Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations

From: Bill Shannon <bill.shannon@xxxxxxxxxx>
Date: Mon, 26 Aug 2019 15:08:46 -0700
Delivered-to: jakarta.ee-spec.committee@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jakarta.ee-spec.committee>
List-help: <mailto:jakarta.ee-spec.committee-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jakarta.ee-spec.committee>, <mailto:jakarta.ee-spec.committee-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jakarta.ee-spec.committee>, <mailto:jakarta.ee-spec.committee-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0

Thanks, David, that explanation was helpful.

It seems that we have a number of competing requirements.  The most basic
requirement is that we ship exactly what we review and approve.  There
doesn't seem to be an easy way to enforce this, so the question is how
much effort we need to go to to ensure that mistakes are not made.

Ideally, during the review period, there would be exactly one staging
repository for each API, which would not change, and after approval that
staging repository would be released to Maven Central.  If that were the
case, it wouldn't matter whether we reviewed the "view" URL or the
"numbered" URL.

One known issue that makes the above difficult is the expiration of
staging repositories.  30 days is enough for any one API, but it's not
really long enough for the collection of all APIs going into Jakarta EE.
Again, ideally, this would be increased to 60 days.  Lacking that, we might
need the "backup and restore" tools for the staging repositories.

I think we agreed that having things like GlassFish or the Jakarta EE API
project explicitly list every "numbered" staging repository is unworkable.
So it seems like we need to make the "view" URL work for us.  This is the
primary reason I thought we should include the "view" URL in the PR - it
has to work, and this is a way for us to check that it's referring to the
right content.

The primary reason for including the "numbered" URL seems to be that it's
a fixed reference to the artifacts that can not change, and that if we
always operate on that numbered repository we can ensure that we get what
we want.  But I don't see that there's any way to ensure that the "view"
URL will only find artifacts in that numbered repository, unless we assume
or ensure that there is only one such repository for each API.

Maybe we should create an audit tool that can check that there is only
one staging repository for each API, and that the artifacts visible
through the "view" URL are the same artifacts that are in that one "numbered"
staging repository?

So, again, how much effort is this worth?

I don't see any simple operational steps that will ensure we get exactly
what we want.  We either need to make some assumptions or create some tools.


