[Math] Toward releasing 3.0 ?

classic Classic list List threaded Threaded
49 messages Options
123
Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

sebb-2-2
On 27 February 2012 12:27, Gilles Sadowski <[hidden email]> wrote:

> On Sat, Feb 25, 2012 at 12:25:49PM +0000, sebb wrote:
>> On 25 February 2012 09:59, Gilles Sadowski <[hidden email]> wrote:
>> > Hello.
>> >
>> >> >
>> >> > How do we proceed from here in order to release 3.0? Cf. ticket MATH-746,
>> >> > "Things to do before releasing 3.0".
>> >>
>> >> Sorry for being late on this.
>> >>
>> >> >
>> >> > Can we start to talk about an expected release date?
>> >>
>> >> I guess you did a wonderful job for closing everything. As it is clean
>> >> enough, I think we could even skip the step of using a release branch
>> >> and we could simply tag the release candidates from the trunk. This
>> >> would simply imply refraining from any change which is not related to
>> >> the release for a few days.
>> >>
>> >> Someone has to volunteer to act as the release manager. The task is
>> >> simply to perform the few commands described for example here:
>> >> <http://wiki.apache.org/commons/UsingNexus>. The release manager also
>> >> signs the packages using a gpg key, which should be put in the global
>> >> KEYS file. This file can be retrieved using the following svn command:
>> >>
>> >> svn checkout --depth=immediates \
>> >>   https://[your-commiter-id]@svn.apache.org/repos/asf/commons/trunks-proper
>> >>
>> >> The artifacts for the release candidate must be made available and a
>> >> VOTE thread must be started on the dev list for at least 72 hours (see
>> >> <http://www.apache.org/foundation/voting.html>). There can be several
>> >> release candidate before a version finally goes out (when I release
>> >> version 2.0 I think, we needed 6 candidates ...). When the vote passes,
>> >> the exact artifacts which were used for voting will be published by
>> >> uploading the source and binary zip and tar files and by promoting the
>> >> maven artifacts with Nexus. Not a single bit is changed (this would
>> >> change the gpg signatures). This means that for example the release date
>> >> which appears in the release notes must be estimated before the vote
>> >> taking the voting delay into account (plus one or two days as a safety
>> >> margin) and it must be updated as each release candidate is cut.
>> >>
>> >> So there is no predefined release date until the vote finally passes.
>> >>
>> >> At the pace at which you go now, I would say we could target a first
>> >> release candidate early next week.
>> >>
>> >> Any volunteer as release manager ?
>> >
>> > OK, I started to try the commands listed in the "UsingNexus" file. Not
>> > everything works directly... [maven2 could not find a plugin, which led me
>>
>> Which plugin?
>
> I couldn't tell you now because installing maven3 implied desinstalling
> maven2.

I've got both installed (Win XP) with no issues; I just change the
PATH as needed to switch between them.

>>
>> > to upgrade to maven3, which printed a warning about "parent" being a broken
>> > project, etc.]
>
> This is the warning from maven3:
> ---CUT---
> [WARNING]
> [WARNING] Some problems were encountered while building the effective model for org.apache.commons:commons-math3:jar:3.0-SNAPSHOT
> [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-idea-plugin is missing. @org.apache.commons:commons-parent:20, /home/eran/.m2/repository/org/apache/commons/commons-parent/20/commons-parent-20.pom, line 316, column 15
> [WARNING]
> [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
> [WARNING]
> [WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
> [WARNING]
> ---CUT---

Can ignore that - IDEA is used for reports only (if then).

