Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[wtp-dev] Status meeting topic: signed jars in 2.0.2 R build

I wanted to give some advance notice of an issue with the 202 build -- to be discussed at this afternoon's status meeting.

Yesterday I discovered a I made a mistake in the final 202 build for our download site. The changes I had been making to sign jars for 3.0 stream "leaked" over into the final 2.0.2 build. See bug (bug 221450).

While signed jars should not cause any functional difference, there is a risk of subtle performance issues and is a larger change than we'd normally want to make in a maintenance release.

Given the order of events, the jars on update sight are not signed, the jars in the EPP package are not signed (they are pulled from update site) .... only the jars in the final zip for the "R" build got signed.

So ... what to do?  I see the options are:

A. Do nothing. Assume the best  -- that there are no huge problems with signed jars, and installing from update site or EPP Package will dominate and/or provide a work around if issues found.

B. Respin a 202B that is just like 202 but with the signing flag correctly turned off. And simply replace the current 202 R build with this 202B R build.  In this re-build, all the jars will have the exact same version numbers as the 202 build. If we do this one, we should also re-smoke-test that final 202B build just as a sanity check, so it is more work.

I think this is mostly driven by "what do adopters want" -- do adopters rely on our zips, or our update site jars? Do signed jars concern them? So will look forward to suggestions.

While not much notice, I'm hoping this note will lead to a decision at status meeting. If more time is needed, that's fine ... just wanted to make people aware and get the discussion started.

And my apologies for the error.

Back to the top