On Fri, 1 May 2026 at 12:34, Gilles Sadowski <[email protected]> wrote:
>
> On Fri, 1 May 2026 at 10:22, Alex Herbert <[email protected]> wrote:
> >
> > On Thu, 30 Apr 2026 at 18:12, Rob Tompkins <[email protected]> wrote:
> >
> > > Or send a script that properly downloads all the artifacts from nexus and
> > > svn, and computes all the md5 checksums, sha512s, and gpg signatures all
> > > the while scanning across the directory structure. I spent over 80 hours on
> > > my script so that I have time to validate releases.
> > >
> >
> > I agree that manually validating can be time consuming. However we already
> > have software tools available to help.
> >
> > Regarding the GPG signatures the vote only concerns the 4 release
> > artifacts. This is no different than any other commons release regarding
> > verifying signatures. I believe your release helper script will validate
> > the source and binary distributions as it does for all other commons
> > releases.
> >
> > If you wish to verify the additional Maven artifacts (that are not an
> > official part of the release)
>
> Isn't the validation of the artefacts done by the following?
>
> $ svn co https://dist.apache.org/repos/dist/dev/commons/statistics/1.3-RC1
> $ cd 1.3-RC1
> $ ./signature-validator.sh https://repository.apache.org/content/repositories/orgapachecommons-1933/org/apache/commons/
>
> IIUC, "reproducibility" referred to below is only a check for the
> RM (to avoid releasing spurious files).

AFAICT the reproducibility check does not ensure that there are no
spurious (or missing) files in the artifact bundles.

This is because the source artifact is not created from a fresh
checkout of the source.
Instead, it is created AFTER building and testing, which can create or
delete files.

> Gilles
>
> > then the "validating a release" section now contains
> > this (which does not work without some caveats; see below):
> >
> > ---
> > 4b) Check reproducibility
> >
> > To check that a build is reproducible, run:
> >
> > mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'
> >
> > Note that this excludes SPDX files from the check.
> > ---
> >
> > Caveats:
> >
> > 1. The timezone must match.
> > 2. The JDK must match the one used for the release build.
> > 3. For me, I had to exclude other SPDX files.
> >
> > This works on a different machine to the one I used for a release:
> >
> > # Use JDK 11
> > export TZ="Europe/London"
> > mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json,*/*.spdx.rdf.xml'
> >
> > Regards,
> >
> > Alex
> >
> >
> >
> > >
> > > -Tompkins
> > >
> > > > On Apr 30, 2026, at 1:09 PM, Rob Tompkins <[email protected]> wrote:
> > > >
> > > > There are too many modules. Either make the modules worthy of top level
> > > projects or condense them. I cannot reasonably verify all the signatures of
> > > all of the artifacts.
> > > >
> > > > -Tompkins
> > > >
> > > >> [...]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
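Rob's script above computes checksums and signatures across the whole artifact tree, and Alex's point is that the reproducibility check cannot catch files that a build added to or removed from the source tree before it was packed. As an added example (not from this thread or from any Commons tooling), the missing check: list the files in a -src tarball and diff them against a fresh checkout, assuming the tarball has a single top-level directory and the checkout is an svn working copy or export.

```python
import tarfile
import tempfile
from pathlib import Path

VCS_DIRS = {".svn", ".git"}  # metadata that never belongs in a source bundle

def bundle_files(archive_path):
    """Files in a -src tarball, with the single top-level directory stripped
    (assumed layout, e.g. 'foo-1.3-src/pom.xml' -> 'pom.xml')."""
    files = set()
    with tarfile.open(str(archive_path)) as tar:
        for member in tar.getmembers():
            if member.isfile():
                files.add(member.name.split("/", 1)[-1])
    return files

def checkout_files(checkout_dir):
    """Relative paths of files in a fresh checkout, ignoring VCS metadata."""
    root = Path(checkout_dir)
    return {p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and VCS_DIRS.isdisjoint(p.relative_to(root).parts)}

def compare_source_bundle(archive_path, checkout_dir):
    """Return (spurious, missing): spurious = shipped but not under version
    control (typically build output); missing = versioned but not shipped."""
    bundle, tree = bundle_files(archive_path), checkout_files(checkout_dir)
    return sorted(bundle - tree), sorted(tree - bundle)

def demo():
    """Constructed fixture: a pretend checkout, and a -src tarball packed from
    a tree that was built first (extra .class file, README.md deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        checkout, built = Path(tmp) / "checkout", Path(tmp) / "built"
        layout = {checkout: ("pom.xml", "src/main/java/Foo.java", "README.md",
                             ".svn/entries"),
                  built: ("pom.xml", "src/main/java/Foo.java",
                          "target/classes/Foo.class")}
        for base, rels in layout.items():
            for rel in rels:
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(rel)
        archive = Path(tmp) / "example-1.0-src.tar.gz"
        with tarfile.open(str(archive), "w:gz") as tar:
            tar.add(str(built), arcname="example-1.0-src")
        return compare_source_bundle(archive, checkout)

if __name__ == "__main__":
    print(demo())  # (['target/classes/Foo.class'], ['README.md'])
```

Run it against a real staged bundle by calling compare_source_bundle with the downloaded -src.tar.gz and a fresh `svn export` of the release tag; any non-empty list is a finding the artifact:compare step would not have reported.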
