I have:
* checked out git tag commons-pool-2.12.1-RC1
* verified it corresponds to a65fc3457817abf993fdb29b69912346a2b4838b
* downloaded source zip and tgz
* verified the hashes match c6c9731705c5d09f007a76350a35c3fb176184391923e8b1ab761b745f1256d79d0859b4f2802d065b6b9605174e771665debba26b4b1063d4941a49fa72d3e0 and 2d1f728b8f8d0d98d243350fe00ac85a2dbd1b84c81734cc0d353bb6d736acd9b8053f7755d7c90fe037e46ff2deb9c97551230ca67961a09b42baf398879cd5
* verified there are no meaningful differences between the tgz and git (though it's weird src/assembly is missing from the tgz)
* verified .zip and .tgz are signed by Gary's key from https://downloads.apache.org/commons/KEYS
* checked 'mvn' succeeds
* built with Java 17.0.13 and ran the 'mvn verify artifact:compare' command from the instructions. This succeeds, but clearly does not check the assembly (as those cannot be built from the source release).
* checked the testsuite of a number of openmeetings components still succeeds against this new version

This is my +1, though we should probably figure out why the src/assembly isn't in the source release.

On Mon, Jan 20, 2025 at 3:34 PM Gary Gregory <garydgreg...@gmail.com> wrote:

> We have fixed a few bugs since Apache Commons Pool 2.12.0 was
> released, so I would like to release Apache Commons Pool 2.12.1.
>
> Apache Commons Pool 2.12.1 RC1 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/pool/2.12.1-RC1
> (svn revision 74303)
>
> The Git tag commons-pool-2.12.1-RC1 commit for this RC is
> a65fc3457817abf993fdb29b69912346a2b4838b which you can browse here:
>
>     https://gitbox.apache.org/repos/asf?p=commons-pool.git;a=commit;h=a65fc3457817abf993fdb29b69912346a2b4838b
> You may checkout this tag using:
>     git clone https://gitbox.apache.org/repos/asf/commons-pool.git --branch commons-pool-2.12.1-RC1 commons-pool-2.12.1-RC1
>
> Maven artifacts are here:
>
>     https://repository.apache.org/content/repositories/orgapachecommons-1804/org/apache/commons/commons-pool2/2.12.1/
>
> These are the artifacts and their hashes:
>
> #Release SHA-512s
> #Mon Jan 20 14:20:01 UTC 2025
>
> I have tested this with
> - mvn
> - mvn -e -V -P release -P test-deploy -P jacoco -P japicmp clean package site deploy
> - mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
>
> openjdk version "17.0.13" 2024-10-15
> OpenJDK Runtime Environment Homebrew (build 17.0.13+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.13+0, mixed mode, sharing)
>
> Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
> Maven home: /opt/homebrew/Cellar/maven/3.9.9/libexec
> Java version: 17.0.13, vendor: Homebrew, runtime: /opt/homebrew/Cellar/openjdk@17/17.0.13/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "15.2", arch: "aarch64", family: "mac"
>
> Darwin ****.local 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec 6 19:03:40 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6041 arm64
> Docker version 27.3.1, build ce12230
>
> Details of changes since 2.12.0 are in the release notes:
>
>     https://dist.apache.org/repos/dist/dev/commons/pool/2.12.1-RC1/RELEASE-NOTES.txt
>     https://dist.apache.org/repos/dist/dev/commons/pool/2.12.1-RC1/site/changes.html
>
> Site:
>
>     https://dist.apache.org/repos/dist/dev/commons/pool/2.12.1-RC1/site/index.html
> (note some *relative* links are broken and the 2.12.1 directories
> are not yet created - these will be OK once the site is deployed.)
>
> JApiCmp Report (compared to 2.12.0):
>
>     https://dist.apache.org/repos/dist/dev/commons/pool/2.12.1-RC1/site/japicmp.html
>
> RAT Report:
>
>     https://dist.apache.org/repos/dist/dev/commons/pool/2.12.1-RC1/site/rat-report.html
>
> KEYS:
>     https://downloads.apache.org/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==============================
>
> These guidelines are NOT complete.
>
> Requirements: Git, Java, and Maven.
>
> You can validate a release from a release candidate (RC) tag as follows.
>
> 1a) Download and decompress the source archive from:
>
>     https://dist.apache.org/repos/dist/dev/commons/pool/2.12.1-RC1/source
>
> 1b) Check out the RC tag from git (optional)
>
> This is optional, as a reviewer must check source distributions as a
> minimum.
>
>     git clone https://gitbox.apache.org/repos/asf/commons-pool.git --branch commons-pool-2.12.1-RC1 commons-pool-2.12.1-RC1
>     cd commons-pool-2.12.1-RC1
>
> 2) Checking the build
>
> All components should include a default Maven goal, such that you can
> run 'mvn' from the command line by itself.
>
> 2) Check Apache licenses
>
> This step is not required if the site includes a RAT report page which
> you then must check.
> This check should be included in the default Maven build, but you can
> check it with:
>
>     mvn apache-rat:check
>
> 3) Check binary compatibility
>
> This step is not required if the site includes a JApiCmp report page
> which you then must check.
> This check should be included in the default Maven build, but you can
> check it with:
>
>     mvn verify -DskipTests -P japicmp japicmp:cmp
>
> 4) Build the package
>
> This check should be included in the default Maven build, but you can
> check it with:
>
>     mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE
> reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 4b) Check reproducibility
>
> To check that a build is reproducible, run:
>
>     mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
>
> Note that this excludes SPDX files from the check.
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of
> packaged.
>
>     mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-

-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
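
Two of the checks in this review, matching downloaded artifacts against a list of `name=sha512` lines and looking for files that are in the git checkout but absent from the source archive, can be scripted as in the following added example, which is not part of the thread and is not Apache Commons tooling. The function names and the `demo-src` sample data are constructed for illustration, and the checkout is walked on disk rather than queried through git. A matching hash only shows the download is the file the vote refers to, so the signature check against KEYS remains a separate step.

```python
import hashlib, os, pathlib, tarfile, tempfile

def parse_manifest(text):
    """Read 'name=sha512' lines; '#' starts a comment, '>' is mail quoting."""
    out = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if line and not line.startswith("#") and "=" in line:
            name, digest = line.split("=", 1)
            out[name.strip()] = digest.strip().lower()
    return out

def sha512_of(path):
    with open(path, "rb") as f:  # release archives are small enough to read whole
        return hashlib.sha512(f.read()).hexdigest()

def verify(manifest, directory):
    """Map each listed artifact to 'ok', 'mismatch' or 'missing'."""
    def state(name, want):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            return "missing"
        return "ok" if sha512_of(path) == want else "mismatch"
    return {name: state(name, want) for name, want in manifest.items()}

def missing_from_archive(archive, checkout):
    """Files in the checkout (ignoring .git) that the source archive lacks."""
    with tarfile.open(archive) as tar:
        # Drop the archive's single top-level directory before comparing.
        packed = {m.name.split("/", 1)[1] for m in tar if m.isfile() and "/" in m.name}
    root = pathlib.Path(checkout)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*")
               if p.is_file() and ".git" not in p.relative_to(root).parts}
    return sorted(on_disk - packed)

def demo():
    """Constructed sample: the checkout has src/assembly, the archive does not."""
    tmp = tempfile.mkdtemp()
    co = os.path.join(tmp, "checkout")
    for rel in ("pom.xml", "src/main/A.java", "src/assembly/src.xml"):
        os.makedirs(os.path.dirname(os.path.join(co, rel)), exist_ok=True)
        open(os.path.join(co, rel), "w").close()
    tgz = os.path.join(tmp, "demo-src.tar.gz")
    with tarfile.open(tgz, "w:gz") as tar:
        for rel in ("pom.xml", "src/main/A.java"):
            tar.add(os.path.join(co, rel), arcname="demo-src/" + rel)
    listing = ("#Release SHA-512s\n> demo-src.tar.gz=%s\n> demo-src.zip=%s\n"
               % (sha512_of(tgz).upper(), "0" * 128))
    return verify(parse_manifest(listing), tmp), missing_from_archive(tgz, co)
```

Calling `demo()` returns the per-artifact verdicts and the list of paths missing from the archive for the constructed sample.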