>> >
>> > I don't know maven (apart from the basics to build CM) so, it is not always
>> > obvious which are the mandatory steps and what result must be observed in
>> > order to check that everything went fine...
>> >
>> > For the encryption key: I was always advised against writing a passphrase in
>> > clear in a file; maven seems to support asking for the passphrase but when
>> > it prints:
>> > ---CUT---
>> > Enter passphrase: gpg: gpg-agent is not available in this session
>> > ---CUT---
>> > When I enter the passphrase, it just prints that same message again...
>>
>> Works for me using Maven 2.2.1 and 3.0.4
>
> Maven version is also 3.0.4 here.
>
>>
>> Which version of gpg have you installed locally?
>
> ---CUT---
> $ gpg --version
> gpg (GnuPG) 1.4.11
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
>        CAMELLIA192, CAMELLIA256
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
> ---CUT---
>
>>
>> To test it out, just use
>>
>> mvn gpg:sign
>>
>> It will fail later as it needs package first.
>
> This seems to work (if this is where you expected it to fail); it produces:
> ---CUT---
> [INFO] Scanning for projects...
> [WARNING]
> [WARNING] Some problems were encountered while building the effective model for org.apache.commons:commons-math3:jar:3.0-SNAPSHOT
> [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-idea-plugin is missing. @org.apache.commons:commons-parent:20, /home/eran/.m2/repository/org/apache/commons/commons-parent/20/commons-parent-20.pom, line 316, column 15
> [WARNING]
> [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
> [WARNING]
> [WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
> [WARNING]
> [INFO]
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Commons Math 3.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-gpg-plugin:1.1:sign (default-cli) @ commons-math3 ---
> GPG Passphrase: *******************************

Good, so it does prompt.

> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 11.345s
> [INFO] Finished at: Mon Feb 27 13:05:15 CET 2012
> [INFO] Final Memory: 9M/105M
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default-cli) on project
> commons-math3: The project artifact has not been assembled yet. Please do
> not invoke this goal before the lifecycle phase "package". -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e
> switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions, please read the following articles:
> [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
> ---CUT---
>
> However, when I run
>
>  $ mvn clean deploy -Papache-release -Ptest-deploy

Try using

mvn clean package deploy -Prelease -Ptest-deploy

instead.

> I get:
>
> ---CUT---
> [INFO] Parent project loaded from repository.
> [INFO]
> [INFO] --- maven-gpg-plugin:1.1:sign (default) @ commons-math3 ---
>
> You need a passphrase to unlock the secret key for
> user: "Gilles Sadowski (ASF code signing) <[hidden email]>"
> 1024-bit DSA key, ID 51D05641, created 2003-09-28
>
> Enter passphrase: gpg: gpg-agent is not available in this session
>
> You need a passphrase to unlock the secret key for
> user: "Gilles Sadowski (ASF code signing) <[hidden email]>"
> 1024-bit DSA key, ID 51D05641, created 2003-09-28
>
> Enter passphrase: gpg: Invalid passphrase; please try again ...
>
> You need a passphrase to unlock the secret key for
> user: "Gilles Sadowski (ASF code signing) <[hidden email]>"
> 1024-bit DSA key, ID 51D05641, created 2003-09-28
>
> Enter passphrase: gpg: gpg-agent is not available in this session
> [... and so on ...]
> ---CUT---
>
>
>> > [I guess I'll create a dummy key and store the passphrase in "settings.xml"
>> > just for this to work...]
>>
>> You can use encrypted passwords:
>>
>> http://maven.apache.org/guides/mini/guide-encryption.html
>
> I had read it, but didn't think it would work for the
>  <gpg.passphrase></gpg.passphrase>
> tag.
>
> Anyway, I encrypted the pass phrase using
>
>  $ mvn --encrypt-password "my pass phrase"
>
> put the result in the above tag, and got:
> ---CUT---
> INFO] --- maven-gpg-plugin:1.1:sign (default) @ commons-math3 ---
> gpg: skipped "Gilles Sadowski (ASF code signing) <[hidden email]>": bad passphrase
> gpg: signing failed: bad passphrase

Some encrypted passphrases can contain invalid characters; check that
{} only appear at the ends.

[Very poor design of the Maven decrypt routine - it should only check
for {} at the ends of the value and so avoid the hassle of escaping
chars]

> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 2:20.088s
> [INFO] Finished at: Mon Feb 27 13:15:10 CET 2012
> [INFO] Final Memory: 36M/370M
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default) on project commons-math3: Exit code: 2 -> [Help 1]
> ---CUT---
>
>>
>> Better than plain text, but still not ideal if your host is not
>> physically secure.
>
> It would have been good enough if it worked.
> I must be missing some additional configuration...

