Re: [VOTE] Release dtest-api 0.0.3
Thanks for bringing these up! > this fixes everything but the signing key used issue https://github.com/apache/cassandra-in-jvm-dtest-api/pull/2 Great, I'll just merge this together with my branch to master to have a ref. Thank you for taking time to resolve these. > * Source artifacts does not compile. They depend on snapshot dependency, see below. I did mention this explicitly in my original email. There's no Cassandra artifact and we can not release it yet because it depends on this repository. To resolve this, I'll remove tests and dependency on cassandra jar for now just to publish. These tests won't do us any good here until Cassandra artifacts are released anyways. > * There's no copyright or NOTICE file in source jar artifact. I'll double-check, but I do not remember this mentioned in the Apache guide I've followed, it's worth adding this information there if it's missing. > * What key has been used to sign? Can you provide more specific details on that? Apache guide I've followed said you have to sign with your own key, which was what I've done. If this is not the case, it'd be great to know which key I should use. I did upload public key to ubuntu keystore for verification to. > * The scm SHA is not mentioned in the vote. True; branch is not merged since Cassandra patch that depends on it is not finalized. But to comply to Apache processes we can just merge the branch. > * There's a ".git" directory in the source jar artifact. Interesting. I've used `mvn release:prepare/perform`, and expected it to take care of it. On Fri, Mar 20, 2020 at 7:39 PM Mick Semb Wever wrote: > > The vote will be open for 72 hours (longer if needed). Everyone who has > > tested the build is invited to vote. Votes by PMC members are considered > > binding. A vote passes if there are at least three binding +1s. > > > > > -1 > > A few things here don't meet the requirements. > > * There's no copyright or NOTICE file in source jar artifact. > * The license is not present in all files (eg AssertUtils.java) > * What key has been used to sign? > * Source artifacts does not compile. They depend on snapshot dependency, > see below. > * There's a ".git" directory in the source jar artifact. > > Additionally, > * `mvn rat:check` does not pass. (relates back to license and .git > directory) > * There's unnecessary duplicate source artifacts. > * The source zip file does not have sha256 or sha512 checksums. > * The contents of the source zip artifact do not match what's in scm. > * The scm SHA is not mentioned in the vote. > * Where's the scm tag for this scm SHA? > * Erroneous `.asc.asc` files. > > > The build failure I get is: > ``` > [ERROR] Failed to execute goal on project dtest-api: Could not resolve > dependencies for project org.apache.cassandra:dtest-api:jar:0.0.4-SNAPSHOT: > Could not find artifact > org.apache.cassandra:in-jvm-dtest-cassandra-tryout:jar:0.0.1-2.2-1 in > central (https://repo.maven.apache.org/maven2) -> [Help 1] > ``` > > The source zip artifact can just be removed (not generated) as there's no > need (afaik) for any artifacts outside of the maven repository. But add > those manually added files into git. This will solve the sha256 and sha512 > problem, and that the build that doesn't match scm contents. > > > I've got a few hours in front of me and will try to send some PRs to fix > what I can here. > > regards, > Mick > -- alex p
Re: [VOTE] Release dtest-api 0.0.3
> > > * There's no copyright or NOTICE file in source jar artifact. > I'll double-check, but I do not remember this mentioned in the Apache guide > I've followed, it's worth adding this information there if it's missing. > These links have a lot of info - http://www.apache.org/legal/release-policy.html - http://www.apache.org/dev/release-publishing.html - http://www.apache.org/dev/release-distribution The Incubator is (overly) strict on releases, so their docs can be helpful too. - https://cwiki.apache.org/confluence/display/INCUBATOR/ReleaseChecklist - http://incubator.apache.org/guides/releasemanagement.html What was the guide you were using? > > * What key has been used to sign? > Can you provide more specific details on that? Apache guide I've followed > said you have to sign with your own key, which was what I've done. If this > is not the case, it'd be great to know which key I should use. I did upload > public key to ubuntu keystore for verification to. > You need to sign with your own key, and the public key needs to be in our KEYS file. ( Also, the gpg key needs to reside, and the release made, on hardware owned and only controlled (exclusively full administrative/superuser access) by you. https://www.apache.org/dev/release-signing.html ) > > * The scm SHA is not mentioned in the vote. > True; branch is not merged since Cassandra patch that depends on it is not > finalized. But to comply to Apache processes we can just merge the branch. > It doesn't matter on what branch the SHA is on, just so long as the SHA that the release was cut from is announced, so the release is reproducible also from scm. A git tag also helps. cheers, Mick