David Blevins wrote on 8/24/19 2:15 PM:
> The most important thing for us to know -- and I've tried and failed to explain this before -- is that this repository is basically like a database view:
> 
>  - https://oss.sonatype.org/content/repositories/staging/
> 
> Nexus has the ability to sew together multiple physical repositories as one logical view.  When those physical repositories are not located in that exact Nexus install, Nexus will act like a caching proxy.  It's possible to create a view that basically consists of all actual staging repositories, plus a cache of external repositories like Maven Central.
> 
> So for example, this is the actual physical staging repository for our deployment 1.7.2 binaries up for vote:
> 
>  - https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1002/
>  - https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1002/jakarta/enterprise/deploy/jakarta.enterprise.deploy-api/1.7.2/
> 
> An actual staging repository (not a view) cannot be modified once closed.  So there's nothing we can do to keep it fresh or trick it into staying around.  Once the above `jakartaenterprisedeploy-1002` staging repository is deleted, we'll see it's contents are no longer available in the "view" here:
> 
>  - https://oss.sonatype.org/content/repositories/staging/jakarta/enterprise/deploy/jakarta.enterprise.deploy-api/1.7.2/
> 
> Now as I mentioned the view also will allow you to "see" things in Maven Central.  When we do releases, we enable `https://oss.sonatype.org/content/repositories/staging/` as a repository in our builds and our Maven Central dependencies end up flowing through the view and being cached.  For example here's a chunk of the log output from the JAXR release James did 3 days ago:
> 
> ----
> Downloaded from sonatype-nexus-staging: https://oss.sonatype.org/content/repositories/staging/com/headius/options/1.4/options-1.4.jar (14 kB at 6.7 kB/s)
> Downloading from sonatype-nexus-staging: https://oss.sonatype.org/content/repositories/staging/com/martiansoftware/nailgun-server/0.9.1/nailgun-server-0.9.1.jar
> Downloading from sonatype-nexus-staging: https://oss.sonatype.org/content/repositories/staging/com/jcraft/jzlib/1.1.3/jzlib-1.1.3.jar
> ----
> 
> Each one of these is now sitting cached in Sonatype's staging view:
> 
>  - https://oss.sonatype.org/content/repositories/staging/com/headius/options/1.4/
>  - https://oss.sonatype.org/content/repositories/staging/com/martiansoftware/nailgun-server/0.9.1/
>  - https://oss.sonatype.org/content/repositories/staging/com/jcraft/jzlib/1.1.3/
> 
> Where I tried to explain this was when I recommended we use the actual physical staging repo names in our PRs because these are the repos we must take action on when a release completes.  For deployment there are actually several physical staged repos.  I found them via URL hacking:
> 
> ----
> 1000	404		https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1000/
> 1001	200	Jul 25, 2019	https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1001/
> 1002	200	Jul 25, 2019	https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1002/
> 1003	200	Jul 27, 2019	https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1003/
> 1004	200	Jul 27, 2019	https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1004/
> 1005	200	Aug 02, 2019	https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1005/
> 1006	404		https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1006/
> 1007	404		https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1007/
> 1008	404		https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1008/
> 1009	404		https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1009/
> 1010	404		https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1010/
> ----
> 
> The 1.7.2 binaries are in 1002 and 1.7.3 is in 1005.
> 
>  - https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1002/jakarta/enterprise/deploy/jakarta.enterprise.deploy-api/1.7.2/
>  - https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1005/jakarta/enterprise/deploy/jakarta.enterprise.deploy-api/1.7.3/
> 
> Both of these will be gone by the time their vote is schedule to complete.  Any builds that pulled them in via the local staging view will begin to fail.  There are some garbage repos we should just drop:
> 
>  - https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1001/jakarta/enterprise/deploy/deployment-spec/1.7/
>  - https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1003/jakarta/enterprise/deploy/deployment-spec/1.0/
>  - https://oss.sonatype.org/content/repositories/jakartaenterprisedeploy-1004/jakarta/enterprise/deploy/jakarta.enterprise.deploy-api/1.0.9/
> 
> Here's Bill's mail release (again found via url hacking).  Once the vote concludes on the 28th, he'll have about 3 days to publish the jakartamail-1011 repo which should be enough.
> 
> ----
> 1010	404		https://oss.sonatype.org/content/repositories/jakartamail-1010/
> 1011	200	Aug 01, 2019	https://oss.sonatype.org/content/repositories/jakartamail-1011/
> 1012	404		https://oss.sonatype.org/content/repositories/jakartamail-1012/
> 1013	404		https://oss.sonatype.org/content/repositories/jakartamail-1013/
> ----
> 
> Here's the transaction release.  This vote completes Sept 2, so we're going to potentially lose this binary right at the finish line.
> 
> ----
> 1021	404		https://oss.sonatype.org/content/repositories/jakartatransaction-1021/
> 1022	200	Aug 02, 2019	https://oss.sonatype.org/content/repositories/jakartatransaction-1022/
> 1023	404		https://oss.sonatype.org/content/repositories/jakartatransaction-1023/
> ----
> 
> Here's the xmlrpc release.  This vote also completes on Sept 2 and we risk losing this one at the finish line as well.
> 
> ----
> 1003	404		https://oss.sonatype.org/content/repositories/jakartaxmlrpc-1003/
> 1004	200	Aug 02, 2019	https://oss.sonatype.org/content/repositories/jakartaxmlrpc-1004/
> 1005	404		https://oss.sonatype.org/content/repositories/jakartaxmlrpc-1005/
> ----
> 
> Here are the JSP and JSTL repos, which are 1017 and 1019 respectively.  The JSP vote concludes Sept 2, so we might possibly make this one if we're extremely fast.  JSTL concludes Sept 9, so we have plenty of time to act before that one would be gone.
> 
> ----
> 1016	404		https://oss.sonatype.org/content/repositories/jakartaservletjsp-1016/
> 1017	200	Aug 03, 2019	https://oss.sonatype.org/content/repositories/jakartaservletjsp-1017/
> 1018	404		https://oss.sonatype.org/content/repositories/jakartaservletjsp-1018/
> 1019	200	Aug 19, 2019	https://oss.sonatype.org/content/repositories/jakartaservletjsp-1019/
> 1020	404		https://oss.sonatype.org/content/repositories/jakartaservletjsp-1020/
> ----
> 
> Ultimately, this is why I was very against people using `https://oss.sonatype.org/content/repositories/staging/` urls in their PRs.  Because it's too many levels removed from reality, perpetuates confusion and creates too many opportunities for the wrong thing to happen.
> 
> We haven't seen it this release, but there could actually be several physical staging repos containing the same version of an API.  Basically every attempt sticks around till it is either dropped or expires.  Were this to happen we would still see only one copy in the logical view.  The gotcha would be that as each expires and is deleted the one that wins will change.  So the logical URL of `https://oss.sonatype.org/content/repositories/staging/jakarta/wombat/2.0/`, which is effectively a symbolic link, might map to `jakartawombat-1003/jakarta/wombat/2.0/` at the start of a vote and `jakartawombat-1006/jakarta/wombat/2.0/` at the end of a vote.  The people who voted at the beginning and the people who voted at the end would have voted for completely different binaries.
> 
> I appreciate this is a lot of information to digest.
> 
>

Follow-Ups:
- Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: David Blevins
- Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: David Blevins

References:
- [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: David Blevins
- Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: David Blevins
- Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: Bill Shannon
- Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: David Blevins
- Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: Kevin Sutter
- Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
  - From: David Blevins

Prev by Date: Re: [jakarta.ee-spec.committee] Other version mismatches beyond JACC
Next by Date: Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
Previous by thread: Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
Next by thread: Re: [jakarta.ee-spec.committee] Votes and Staging Repo Expirations
Index(es):
- Date
- Thread

Breadcrumbs