users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Do milestone 1 release?

From: Werner Keil <werner.keil_at_gmail.com>
Date: Thu, 19 May 2016 16:22:56 +0200

Having these kinds of repos we could also automatically push the snapshots
to JFrog from a CI server.
Either TravisCI or CircleCI (just got ~18 Mio. $ VC funding, so they
hopefully won't go away that soon;-) look good for that.

Werner


On Thu, May 19, 2016 at 4:20 PM, Werner Keil <werner.keil_at_gmail.com> wrote:

> Anybody is welcome in the Bintray community. Being there allows you to
> publish to bintray.com and JCenter. Maybe fewer (because you need to sign
> the artifacts etc.) could then also sync important builds to MavenCentral,
> but it may even be a first important step to have SNAPSHOTs on
> https://oss.jfrog.org/artifactory/oss-snapshot-local/javax/ ("security"
> not there yet)
>
> Werner
>
>
> On Thu, May 19, 2016 at 4:16 PM, arjan tijms <arjan.tijms_at_gmail.com>
> wrote:
>
>> On Thu, May 19, 2016 at 4:14 PM, Werner Keil <werner.keil_at_gmail.com>
>> wrote:
>>
>>> Btw, I noticed when referring to the JSR 375 Twitter accont, it's not
>>> overly busy nor does it have many followers. Who maintains it or created it?
>>>
>>
>> It's not me, wasn't it Rudy?
>>
>>
>>
>>>
>>>
>>> On Thu, May 19, 2016 at 4:11 PM, Werner Keil <werner.keil_at_gmail.com>
>>> wrote:
>>>
>>>> You may need to proof and point to being an EG member, either to
>>>> jcp.org (the "source of truth" on that) or if they want the GitHub
>>>> organization. That should be enough. Even in JSRs with a "less busy" Spec
>>>> Lead than most of the EE ones right now, it is perfectly fine to have other
>>>> committers and EG members help with that.
>>>>
>>>> Regards,
>>>> Werner
>>>>
>>>>
>>>> On Thu, May 19, 2016 at 4:08 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Thu, May 19, 2016 at 3:53 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Bintray not only hosts a large Maven repo (Jcenter) it can (there you
>>>>>> need another account, but should not need to be Spec Lead only, members of
>>>>>> the EG usually qualify) sync with MavenCentral.
>>>>>>
>>>>>
>>>>> I wonder, does it accept artifacts for the javax.* group IDs? Would
>>>>> you not somehow need to prove you are indeed associated with javax.* and
>>>>> have the authorization to publish?
>>>>>
>>>>> Without that I guess everyone would be able to claim say javax.foo,
>>>>> and sync that to Maven central, blocking or severely confusing the
>>>>> integrity of that (parent) group ID?
>>>>>
>>>>> Kind regards,
>>>>> Arjan Tijms
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Doing that with JSR 363 on a regular basis and other JSRs like 354
>>>>>> though it's mostly done by Anatole (because he set up automatic signing for
>>>>>> MavenCentral)
>>>>>>
>>>>>> BinTray/JCenter require all projects to have source-jars, if
>>>>>> synchronized with MavenCentral one should also sign the JARs and everything
>>>>>> else as .asc.
>>>>>>
>>>>>> Beside that Bintray also hosts all sorts of other artifacts, Vagrant
>>>>>> or Docker containers just to name a few, might come handy to some JSRs e.g.
>>>>>> for ready to use demos or distributions of Soteria on preferred app
>>>>>> servers;-D
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Werner
>>>>>>
>>>>>>
>>>>>> On Thu, May 19, 2016 at 2:45 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Soteria and JSR 375 has been in development for quite some time at
>>>>>>> 1.0-m01-SNAPSHOT.
>>>>>>>
>>>>>>> Although we didn't set specific goals for each milestone, it may be
>>>>>>> a good idea to release what we have now as 1.0-m01 and set the next version
>>>>>>> to 1.0-m02-SNAPSHOT.
>>>>>>>
>>>>>>> While updating the pom files is mostly trivial, it would make sense
>>>>>>> to actually have version 1.0-m01 available in Maven central. This will make
>>>>>>> it much easier for people to experiment with this milestone and provide us
>>>>>>> with feedback.
>>>>>>>
>>>>>>> For this deployment we need someone from Oracle, as they own the
>>>>>>> group IDs that we use.
>>>>>>>
>>>>>>> So:
>>>>>>>
>>>>>>> 1. What does everyone think about releasing a 1.0-m01?
>>>>>>> 2. Alex, or Will, can either of you do the deployment to Maven
>>>>>>> central?
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Arjan Tijms
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>