On Fri, 1 May 2026 at 10:22, Alex Herbert <[email protected]> wrote:
>
> On Thu, 30 Apr 2026 at 18:12, Rob Tompkins <[email protected]> wrote:
>
> > Or send a script that properly downloads all the artifacts from nexus and
> > svn, and computes all the md5 checksums, sha512s, and gpg signatures all
> > the while scanning across the directory structure. I spent over 80 hours on
> > my script so that I have time to validate releases.
> >
>
> I agree that manually validating can be time-consuming. However we already
> have software tools available to help.
>
> Regarding the GPG signatures the vote only concerns the 4 release
> artifacts. This is no different than any other commons release regarding
> verifying signatures. I believe your release helper script will validate
> the source and binary distributions as it does for all other commons
> releases.
>
> If you wish to verify the additional Maven artifacts (that are not an official
> part of the release)

Isn't the validation of the artefacts done by the following?

$ svn co https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1
$ cd 1.3-RC1
$ ./signature-validator.sh https://repository.apache.org/content/repositories/orgapachecommons-1933/org/apache/commons/

IIUC, "reproducibility" referred to below is only a check for the RM (to avoid releasing spurious files).

Gilles

> then the validating a release section now contains
> this (which does not work without some caveats, see below):
>
> ---
> 4b) Check reproducibility
>
> To check that a build is reproducible, run:
>
> mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
>
> Note that this excludes SPDX files from the check.
> ---
>
> Caveats:
>
> 1. The timezone must match.
> 2. The JDK must match the one used for the release build.
> 3. For me, I had to exclude other SPDX files.
>
> This works on a different machine to the one I used for a release:
>
> # Use JDK 11
> export TZ="Europe/London"
> mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json,*/*.spdx.rdf.xml'
>
> Regards,
>
> Alex
>
> > -Tompkins
> >
> > > On Apr 30, 2026, at 1:09 PM, Rob Tompkins <[email protected]> wrote:
> > >
> > > There are too many modules. Either make the modules worthy of top level
> > > projects or condense them. I can not reasonably verify all the signatures of
> > > all of the artifacts.
> > >
> > > -Tompkins
> > >
> > >> [...]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
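The directory-walking checker Rob describes (md5 and sha512 checksums plus gpg signatures across the tree) and the signature-validator.sh step Gilles quotes, as an added example written for this thread; it is my own code, not signature-validator.sh from the dist repo nor Rob's script. It assumes each artifact sits beside `.sha512`, `.md5` and `.asc` sidecars holding either a bare digest or the `digest  filename` form, and that the release manager's public key is already in the local keyring when gpg is run.

```python
import hashlib
import shutil
import subprocess
from pathlib import Path

SIDECARS = (".sha512", ".md5", ".asc")  # assumed sidecar names next to each artifact

def _digest(path, algo):
    """Hash a file in chunks so large distribution archives fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _expected(sidecar):
    # Sidecars are assumed to hold either a bare hex digest or "digest  filename".
    return sidecar.read_text().split()[0].lower()

def verify_tree(root, check_gpg=True):
    """Check each artifact under ROOT against its .sha512/.md5/.asc sidecars.
    Returns lists keyed ok/mismatch/missing(no .sha512)/unsigned(no .asc)/bad_sig;
    signatures are checked only if gpg is on PATH (with the RM's key imported)."""
    report = {k: [] for k in ("ok", "mismatch", "missing", "unsigned", "bad_sig")}
    gpg = shutil.which("gpg") if check_gpg else None
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix in SIDECARS:
            continue
        rel = path.relative_to(root).as_posix()
        sha = path.with_name(path.name + ".sha512")
        if not sha.exists():
            report["missing"].append(rel)  # every artifact must carry a sha512
            continue
        checks = [("sha512", sha)]
        md5 = path.with_name(path.name + ".md5")
        if md5.exists():
            checks.append(("md5", md5))  # md5 is checked when present, never required
        bad = [algo for algo, sc in checks if _digest(path, algo) != _expected(sc)]
        report["mismatch" if bad else "ok"].append(rel)
        asc = path.with_name(path.name + ".asc")
        if not asc.exists():
            report["unsigned"].append(rel)
        elif gpg:
            rc = subprocess.run([gpg, "--batch", "--verify", str(asc), str(path)],
                                capture_output=True).returncode
            if rc != 0:
                report["bad_sig"].append(rel)
    return report
```

Run it as `verify_tree("1.3-RC1")` from the parent of the svn checkout; anything outside `ok` with empty `unsigned`/`bad_sig` is a reason to vote -1.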