Does the encryption setup work for logins, e.g. can you deploy snapshots?

>>
>> Can also store the master key on a removable USB stick.
>
> I'm not that paranoid ;-). It is encrypted, and stored in
> "settings-security.xml", only readable by me. And it serves only to run
> maven.
> It's just that storing the pass phrase of a general-purpose encrypting key,
> in clear text does not seem right.

Agree.

>
> Thanks for any enlightenment as to what could cause this problem,
> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

Gilles Sadowski
> > I couldn't tell you now because installing maven3 implied desinstalling
> > maven2.
>
> I've got both installed (Win XP) with no issues; I just change the
> PATH as needed to switch between them.

It's Debian GNU/Linux here.

> > [...]

> > [INFO] ------------------------------------------------------------------------
> > [INFO] Building Commons Math 3.0-SNAPSHOT
> > [INFO] ------------------------------------------------------------------------
> > [INFO]
> > [INFO] --- maven-gpg-plugin:1.1:sign (default-cli) @ commons-math3 ---
> > GPG Passphrase: *******************************
>
> Good, so it does prompt.
>
> > [INFO] ------------------------------------------------------------------------
> > [INFO] BUILD FAILURE
> > [INFO] ------------------------------------------------------------------------
> > [INFO] Total time: 11.345s
> > [INFO] Finished at: Mon Feb 27 13:05:15 CET 2012
> > [INFO] Final Memory: 9M/105M
> > [INFO] ------------------------------------------------------------------------
> > [ERROR] Failed to execute goal
> > org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default-cli) on project
> > commons-math3: The project artifact has not been assembled yet. Please do
> > not invoke this goal before the lifecycle phase "package". -> [Help 1]
> > [ERROR]
> > [ERROR] To see the full stack trace of the errors, re-run Maven with the -e
> > switch.
> > [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> > [ERROR]
> > [ERROR] For more information about the errors and possible solutions, please read the following articles:
> > [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
> > ---CUT---
> >
> > However, when I run
> >
> >  $ mvn clean deploy -Papache-release -Ptest-deploy
>
> Try using
>
> mvn clean package deploy -Prelease -Ptest-deploy
>
> instead.

Same error (bad passphrase).

> [...]
> Some encrypted passphrases can contain invalid characters; check that
> {} only appear at the ends.

There are no "{" or "}" inside the encrypted passphrase.

> [Very poor design of the Maven decrypt routine - it should only check
> for {} at the ends of the value and so avoid the hassle of escaping
> chars]
>
> > [INFO] ------------------------------------------------------------------------
> > [INFO] BUILD FAILURE
> > [INFO] ------------------------------------------------------------------------
> > [INFO] Total time: 2:20.088s
> > [INFO] Finished at: Mon Feb 27 13:15:10 CET 2012
> > [INFO] Final Memory: 36M/370M
> > [INFO] ------------------------------------------------------------------------
> > [ERROR] Failed to execute goal
> > org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default) on project commons-math3: Exit code: 2 -> [Help 1]
> > ---CUT---
> >
> >>
> >> Better than plain text, but still not ideal if your host is not
> >> physically secure.
> >
> > It would have been good enough if it worked.
> > I must be missing some additional configuration...
>
> Does the encryption setup work for logins, e.g. can you deploy snapshots?

When there is no GPG step, it seems to work; here is a listing of the
created files:

$ ls -1 target/deploy/org/apache/commons/commons-math3/3.0-SNAPSHOT/
commons-math3-3.0-20120227.204940-1.jar
commons-math3-3.0-20120227.204940-1.jar.md5
commons-math3-3.0-20120227.204940-1.jar.sha1
commons-math3-3.0-20120227.204940-1.pom
commons-math3-3.0-20120227.204940-1.pom.md5
commons-math3-3.0-20120227.204940-1.pom.sha1
commons-math3-3.0-20120227.204940-1-site.xml
commons-math3-3.0-20120227.204940-1-site.xml.md5
commons-math3-3.0-20120227.204940-1-site.xml.sha1
maven-metadata.xml
maven-metadata.xml.md5
maven-metadata.xml.sha1


I only tried "test-deploy"; can I just try "deploy" as is, and see what is
going to happen? I was wary of messing with Nexus until it could at least
work flawlessly with "test-deploy"...

