9bf303130555d38fc3c2df
* verified there are no meaningful differences between the tgz and git
(though it's weird CSVBenchmark.java is missing from the tgz)
* verified .zip and .tgz are signed by Gary's key from
https://downloads.apache.org/commons/KEYS
* checked 'mvn apache-rat:check' succeeds
* built with Java 17.0.13 and verified the resulting jar is bit-by-bit
identical to 
https://repository.apache.org/content/repositories/orgapachecommons-1802/org/apache/commons/commons-csv/1.13.0/commons-csv-1.13.0.jar
* built the site.
* checked the log4j-core-test testsuite still succeeds against this new version

It's unfortunate the hash of commons-codec in the cyclonedx is
unexpected, but I'm not convinced this should require restarting the
release yet. It might be good to drop the staging repository and
rebuild (verifying the hashes are the same, except for the updated
cyclonedx).

This is my +1

On Wed, Jan 8, 2025 at 3:02 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>
> We have fixed a few bugs and added enhancements since Apache Commons
> CSV 1.12.0 was released, so I would like to release Apache Commons CSV
> 1.13.0.
>
> Apache Commons CSV 1.13.0 RC1 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1 (svn
> revision 74044)
>
> The Git tag commons-csv-1.13.0-RC1 commit for this RC is
> f2f1cffe53cde4b36623403bdc27855cec01fac2 which you can browse here:
>     
> https://gitbox.apache.org/repos/asf?p=commons-csv.git;a=commit;h=f2f1cffe53cde4b36623403bdc27855cec01fac2
> You may checkout this tag using:
>     git clone https://gitbox.apache.org/repos/asf/commons-csv.git
> --branch commons-csv-1.13.0-RC1 commons-csv-1.13.0-RC1
>
> Maven artifacts are here:
>     
> https://repository.apache.org/content/repositories/orgapachecommons-1802/org/apache/commons/commons-csv/1.13.0/
>
> These are the artifacts and their hashes:
>
>
> I have tested this with 'mvn' and 'mvn -e -V -P release -P test-deploy
> -P jacoco -P japicmp clean package site deploy' using:
>
> openjdk version "17.0.13" 2024-10-15
> OpenJDK Runtime Environment Homebrew (build 17.0.13+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.13+0, mixed mode, sharing)
>
> Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
> Maven home: /opt/homebrew/Cellar/maven/3.9.9/libexec
> Java version: 17.0.13, vendor: Homebrew, runtime:
> /opt/homebrew/Cellar/openjdk@17/17.0.13/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "15.2", arch: "aarch64", family: "mac"
>
> Darwin ****.local 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec  6
> 19:03:40 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6041 arm64
> Docker version 27.3.1, build ce12230
>
> Details of changes since 1.12.0 are in the release notes:
>     
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/RELEASE-NOTES.txt
>     
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/changes.html
>
> Site:
>     
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/index.html
>     (note some *relative* links are broken and the 1.13.0 directories
> are not yet created - these will be OK once the site is deployed.)
>
> JApiCmp Report (compared to 1.12.0):
>     
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/japicmp.html
>
> RAT Report:
>     
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/rat-report.html
>
> KEYS:
>   https://downloads.apache.org/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==============================
>
> These guidelines are NOT complete.
>
> Requirements: Git, Java, Maven.
>
> You can validate a release from a release candidate (RC) tag as follows.
>
> 1a) Clone and checkout the RC tag
>
> git clone https://gitbox.apache.org/repos/asf/commons-csv.git --branch
> commons-csv-1.13.0-RC1 commons-csv-1.13.0-RC1
> cd commons-csv-1.13.0-RC1
>
> 1b) Download and unpack the source archive from:
>
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/source
>
> 2) Check Apache licenses
>
> This step is not required if the site includes a RAT report page which
> you then must check.
>
> mvn apache-rat:check
>
> 3) Check binary compatibility
>
> Older components still use Apache Clirr:
>
> This step is not required if the site includes a Clirr report page
> which you then must check.
>
> mvn clirr:check
>
> Newer components use JApiCmp with the japicmp Maven Profile:
>
> This step is not required if the site includes a JApiCmp report page
> which you then must check.
>
> mvn install -DskipTests -P japicmp japicmp:cmp
>
> 4) Build the package
>
> mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-


--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
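
The hash and bit-for-bit checks listed in this vote can be scripted. The following is an added example, not part of the original message or of the Commons release tooling: it checks a directory of downloaded artifacts against an `artifact=hexdigest` list with `#` comment lines, and compares a rebuilt file with a staged one. The function names and the demo files are constructed for illustration.

```shell
# Added example: check downloaded artifacts against an "artifact=sha512" list.
# Function names and the demo files below are constructed for illustration.

# Print the lowercase hex SHA-512 of FILE (GNU coreutils or macOS shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_release LIST DIR
# Returns 0 only if every artifact named in LIST exists in DIR and matches.
verify_release() {
    list=$1; dir=$2; rc=0
    while IFS='=' read -r name want || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac          # blank or comment line
        # Refuse names with path components so the list cannot reach outside DIR.
        case $name in */*) echo "BADNAME  $name"; rc=1; continue ;; esac
        [ -f "$dir/$name" ] || { echo "MISSING  $name"; rc=1; continue; }
        got=$(sha512_of "$dir/$name")
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f' | tr -d '[:space:]')
        if [ "$got" = "$want" ]; then echo "OK       $name"
        else echo "MISMATCH $name"; rc=1; fi
    done < "$list"
    return $rc
}

# Bit-for-bit comparison, as for a locally rebuilt jar against the staged one.
same_bytes() { cmp -s "$1" "$2"; }

# Constructed demo: list two stand-in artifacts, then alter one after listing.
demo() {
    d=$(mktemp -d)
    printf 'source archive\n' > "$d/demo-src.tar.gz"
    printf 'jar bytes\n'      > "$d/demo.jar"
    {
        echo '#Release SHA-512s'
        echo "demo-src.tar.gz=$(sha512_of "$d/demo-src.tar.gz")"
        echo "demo.jar=$(sha512_of "$d/demo.jar")"
    } > "$d/sha512.properties"
    verify_release "$d/sha512.properties" "$d" && echo "all artifacts match"
    printf 'x' >> "$d/demo.jar"
    verify_release "$d/sha512.properties" "$d" || echo "list does not match"
    rm -rf "$d"
}
demo
```

A matching hash only shows the download equals what the list describes; the signature check against the KEYS file is what ties the artifacts to the release manager.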
