[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [wtp-dev] signed jars in 2.0.2 R build


Just to follow-up on this issue in this mailing list, it was decided in 3/6 status meeting, there was no need to have a new zip on the download site for this issue,
but I have saved a copy of RC3 on archive site, which as same content in zip files as final R build, just different labels (and, not signed).



From: David M Williams/Raleigh/IBM@IBMUS
To: wtp-dev@xxxxxxxxxxx
Date: 03/06/2008 12:06 PM
Subject: [wtp-dev] Status meeting topic: signed jars in 2.0.2 R build






I wanted to give some advance notice of an issue with the 202 build -- to be discussed at this afternoon's status meeting.


Yesterday I discovered a I made a mistake in the final 202 build for our download site. The changes I had been making to sign jars for 3.0 stream "leaked" over into the final 2.0.2 build. See bug
(bug 221450).

While signed jars should not cause any functional difference, there is a risk of subtle performance issues and is a larger change than we'd normally want to make in a maintenance release.


Given the order of events, the jars on update sight are not signed, the jars in the EPP package are not signed (they are pulled from update site) .... only the jars in the final zip for the "R" build got signed.


So ... what to do?  I see the options are:


A. Do nothing. Assume the best  -- that there are no huge problems with signed jars, and installing from update site or EPP Package will dominate and/or provide a work around if issues found.


B. Respin a 202B that is just like 202 but with the signing flag correctly turned off. And simply replace the current 202 R build with this 202B R build.  In this re-build, all the jars will have the exact same version numbers as the 202 build. If we do this one, we should also re-smoke-test that final 202B build just as a sanity check, so it is more work.


I think this is mostly driven by "what do adopters want" -- do adopters rely on our zips, or our update site jars? Do signed jars concern them? So will look forward to suggestions.


While not much notice, I'm hoping this note will lead to a decision at status meeting. If more time is needed, that's fine ... just wanted to make people aware and get the discussion started.


And my apologies for the error.
_______________________________________________
wtp-dev mailing list
wtp-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/wtp-dev