I think that this, indeed, did not test the use of the encrypted password
for login.

> > [...]


Gilles

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

sebb-2-2
On 27 February 2012 21:22, Gilles Sadowski <[hidden email]> wrote:

>> > I couldn't tell you now because installing maven3 implied desinstalling
>> > maven2.
>>
>> I've got both installed (Win XP) with no issues; I just change the
>> PATH as needed to switch between them.
>
> It's Debian GNU/Linux here.
>
>> > [...]
>
>> > [INFO] ------------------------------------------------------------------------
>> > [INFO] Building Commons Math 3.0-SNAPSHOT
>> > [INFO] ------------------------------------------------------------------------
>> > [INFO]
>> > [INFO] --- maven-gpg-plugin:1.1:sign (default-cli) @ commons-math3 ---
>> > GPG Passphrase: *******************************
>>
>> Good, so it does prompt.
>>
>> > [INFO] ------------------------------------------------------------------------
>> > [INFO] BUILD FAILURE
>> > [INFO] ------------------------------------------------------------------------
>> > [INFO] Total time: 11.345s
>> > [INFO] Finished at: Mon Feb 27 13:05:15 CET 2012
>> > [INFO] Final Memory: 9M/105M
>> > [INFO] ------------------------------------------------------------------------
>> > [ERROR] Failed to execute goal
>> > org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default-cli) on project
>> > commons-math3: The project artifact has not been assembled yet. Please do
>> > not invoke this goal before the lifecycle phase "package". -> [Help 1]
>> > [ERROR]
>> > [ERROR] To see the full stack trace of the errors, re-run Maven with the -e
>> > switch.
>> > [ERROR] Re-run Maven using the -X switch to enable full debug logging.
>> > [ERROR]
>> > [ERROR] For more information about the errors and possible solutions, please read the following articles:
>> > [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
>> > ---CUT---
>> >
>> > However, when I run
>> >
>> >  $ mvn clean deploy -Papache-release -Ptest-deploy
>>
>> Try using
>>
>> mvn clean package deploy -Prelease -Ptest-deploy
>>
>> instead.
>
> Same error (bad passphrase).
>
>> [...]
>> Some encrypted passphrases can contain invalid characters; check that
>> {} only appear at the ends.
>
> There are no "{" or "}" inside the encrypted passphrase.
>
>> [Very poor design of the Maven decrypt routine - it should only check
>> for {} at the ends of the value and so avoid the hassle of escaping
>> chars]
>>
>> > [INFO] ------------------------------------------------------------------------
>> > [INFO] BUILD FAILURE
>> > [INFO] ------------------------------------------------------------------------
>> > [INFO] Total time: 2:20.088s
>> > [INFO] Finished at: Mon Feb 27 13:15:10 CET 2012
>> > [INFO] Final Memory: 36M/370M
>> > [INFO] ------------------------------------------------------------------------
>> > [ERROR] Failed to execute goal
>> > org.apache.maven.plugins:maven-gpg-plugin:1.1:sign (default) on project commons-math3: Exit code: 2 -> [Help 1]
>> > ---CUT---
>> >
>> >>
>> >> Better than plain text, but still not ideal if your host is not
>> >> physically secure.
>> >
>> > It would have been good enough if it worked.
>> > I must be missing some additional configuration...
>>
>> Does the encryption setup work for logins, e.g. can you deploy snapshots?
>
> When there is no GPG step, it seems to work; here is a listing of the
> created files:
>
> $ ls -1 target/deploy/org/apache/commons/commons-math3/3.0-SNAPSHOT/
> commons-math3-3.0-20120227.204940-1.jar
> commons-math3-3.0-20120227.204940-1.jar.md5
> commons-math3-3.0-20120227.204940-1.jar.sha1
> commons-math3-3.0-20120227.204940-1.pom
> commons-math3-3.0-20120227.204940-1.pom.md5
> commons-math3-3.0-20120227.204940-1.pom.sha1
> commons-math3-3.0-20120227.204940-1-site.xml
> commons-math3-3.0-20120227.204940-1-site.xml.md5
> commons-math3-3.0-20120227.204940-1-site.xml.sha1
> maven-metadata.xml
> maven-metadata.xml.md5
> maven-metadata.xml.sha1
>
>
> I only tried "test-deploy"; can I just try "deploy" as is, and see what is
> going to happen?

