On Sat, Feb 2, 2013 at 10:19 PM, Branko Čibej <br...@apache.org> wrote:
> On 02.02.2013 21:36, Branko Čibej wrote:
>> On 23.01.2013 14:48, Simone Tripodi wrote:
>>> SVN source tag
>>> https://svn.apache.org/repos/asf/incubator/onami/tags/org.apache.onami.logging.parent-3.4.0-incubating/
>>>
>>> Staging repo:
>>> https://repository.apache.org/content/repositories/orgapacheonami-150/
>> Since when do source packages not have to be on dist.apache.org?

We copy to dist after the vote is successful.
Our process is very similar to the one Commons uses:
http://wiki.apache.org/commons/UsingNexus

Our document is:
http://onami.incubator.apache.org/committers/release-howto.html


> Just to be clear, in the case of Onami Logging, reviewers are asked to
> find the right package amongst 8 different source packages in 8
> different directories.

What do you mean by "right"? They all are "right", because they
contain different sources and we want to release them all.

> Initially I thought that the logging-parent.zip would be enough to
> verify the release; but the notice files in the various module-specific
> source jar files aren't identical to the one in the repository. At that
> point I stopped looking.

We made different packages for different use cases - not everybody
wants to include the log4j2 appender when he is using commons-logging.
Of course this strategy can be discussed on our mailing list, as there
are some people who prefer bigger "all inclusive" jars. But for now,
we have that fragmentation.

That said, reviewers should -imho- look at all artifacts, not only the
source artifacts. I look also into the javadoc artifacts.

> In other words, the reason you're not getting votes from the IPMC is
> that it's well-nigh impossible for an outsider to verify the release
> artefacts.

Impossible? I have to disagree. One can:

wget -r -l 1 -np -nH -nd -nv -e robots=off --wait 10 \
  --no-check-certificate \
  https://repository.apache.org/content/repositories/orgapacheonami-150/

and easily get all files.

One can use Ivan's Gist:
https://gist.github.com/3504123

or use this:
http://www.grobmeier.de/checking-md5-and-signatures-with-a-shell-script-29062011.html

to check sigs, hashes etc.

We have RAT to help looking at many formal aspects.

So there are a lot of helpers which make it possible to review that release.

I mean, what are you proposing? That a podling makes releases in a way
they can be easily verified by the IPMC? Should we cancel the vote now
and prepare one big fat file for easy review?

Cheers
Christian




>
> -- Brane
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>



--
http://www.grobmeier.de
https://www.timeandbill.de
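
An added example, not part of the original e-mail and not the gist or script linked in it: one way to check the hashes and signatures of every file fetched from a staging repository in a single pass. It assumes the usual `.sha1`, `.md5` and `.asc` sidecar naming, GNU `sha1sum`/`md5sum`, and `gpg` with the signer's public key already in the local keyring; all function names are hypothetical.

```shell
# Added example: check .sha1, .md5 and .asc sidecars of downloaded artifacts.
# hash_of ALGO FILE: print the lowercase hex digest (GNU coreutils assumed).
hash_of() {
    case "$1" in
        sha1) sha1sum "$2" ;;
        md5)  md5sum "$2" ;;
    esac | awk '{ print tolower($1) }'
}

# check_sidecar ALGO FILE: 0 = match, 1 = mismatch, 2 = sidecar missing.
check_sidecar() {
    [ -f "$2.$1" ] || return 2
    # A sidecar holds "<hex>" or "<hex>  <name>"; compare the first field only.
    want=$(awk 'NR == 1 { print tolower($1) }' "$2.$1")
    [ -n "$want" ] && [ "$want" = "$(hash_of "$1" "$2")" ]
}

# check_sig FILE: 0 = good signature, 1+ = bad or unverifiable, 2 = no .asc.
check_sig() {
    [ -f "$1.asc" ] || return 2
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# report STATUS LABEL FILE: print one result line, return 0 only for a pass.
report() {
    case "$1" in
        0) echo "OK      $2 $3" ;;
        2) echo "MISSING $2 $3"; return 1 ;;
        *) echo "FAIL    $2 $3"; return 1 ;;
    esac
}

# verify_dir DIR: check every artifact; exit status = number of failed checks.
verify_dir() {
    failures=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.md5 | *.sha1 | *.asc) continue ;; esac
        for algo in sha1 md5; do
            st=0; check_sidecar "$algo" "$f" || st=$?
            report "$st" "$algo" "$f" || failures=$((failures + 1))
        done
        st=0; check_sig "$f" || st=$?
        report "$st" sig "$f" || failures=$((failures + 1))
    done
    return "$failures"
}

if [ "$#" -gt 0 ]; then verify_dir "$1"; fi
```

A missing sidecar or signature is counted as a failure, so a partially uploaded or unsigned artifact shows up in the report instead of being skipped silently.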
