I checked:
* 1.2.0-M2 corresponds to a75dde28fe9e340a2f89c349f05a4ee5281417be
* sha512 of the 2 source archives match
a64cd4d283ca0afa2351ee208de5617fe568e885ea764fd52037e91714a4a1f3ffbe10217a520d1d89722acf0a31576144b71a49c13bd10fe03689a7565a1a82
and 
d9326c635bc316465e47a38a894635e192b069576a07163749bf2969f9096912ddc714264e3ecab05b4cee9d08ddbed3e27e76cf119684673a182aa291211c90
* No relevant differences between git and the 2 archives
* Both source archives are signed by Gary's key from KEYS
* 'mvn' succeeds
* the staged artifacts reproduce when ignoring the CycloneDX SBOMs and
building with jdk21

I only spot-checked the code changes relative to M2.

This is my +1

Versions used:
Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: /nix/store/jpzwha9v268cka0vnfyi3i4jy5jflqnh-maven-3.9.9/maven
Java version: 21.0.7, vendor: N/A, runtime:
/nix/store/qagnl38l96xcbx17ll0v9zswhcl1nqw6-openjdk-21.0.7+6/lib/openjdk
Default locale: en_DK, platform encoding: UTF-8
OS name: "linux", version: "6.12.22", arch: "amd64", family: "unix"

On Fri, May 9, 2025 at 3:02 AM Gary Gregory <ggreg...@apache.org> wrote:
>
> We have fixed a few bugs and added enhancements since Apache Commons
> FileUpload 2.0.0-M2 was released, so I would like to release Apache
> Commons FileUpload 2.0.0-M3.
>
> Apache Commons FileUpload 2.0.0-M3 RC1 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/fileupload/2.0.0-M3-RC1
> (svn revision 76739)
>
> The Git tag commons-fileupload-2.0.0-M3-RC1 commit for this RC is
> a75dde28fe9e340a2f89c349f05a4ee5281417be which you can browse here:
>     https://gitbox.apache.org/repos/asf?p=commons-fileupload.git;a=commit;h=a75dde28fe9e340a2f89c349f05a4ee5281417be
> You may checkout this tag using:
>     git clone https://gitbox.apache.org/repos/asf/commons-fileupload.git --branch commons-fileupload-2.0.0-M3-RC1 commons-fileupload-2.0.0-M3-RC1
>
> Maven artifacts are here:
>     https://repository.apache.org/content/repositories/orgapachecommons-1834/org/apache/commons/
>
> These are the artifacts and their hashes:
>
> ${commons.sha512list}
>
>
> I have tested this with 'mvn' and 'mvn clean site' using:
>
> Details of changes since 2.0.0-M2 are in the release notes:
>     https://dist.apache.org/repos/dist/dev/commons/fileupload/2.0.0-M3-RC1/RELEASE-NOTES.txt
>     https://dist.apache.org/repos/dist/dev/commons/fileupload/2.0.0-M3-RC1/site/changes.html
>
> Site:
>     https://dist.apache.org/repos/dist/dev/commons/fileupload/2.0.0-M3-RC1/site/index.html
>     (note some *relative* links are broken and the 2.0.0-M3
> directories are not yet created - these will be OK once the site is
> deployed.)
>
> JApiCmp Report: There is no report because this is a milestone to a
> new major release with a new package name.
>
> RAT Report:
>     https://dist.apache.org/repos/dist/dev/commons/fileupload/2.0.0-M3-RC1/site/rat-report.html
>
> KEYS:
>   https://downloads.apache.org/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==============================
>
> These guidelines are NOT complete.
>
> Requirements: Git, Java, and Maven.
>
> You can validate a release from a release candidate (RC) tag as follows.
>
> 1a) Download and decompress the source archive from:
>
> https://dist.apache.org/repos/dist/dev/commons/fileupload/2.0.0-M3-RC1/source
>
> 1b) Check out the RC tag from git (optional)
>
> This is optional, as a reviewer must check source distributions as a minimum.
>
> git clone https://gitbox.apache.org/repos/asf/commons-fileupload.git --branch commons-fileupload-2.0.0-M3-RC1 commons-fileupload-2.0.0-M3-RC1
> cd commons-fileupload-2.0.0-M3-RC1
>
> 2) Checking the build
>
> All components should include a default Maven goal, such that you can
> run 'mvn' from the command line by itself.
>
> 2) Check Apache licenses
>
> This step is not required if the site includes a RAT report page which
> you then must check.
> This check should be included in the default Maven build, but you can
> check it with:
>
> mvn apache-rat:check
>
> 3) Check binary compatibility
>
> This step is not required if the site includes a JApiCmp report page
> which you then must check.
> This check should be included in the default Maven build, but you can
> check it with:
>
> mvn verify -DskipTests -P japicmp japicmp:cmp
>
> 4) Build the package
>
> This check should be included in the default Maven build, but you can
> check it with:
>
> mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 4b) Check reproducibility
>
> To check that a build is reproducible, run:
>
> mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
>
> Note that this excludes SPDX files from the check.
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> 6) Build the site for a multi-module project
>
> mvn site
> mvn site:stage
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> Note that the project reports are created for each module.
> Modules can be accessed using the 'Project Modules' link under
> the 'Project Information' menu (see <path-to-site>/modules.html).
>
> -the end-
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>


-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
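
The checksum, signature and git-versus-archive checks listed in the reply above, as an added shell example that is not part of the original message or of Apache Commons tooling. The function names and their file arguments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: reviewer-side checks on a release candidate source archive.

# Print the lowercase SHA-512 hex digest of a file.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum < "$1" | awk '{print tolower($1)}'
  else
    shasum -a 512 < "$1" | awk '{print tolower($1)}'
  fi
}

# check_sha512 ARCHIVE SUMFILE
# Accepts a bare digest or the "digest  name" / "digest *name" layouts,
# upper or lower case, CRLF or LF line endings.
# Returns 0 on match, 1 on mismatch, 2 if SUMFILE holds no valid digest.
check_sha512() {
  expected=$(tr -d '\r' < "$2" | awk 'NF {print tolower($1); exit}')
  case $expected in
    ''|*[!0-9a-f]*) echo "malformed digest in $2" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 128 ] || { echo "malformed digest in $2" >&2; return 2; }
  [ "$(sha512_of "$1")" = "$expected" ] || { echo "MISMATCH: $1" >&2; return 1; }
}

# check_signature ARCHIVE SIGNATURE KEYS
# Verifies the detached signature in a throwaway keyring that holds only the
# keys from the project's KEYS file, so a key that merely happens to be in
# the reviewer's own keyring cannot satisfy the check.
check_signature() {
  home=$(mktemp -d) || return 2
  chmod 700 "$home"
  if gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null &&
     gpg --homedir "$home" --batch --verify "$2" "$1" 2>/dev/null; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$home"
  return "$rc"
}

# diff_against_tag EXTRACTED_ARCHIVE_DIR GIT_CHECKOUT_DIR
# Lists files that differ or exist on one side only; exits 0 when identical.
diff_against_tag() {
  diff -rq -x .git "$1" "$2"
}
```

Files that are expected to exist only in the git checkout or only in the archive will show up in the `diff_against_tag` output and need a manual look.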