AFAIK, there is no point - the gpg stage happens before deploy;
changing the deploy target won't change anything to do with gpg.

> I was wary of messing with Nexus until it could at least
> work flawlessly with "test-deploy"...

Nexus is the safety net; it's not possible to accidentally deploy when
using Nexus, as the release upload has to be closed and then released
before it gets sent further.

> I think that this, indeed, did not test the use of the encrypted password
> for login.

To test the login encryption, I suggest you try deploying a snapshot
release instead (e.g. install from trunk, which should remain a
snapshot).

>> > [...]
>
>
> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

Gilles Sadowski
> [...]
>
> > I think that this, indeed, did not test the use of the encrypted password
> > for login.
>
> To test the login encryption, I suggest you try deploying a snapshot
> release instead (e.g. install from trunk, which should remain a
> snapshot).

This command

 $ mvn clean deploy -Prelease -Dgpg.skip

worked. A.o. it uploaded this file:
  https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-math3/3.0-SNAPSHOT/commons-math3-3.0-20120228.1019


Gilles

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

sebb-2-2
On 28 February 2012 10:36, Gilles Sadowski <[hidden email]> wrote:

>> [...]
>>
>> > I think that this, indeed, did not test the use of the encrypted password
>> > for login.
>>
>> To test the login encryption, I suggest you try deploying a snapshot
>> release instead (e.g. install from trunk, which should remain a
>> snapshot).
>
> This command
>
>  $ mvn clean deploy -Prelease -Dgpg.skip
>
> worked. A.o. it uploaded this file:
>  https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-math3/3.0-SNAPSHOT/commons-math3-3.0-20120228.1019

OK, so the login password encryption is working.

AIUI one should not use -Prelease with snapshots as they are not releases.
The release profile is intended for staging of release artifacts, and
as such includes signing.

The next stage is to get the signing key working.

I suggest you revert temporarily to a plain text password, and check
you can sign locally, e.g.

mvn package gpg:sign -DskipTests

Then try encrypting the password again.

>
> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

Gilles Sadowski
> >> [...]
> >>
> >> > I think that this, indeed, did not test the use of the encrypted password
> >> > for login.
> >>
> >> To test the login encryption, I suggest you try deploying a snapshot
> >> release instead (e.g. install from trunk, which should remain a
> >> snapshot).
> >
> > This command
> >
> >  $ mvn clean deploy -Prelease -Dgpg.skip
> >
> > worked. A.o. it uploaded this file:
> >  https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-math3/3.0-SNAPSHOT/commons-math3-3.0-20120228.1019
>
> OK, so the login password encryption is working.
>
> AIUI one should not use -Prelease with snapshots as they are not releases.
> The release profile is intended for staging of release artifacts, and
> as such includes signing.

I took the command from this document:
  http://wiki.apache.org/commons/UsingNexus

>
> The next stage is to get the signing key working.
>
> I suggest you revert temporarily to a plain text password, and check
> you can sign locally, e.g.
>
> mvn package gpg:sign -DskipTests
>
> Then try encrypting the password again.

With
  <gpg.passphrase>Pass phrase in clear text</gpg.passphrase>
it works; whereas with
  <gpg.passphrase>{dwQBDCzUlr8Hb4JOieNAAhzWzTT0Gnmy5yOayp6W4CpbnGsVQrii/bcwDRjwYx9U}</gpg.passphrase>
it doesn't.


