commons-dev mailing list archives

From Matt Sicker <boa...@gmail.com>
Subject Re: Commons release policy
Date Sat, 03 Dec 2016 19:57:31 GMT
The source jar does just include the .java/.scala/etc. files along with
anything in src/main/resources/ (and anything else configured, though this
is the default). I think that a source jar is required for distribution on
maven central. Besides making releases on the /dist/ svn repo, there's
repository.apache.org which can also technically be used to download maven
artifacts besides MC (plus I think bintray/jcenter mirrors everything on
MC).

So basically, at the bare minimum, you need the source tarball/zip on dist
which can be used by users to build usable artifacts from source using the
relevant build tools and publicly available dependencies (which of course
are licensed appropriately). All artifacts are signed along with at least
an md5 hash, but I typically also see shaN hashes along with since md5 is
so old and broken (maybe this policy should be updated?). And then the flow
from repository.apache.org to MC and elsewhere only contains the compiled
jars, source jars, poms, and sometimes accompanying xml artifacts or zips.

On 3 December 2016 at 12:14, Gary Gregory <garydgregory@gmail.com> wrote:

> On Dec 3, 2016 9:34 AM, "Charles Honton" <chas@honton.org> wrote:
> >
> > To follow up the thread on releasing parent 42 and exactly what needs to
> > be signed, etc. I’ve researched ASF release policy. Here’s the gist:
> >
> > 1. Every ASF release must contain a source package, which must be
> > sufficient for a user to build and test the release provided they have
> > access to the appropriate platform and tools.
> > <http://www.apache.org/dev/release#what-must-every-release-contain>
> >
> > 2. A release isn't 'released' until the contents are in the project's
> > distribution directory, which is a subdirectory of www.apache.org/dist/
> > <http://www.apache.org/dev/release#where-do-releases-go>.
> >
> > 3. Every artifact distributed to the public through Apache channels MUST
> > be accompanied by one file containing an OpenPGP compatible ASCII armored
> > detached signature and another file containing an MD5 checksum.
> > <https://www.apache.org/dev/release-distribution.html#sigs-and-sums>
> >
> > What do we consider the source package for our releases?
> > Are the xxx-sources.jar, xxx-test-sources.jar, and pom sufficient to
> > build and test the release?
>
> Nope. A sources jar is a convenience for IDEs, it usually does not contain
> build scripts and such. I am AFK so I am hoping someone can provide an
> example.
>
> > Is the zip/gz just a convenience and is it still useful/required?
>
> That should contain almost everything that is in the repo except for things
> like old files like proposal.html.
>
> > Or is it the reverse, the zip/gz is the release and the jars are the
> > convenience distributions?
>
> Yep. The release is the zip/gz sources. All binaries are conveniences.
> Granted that without a Maven Central jar release, a component is not easy
> to reuse.
>
> Gary
>
> >
> > regards,
> > chas
>



-- 
Matt Sicker <boards@gmail.com>
