include source zip in release process #61
Conversation
|
Hi, Thanks for your efforts! |
|
Apologies for the delayed response -- I dropped the ball with a bunch of GH notifications recently 😞 As far as I'm aware, this PR does not include any work against that CVE. I can have a look at it when I get some time. The original PR I made was to update build so that log4net could be built practically anywhere (well, anywhere with all of the arcane .net framework requirements, which means AppVeyor is doing a good job!) so that the project wouldn't be abandoned. When I picked up that task, there was already outstanding work and a version bump to 2.0.9, so that's the reason there's a version bump there -- it's basically the contributions that have been included since 2.0.8. I'd prefer to open a new PR to look into the item listed above. For a while now, I've been trying to keep the ball rolling on this project -- I've put in quite a bit of time on build and I'd really like to know that that time isn't going to /dev/null. If the above is a show-stopper, I can look at it now, but that's the current state in the wild too, so 2.0.9 can't be worse? |
Thank you for your reply! 2.0.9 will it be released on nuget.org if you get the build right? |
|
Well, this PR is to include the last required artifact (source zip) for the build that I fixed up. It's just waiting on someone to ok it - I'm not sure if I need to kick off the process with an email though. @rgoers I know I've been well annoying with this whole process, but I'd really appreciate some guidance 🙏 |
|
That linked jira ticket mentions commit d0b4b01, which is not in the lineage for this pr - I'll need to hunt it down... |
|
Sorry, I have just been busy with my $day job.
Ralph
… On Jul 23, 2020, at 9:12 AM, Davyd McColl ***@***.***> wrote:
Well, this PR is to include the last required artifact (source zip) for the build that I fixed up. It's just waiting on someone to ok it - I'm not sure if I need to kick off the process with an email though. @rgoers <https://github.com/rgoers> I know I've been well annoying with this whole process, but I'd really appreciate some guidance 🙏
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#61 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA5MX2GSJ2VV75YJHALTQTR5BOPFANCNFSM4OYOAL6A>.
|
|
Looks like that commit is in the develop branch. @rgoers do you think I could merge that into this? Or would develop get changes from master and then make a new PR? Not sure of the accepted workflow. Conversely, the changes in that commit are small enough that I could simply apply on this branch. |
|
@rgoers I totally understand, and don't want to be a PITA 😄 whenever you have time, I'd really appreciate your input. |
|
Don’t worry about it. I will be on vacation next week so will probably spend more time on ASF related stuff.
Ralph
… On Jul 23, 2020, at 9:26 AM, Davyd McColl ***@***.***> wrote:
@rgoers <https://github.com/rgoers> I totally understand, and don't want to be a PITA 😄 whenever you have time, I'd really appreciate your input.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#61 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA5MX2EMCOJCLGNYQ54GOLR5BQFHANCNFSM4OYOAL6A>.
|
|
CVE-fix merge would be great! Thank you! |
|
@jvz thanks, two questions though:
|
|
@fluffynuts In answer to 1) as you know the main problem with the log4net project is that all the active developers on it have left the project. So the accepted workflow is up to whoever replaces them. As for item 2) I believe I have stated at least a couple of times that once you feel it is ready for a release that you should submit a PR with the tag you used for the release and the location of the artifacts to vote on. Then start a vote thread on the logging dev list. |
|
@rgoers I'm happy to follow up on the CVE and the recent email on the mailing list As for (2), I thought that's what this PR was, so am I correct in saying that the only thing I'm missing was not starting a voting thread? You mention tag -- should I tag before starting up a voting thread? I'm sorry if these questions seem dumb -- I sometimes get the feeling that there's a well-established structure in place, and other times that "the accepted workflow is up to whoever", and I definitely don't have the power to just start doing whatever I want, if I want releases to get out there. |
|
Is there a tag included in the PR with the version number? Can those even be added in a PR. If not it is a simple matter to tag the version associated with this I guess. Yes, I sympathize with your predicament as you are in sort of a catch-22 at the moment. Yes, if you feel the release is ready for a vote start a vote thread with a subject of something like "[VOTE] Release Log4Net x.y.z". Please include in the vote thread the links to the artifacts to be reviewed. If you look at https://lists.apache.org/thread.html/r98e0c907521107b8da0de59978781bfbca9e82bfd97a7a87284c5a66%40%3Cdev.logging.apache.org%3E you will see an example of the latest vote thread for Log4j, but note that the only thing that is required is where to find what is to be voted on. For example, Log4j updates its web site with each release. That is not required but obviously the web site will want to describe how to get the latest artifacts. |
Most of the latest commits on develop are from @dpsenner and a few are from @bodewig so maybe they can answer this?
Maybe the file ReleaseInstructions.txt (or the updated ReleaseInstructions.md on the develop branch) helps. |
|
Ok, I'm obviously doing something wrong. I sent a mail to dev@logging.apache.org to try to start a vote on the 2.0.9 release and there has been zero response. The Release instructions.(txt|me) are very much out of date with the current build system that I set up, which is now merged into master, particularly because they refer to nant and a developer's pgp key, neither of which apply now. I'm honestly trying to help to keep this alive, but it feels as if there's no way to do so? @dpsenner @bodewig, if you have a moment, I'd appreciate guidance. It's really starting to look like forking is the only option. I've literally spent months trying to figure out how to get an official release out. I've never had so much resistance to an attempt to contribute to a project before 😢 |
|
Nothing done wrong. We're just all volunteers ourselves, so it sometimes takes time for review. I've gone over the initial vote thread and provided some feedback. |
Adds the
log4net-source-{version}.zipsource archive to build artifacts. This (should) mean that anyone who has set up AppVeyer for their account should have built binaries, nuget package and source tarball on any push, where artifacts will only be made once all binaries are built and all tests pass.Available here: https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts
Please let me know if there is something missing / incorrect with the proposed artifacts so I can attend to any problems.