Gilles

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

sebb-2-2
On 29 February 2012 00:09, Gilles Sadowski <[hidden email]> wrote:

>> >> [...]
>> >>
>> >> > I think that this, indeed, did not test the use of the encrypted password
>> >> > for login.
>> >>
>> >> To test the login encryption, I suggest you try deploying a snapshot
>> >> release instead (e.g. install from trunk, which should remain a
>> >> snapshot).
>> >
>> > This command
>> >
>> >  $ mvn clean deploy -Prelease -Dgpg.skip
>> >
>> > worked. A.o. it uploaded this file:
>> >  https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-math3/3.0-SNAPSHOT/commons-math3-3.0-20120228.1019
>>
>> OK, so the login password encryption is working.
>>
>> AIUI one should not use -Prelease with snapshots as they are not releases.
>> The release profile is intended for staging of release artifacts, and
>> as such includes signing.
>
> I took the command from this document:
>  http://wiki.apache.org/commons/UsingNexus
>
>>
>> The next stage is to get the signing key working.
>>
>> I suggest you revert temporarily to a plain text password, and check
>> you can sign locally, e.g.
>>
>> mvn package gpg:sign -DskipTests
>>
>> Then try encrypting the password again.
>
> With
>  <gpg.passphrase>Pass phrase in clear text</gpg.passphrase>
> it works; whereas with
>  <gpg.passphrase>{dwQBDCzUlr8Hb4JOieNAAhzWzTT0Gnmy5yOayp6W4CpbnGsVQrii/bcwDRjwYx9U}</gpg.passphrase>
> it doesn't.
>

Just re-checked, and it seems that Maven only supports password
encryption for *server* passwords.

Sorry, thought Maven supported encryption elsewhere in settings.xml too.

> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

Gilles Sadowski
> > [...]
> >
> > With
> >  <gpg.passphrase>Pass phrase in clear text</gpg.passphrase>
> > it works; whereas with
> >  <gpg.passphrase>{dwQBDCzUlr8Hb4JOieNAAhzWzTT0Gnmy5yOayp6W4CpbnGsVQrii/bcwDRjwYx9U}</gpg.passphrase>
> > it doesn't.
> >
>
> Just re-checked, and it seems that Maven only supports password
> encryption for *server* passwords.
>
> Sorry, thought Maven supported encryption elsewhere in settings.xml too.

Hence, it would be clearer to remove the line
  <gpg.passphrase></gpg.passphrase>
in the example snippet of "settings.xml" (in the "UsingNexus" page) and
explicitly say that the signing must preferrably be done in interactive mode
(where one will type the passphrase when maven prompts for it).

There is another confusion that arises when that same snippet refers to
  <id>apache-release</id>
whereas the commands refer to "-Prelease".


Regards,
Gilles

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [Math] Toward releasing 3.0 ?

sebb-2-2
On 29 February 2012 18:35, Gilles Sadowski <[hidden email]> wrote:

>> > [...]
>> >
>> > With
>> >  <gpg.passphrase>Pass phrase in clear text</gpg.passphrase>
>> > it works; whereas with
>> >  <gpg.passphrase>{dwQBDCzUlr8Hb4JOieNAAhzWzTT0Gnmy5yOayp6W4CpbnGsVQrii/bcwDRjwYx9U}</gpg.passphrase>
>> > it doesn't.
>> >
>>
>> Just re-checked, and it seems that Maven only supports password
>> encryption for *server* passwords.
>>
>> Sorry, thought Maven supported encryption elsewhere in settings.xml too.
>
> Hence, it would be clearer to remove the line
>  <gpg.passphrase></gpg.passphrase>
> in the example snippet of "settings.xml" (in the "UsingNexus" page) and
> explicitly say that the signing must preferrably be done in interactive mode
> (where one will type the passphrase when maven prompts for it).
>
> There is another confusion that arises when that same snippet refers to
>  <id>apache-release</id>
> whereas the commands refer to "-Prelease".
>

DOne

> Regards,
> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

123