Re: [VOTE] Release dtest-api 0.0.3
I've prepared a new release. Not issuing a vote just yet, wanted to check it first. > You need to sign with your own key, and the public key needs to be in our KEYS file. Ok, so this should be fine then. I need, however, to add my key to the KEYS file, created jira for this: https://issues.apache.org/jira/browse/CASSANDRA-15652 > What was the guide you were using? I've used this release guide: https://infra.apache.org/maven-releases.html Release RSA: https://github.com/apache/cassandra-in-jvm-dtest-api/commit/b4e8724615a931d0b38b59beb08c4c227aa8996e New artifact: https://repository.apache.org/content/repositories/orgapachecassandra-1199/org/apache/cassandra/dtest-api/0.0.1/ I've left sources artifact, but added md5 and sha checksums. Thank you for helping out with this, -- Alex On Sat, Mar 21, 2020 at 10:45 AM Oleksandr Petrov < oleksandr.pet...@gmail.com> wrote: > Thanks for bringing these up! > > > this fixes everything but the signing key used issue > https://github.com/apache/cassandra-in-jvm-dtest-api/pull/2 > Great, I'll just merge this together with my branch to master to have a > ref. Thank you for taking time to resolve these. > > > * Source artifacts does not compile. They depend on snapshot > dependency, see below. > I did mention this explicitly in my original email. There's no Cassandra > artifact and we can not release it yet because it depends on this > repository. To resolve this, I'll remove tests and dependency on > cassandra jar for now just to publish. These tests won't do us any good > here until Cassandra artifacts are released anyways. > > > * There's no copyright or NOTICE file in source jar artifact. > I'll double-check, but I do not remember this mentioned in the Apache > guide I've followed, it's worth adding this information there if it's > missing. > > > * What key has been used to sign? > Can you provide more specific details on that? Apache guide I've followed > said you have to sign with your own key, which was what I've done. If this > is not the case, it'd be great to know which key I should use. I did upload > public key to ubuntu keystore for verification to. > > > * The scm SHA is not mentioned in the vote. > True; branch is not merged since Cassandra patch that depends on it is not > finalized. But to comply to Apache processes we can just merge the branch. > > > * There's a ".git" directory in the source jar artifact. > Interesting. I've used `mvn release:prepare/perform`, and expected it to > take care of it. > > On Fri, Mar 20, 2020 at 7:39 PM Mick Semb Wever wrote: > >> > The vote will be open for 72 hours (longer if needed). Everyone who has >> > tested the build is invited to vote. Votes by PMC members are considered >> > binding. A vote passes if there are at least three binding +1s. >> > >> >> >> -1 >> >> A few things here don't meet the requirements. >> >> * There's no copyright or NOTICE file in source jar artifact. >> * The license is not present in all files (eg AssertUtils.java) >> * What key has been used to sign? >> * Source artifacts does not compile. They depend on snapshot dependency, >> see below. >> * There's a ".git" directory in the source jar artifact. >> >> Additionally, >> * `mvn rat:check` does not pass. (relates back to license and .git >> directory) >> * There's unnecessary duplicate source artifacts. >> * The source zip file does not have sha256 or sha512 checksums. >> * The contents of the source zip artifact do not match what's in scm. >> * The scm SHA is not mentioned in the vote. >> * Where's the scm tag for this scm SHA? >> * Erroneous `.asc.asc` files. >> >> >> The build failure I get is: >> ``` >> [ERROR] Failed to execute goal on project dtest-api: Could not resolve >> dependencies for project >> org.apache.cassandra:dtest-api:jar:0.0.4-SNAPSHOT: >> Could not find artifact >> org.apache.cassandra:in-jvm-dtest-cassandra-tryout:jar:0.0.1-2.2-1 in >> central (https://repo.maven.apache.org/maven2) -> [Help 1] >> ``` >> >> The source zip artifact can just be removed (not generated) as there's no >> need (afaik) for any artifacts outside of the maven repository. But add >> those manually added files into git. This will solve the sha256 and sha512 >> problem, and that the build that doesn't match scm contents. >> >> >> I've got a few hours in front of me and will try to send some PRs to fix >> what I can here. >> >> regards, >> Mick >> > > > -- > alex p > -- alex p
