Re: [VOTE] Release Apache Commons Lang 3.11 based on RC2

2020-07-13 Thread Rob Tompkins
+1. Validated Java 8 and Java 11. Validated signatures - working on a signature validation shell script (still in progress https://github.com/chtompki/notes/blob/master/commons-release-validation/mover-downloader-and-validator.sh

Re: [all] release validation (was: Re: [VOTE] Release Apache Commons Lang 3.11 based on RC2)

2020-07-13 Thread sebb
On Mon, 13 Jul 2020 at 15:15, Matt Sicker wrote: > > I'm still of the opinion that verifying the GPG signature is logically > sufficient since they include the message digest by nature of how they > work. It is particularly useful because .asc files can be safely > mirrored unlike checksum files w

Re: [all] release validation (was: Re: [VOTE] Release Apache Commons Lang 3.11 based on RC2)

2020-07-13 Thread Matt Sicker
I'm still of the opinion that verifying the GPG signature is logically sufficient since they include the message digest by nature of how they work. It is particularly useful because .asc files can be safely mirrored unlike checksum files which can be maliciously modified. On Sun, 12 Jul 2020 at 16

Re: [all] release validation

2020-07-13 Thread sebb
On Mon, 13 Jul 2020 at 13:53, Rob Tompkins wrote: > > > > > On Jul 13, 2020, at 8:51 AM, Gary Gregory wrote: > > > > On Mon, Jul 13, 2020 at 8:48 AM Rob Tompkins > > wrote: > > > >> > >> > >>> On Jul 13, 2020, at 8:46 AM, Gary Gregory > >> wrote: > >>> > >>> Is there

Re: [all] release validation

2020-07-13 Thread Rob Tompkins
> On Jul 13, 2020, at 8:51 AM, Gary Gregory wrote: > > On Mon, Jul 13, 2020 at 8:48 AM Rob Tompkins > wrote: > >> >> >>> On Jul 13, 2020, at 8:46 AM, Gary Gregory >> wrote: >>> >>> Is there still room for corruption after a vote passes when the files are >>> mov

Re: [all] release validation

2020-07-13 Thread Gary Gregory
On Mon, Jul 13, 2020 at 8:48 AM Rob Tompkins wrote: > > > > On Jul 13, 2020, at 8:46 AM, Gary Gregory > wrote: > > > > Is there still room for corruption after a vote passes when the files are > > moved in SVN from the dev to dist folder? > > Good question….but I would think we would notice that

Re: [all] release validation

2020-07-13 Thread Rob Tompkins
> On Jul 13, 2020, at 8:46 AM, Gary Gregory wrote: > > Is there still room for corruption after a vote passes when the files are > moved in SVN from the dev to dist folder? Good question….but I would think we would notice that after the fact with an alert like the ones that we’ve gotten abou

Re: [all] release validation

2020-07-13 Thread Gary Gregory
Is there still room for corruption after a vote passes when the files are moved in SVN from the dev to dist folder? Gary On Mon, Jul 13, 2020 at 8:29 AM Rob Tompkins wrote: > I’ll take the shell scripts that I’ve been using and enrich them a little, > and then I’ll share them with folks. I think

Re: [all] release validation

2020-07-13 Thread Rob Tompkins
I’ll take the shell scripts that I’ve been using and enrich them a little, and then I’ll share them with folks. I think we can likely put them in one of the plugins so that folks can simply run the script to move and download all the artifacts in their checkout of the svn directory. Cheers, -Rob

Re: [all] release validation

2020-07-13 Thread Rob Tompkins
Yes…I agree with that need. I was wondering if the release plugin was doing that or nexus itself was doing that. But, I definitely understand that they show up in nexus when using the plugin. Cheers, -Rob > On Jul 13, 2020, at 8:10 AM, Gary Gregory wrote: > > Rob, if you plan on working on th

Re: [all] release validation

2020-07-13 Thread Gary Gregory
Rob, if you plan on working on the release plugin, can you see if there is a way to have the VOTE not generate checksum lines for ASC files? IIRC we do not need checksums for ASC files. Speaking for corrupted uploads, does the Maven deploy goal check that its uploads are sane? Gary Gary On Mon,

Re: [all] release validation

2020-07-13 Thread Rob Tompkins
This all makes sense to me. Many thanks for the feedback here. Cheers, -Rob > On Jul 13, 2020, at 5:12 AM, Mark Thomas wrote: > > On 13/07/2020 06:43, Stefan Bodewig wrote: >> On 2020-07-12, Rob Tompkins wrote: >> >>> given the consistency of the signatures from the plugins…do we need to >>> c

Re: [all] release validation

2020-07-13 Thread Gary Gregory
Corrupted uploads I had not considered, good one. Maybe our VOTE template in the release plugin could generate a script users can run to download and verify each checksum. We already generate a list of files and their checksum. Gary On Mon, Jul 13, 2020, 01:43 Stefan Bodewig wrote: > On 2020-

Re: [all] release validation

2020-07-13 Thread Gilles Sadowski
Hi. On Mon, 13 Jul 2020 at 11:12, Mark Thomas wrote: > > On 13/07/2020 06:43, Stefan Bodewig wrote: > > On 2020-07-12, Rob Tompkins wrote: > > > >> given the consistency of the signatures from the plugins…do we need to > >> check them for releases anymore? > > > > Yes, please. Not everybody u

Re: [all] release validation

2020-07-13 Thread Mark Thomas
On 13/07/2020 06:43, Stefan Bodewig wrote: > On 2020-07-12, Rob Tompkins wrote: > >> given the consistency of the signatures from the plugins…do we need to >> check them for releases anymore? > > Yes, please. Not everybody uses the plugins and even if everybody did a > misconfiguration could be p