On Thu, 30 Apr 2026 at 18:12, Rob Tompkins <[email protected]> wrote:
> Or send a script that properly downloads all the artifacts from nexus and
> svn, and computes all the md5 checksums, sha512s, and gpg signatures all
> the while scanning across the directory structure. I spent over 80 hours on
> my script so that I have time to validate releases.
>

I agree that manually validating can be time-consuming. However, we already
have software tools available to help.

Regarding the GPG signatures, the vote only concerns the 4 release artifacts.
This is no different than any other commons release regarding verifying
signatures. I believe your release helper script will validate the source and
binary distributions as it does for all other commons releases.

If you wish to verify the additional Maven artifacts (that are not an official
part of the release) then the validating a release section now contains this
(which does not work without some caveats, see below):

---
4b) Check reproducibility

To check that a build is reproducible, run:

mvn clean verify artifact:compare -DskipTests \
    -Dreference.repo=https://repository.apache.org/content/repositories/staging/ \
    '-Dbuildinfo.ignore=*/*.spdx.json'

Note that this excludes SPDX files from the check.
---

Caveats:

1. The timezone must match.
2. The JDK must match the one used for the release build.
3. For me, I had to exclude other SPDX files.

This works on a different machine to the one I used for a release:

# Use JDK 11
export TZ="Europe/London"
mvn clean verify artifact:compare -DskipTests \
    -Dreference.repo=https://repository.apache.org/content/repositories/staging/ \
    '-Dbuildinfo.ignore=*/*.spdx.json,*/*.spdx.rdf.xml'

Regards,

Alex

>
> -Tompkins
>
> > On Apr 30, 2026, at 1:09 PM, Rob Tompkins <[email protected]> wrote:
> >
> > There are too many modules. Either make the modules worthy of top level
> > projects or condense them. I can not reasonably verify all the signatures
> > of all of the artifacts.
> >
> > -Tompkins
> >
> >> On Apr 27, 2026, at 6:58 AM, Alex Herbert <[email protected]> wrote:
> >>
> >> We have fixed quite a few bugs and added some significant enhancements
> >> since Apache Commons Statistics 1.2 was released,
> >> so I would like to release Apache Commons Statistics 1.3.
> >>
> >> Apache Commons Statistics 1.3 RC1 is available for review here:
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1 (svn revision 84131)
> >>
> >> The Git tag commons-statistics-1.3-RC1 commit for this RC is
> >> commons-statistics-1.3-RC1, which you can browse here:
> >>
> >> https://gitbox.apache.org/repos/asf?p=commons-statistics.git;a=commit;h=commons-statistics-1.3-RC1
> >>
> >> You may checkout this tag using:
> >> git clone https://gitbox.apache.org/repos/asf/commons-statistics.git \
> >>     --branch commons-statistics-1.3-RC1 commons-statistics-1.3-RC1
> >>
> >> Maven artifacts are here:
> >>
> >> https://repository.apache.org/content/repositories/orgapachecommons-1933/org/apache/commons/
> >>
> >> These are the artifacts and their hashes:
> >>
> >> #Release SHA-512s
> >> #Mon Apr 27 11:43:04 BST 2026
> >> commons-statistics-1.3-bin.tar.gz=e49b6d8f20a23995e38f92b2635398adf08683f27b7045590dd3eb717eac6f4a9f02969b2ca52998afc178ad5547ae5fbb5784d4874fd8ffe2a99a86000767ff
> >> commons-statistics-1.3-bin.zip=53e30beae556be7d7d73a9b244519695eaa7e041119953d6c9b34bafc7cd7edbf31ca79c1936539bddf71de3a510bb363249580d7f9477a2fc0d27e48c4e9ed5
> >> commons-statistics-1.3-src.tar.gz=441f94f072eb43e070843ea254ad7b907a1b8c3ea5213e0210801a989c7376e5fb9d840cbe6260bc13d3b16d2dc80b4d14e3edd1088e16b6fe906c2b216c792a
> >> commons-statistics-1.3-src.zip=b7259bbc4f576050b05a1e9e327a5a862a9eeb1c51ae9f6a92116f95828a2da642807517af1ad893e25203284ac2f205ecfe42c66f2c64aaff72cebc4ad36ccb
> >>
> >> I have tested this with 'mvn clean install' and 'mvn clean install site
> >> site:stage -Pexamples' using:
> >>
> >> Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
> >> Maven home: /Users/ah403/mvn/mvn
> >> Java version: 11.0.29, vendor: Eclipse Adoptium, runtime: /Library/Java/JavaVirtualMachines/temurin-11.jdk/Contents/Home
> >> Default locale: en_GB, platform encoding: UTF-8
> >> OS name: "mac os x", version: "26.3.1", arch: "aarch64", family: "mac"
> >>
> >> Details of changes since 1.2 are in the release notes:
> >>
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/RELEASE-NOTES.txt
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/changes.html
> >>
> >> Site:
> >>
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/index.html
> >> (note some *relative* links are broken and the 1.3 directories are not
> >> yet created - these will be OK once the site is deployed.)
> >>
> >> JApiCmp Report:
> >>
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-descriptive/japicmp.html
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-distribution/japicmp.html
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-inference/japicmp.html
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-interval/japicmp.html
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/commons-statistics-ranking/japicmp.html
> >>
> >> RAT Report:
> >>
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/site/rat-report.html
> >>
> >> KEYS:
> >> https://downloads.apache.org/commons/KEYS
> >>
> >> Please review the release candidate and vote.
> >> This vote will close no sooner than 72 hours from now.
> >>
> >> [ ] +1 Release these artifacts
> >> [ ] +0 OK, but...
> >> [ ] -0 OK, but really should fix...
> >> [ ] -1 I oppose this release because...
> >>
> >> Thank you,
> >>
> >> Alex Herbert,
> >> Release Manager (using key BC87A3FD0A54480F0BADBEBD21939FF0CA2A6567)
> >>
> >> The following is intended as a helper and refresher for reviewers.
> >>
> >> Validating a release candidate
> >> ==============================
> >>
> >> These guidelines are NOT complete.
> >>
> >> Requirements: Git, Java, and Maven.
> >>
> >> You can validate a release from a release candidate (RC) tag as follows.
> >>
> >> 1a) Download and decompress the source archive from:
> >>
> >> https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1/source
> >>
> >> 1b) Check out the RC tag from git (optional)
> >>
> >> This is optional, as a reviewer must at least check source distributions.
> >>
> >> git clone https://gitbox.apache.org/repos/asf/commons-statistics.git \
> >>     --branch commons-statistics-1.3-RC1 commons-statistics-1.3-RC1
> >> cd commons-statistics-1.3-RC1
> >>
> >> 2) Check Apache licenses
> >>
> >> This step is not required if the site includes a RAT report page, which you
> >> then must check.
> >> This check should be included in the default Maven build, but you can check
> >> it with:
> >>
> >> mvn apache-rat:check
> >>
> >> 3) Check binary compatibility
> >>
> >> This step is not required if the site includes a JApiCmp report page, which
> >> you then must check.
> >> This check should be included in the default Maven build, but you can check
> >> it with:
> >>
> >> mvn verify -DskipTests -P japicmp japicmp:cmp
> >>
> >> 4) Build the package
> >>
> >> This check should be included in the default Maven build, but you can check
> >> it with:
> >>
> >> mvn -V clean package
> >>
> >> You can record the Maven and Java version produced by -V in your VOTE reply.
> >> To gather OS information from a command line:
> >> Windows: ver
> >> Linux: uname -a
> >>
> >> 4b) Check reproducibility
> >>
> >> To check that a build is reproducible, run:
> >>
> >> mvn clean verify artifact:compare -DskipTests \
> >>     -Dreference.repo=https://repository.apache.org/content/repositories/staging/ \
> >>     '-Dbuildinfo.ignore=*/*.spdx.json'
> >>
> >> Note that this excludes SPDX files from the check.
> >>
> >> 5) Build the site for a multi-module project
> >>
> >> mvn site
> >> mvn site:stage
> >> Check the site reports in:
> >> - Windows: target\site\index.html
> >> - Linux: target/site/index.html
> >>
> >> Note that the project reports are created for each module.
> >> Modules can be accessed using the 'Project Modules' link under
> >> the 'Project Information' menu (see <path-to-site>/modules.html).
> >>
> >> -the end-
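
Added example, not part of the thread and not the release helper script mentioned in it: a POSIX shell check of a download directory against a "#Release SHA-512s" listing in the name=hash form used in the vote mail, which also flags files the listing does not cover. The function names and status words are this example's own, and it assumes the listing has been saved without mail quote prefixes and that .asc and .sha512 sidecar files sit beside the artifacts.

```shell
#!/bin/sh
# Added example: check files against a "#Release SHA-512s" listing (name=hash per line).
# Function names and status words are this example's own, not the project's script.

# Print the lowercase hex SHA-512 of one file.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1   # fallback where coreutils is absent
    fi
}

# verify_listing LISTING DIR
# Returns 0 only if every listed file exists in DIR with a matching hash
# and DIR holds no regular file that the listing does not cover.
verify_listing() {
    listing=$1; dir=$2; bad=0; seen='|'
    while IFS='=' read -r name want || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac          # blank line or comment
        want=$(printf '%s' "$want" | tr -d '\r' | tr 'A-F' 'a-f')
        case $name in */*) want='' ;; esac               # bare file names only
        case $want in *[!0-9a-f]*) want='' ;; esac       # hex digits only
        if [ "${#want}" -ne 128 ]; then                  # SHA-512 is 128 hex chars
            echo "MALFORMED $name"; bad=$((bad + 1)); continue
        fi
        seen="$seen$name|"
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=$((bad + 1))
        elif [ "$(sha512_of "$dir/$name")" = "$want" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; bad=$((bad + 1))
        fi
    done < "$listing"
    for f in "$dir"/*; do                                # anything not voted on?
        [ -f "$f" ] || continue
        case ${f##*/} in *.asc|*.sha512) continue ;; esac  # assumed sidecar files
        case $seen in *"|${f##*/}|"*) ;; *) echo "UNLISTED ${f##*/}"; bad=$((bad + 1)) ;; esac
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh verify.sh listing.properties downloaded-dir
if [ "$#" -eq 2 ]; then verify_listing "$1" "$2"; fi
```

A matching hash only shows that the file is the one named in the vote mail; the GPG signature check against the KEYS file is a separate step.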
