eclipse-ee4j/angus-mail

Conflicting version numbers and release dates

XSpielinbox opened this issue · 5 comments

Describe the bug
There are multiple conflicting release dates for version 1.0.0 and it is unclear what's the reasoning behind version 2.0.0, 1.1.0 and 1.0.1:

  • The website lists version 1.0.0 as the newest release, released on the 14th of December 2022. The next version is stated to be 2.0.0.
  • According to Maven Repository the latest release is 1.0.0 from the 15th of February 2022.
  • The GitHub Tags page dates version 1.0.0 to the 18th of January 2022 and the newest version is listed as 1.1.0.
  • The GitHub Releases page dates the version 1.0.0 to the 31st of August 2022 as the latest release.
  • As stated in #57 the changelogs once state 1.1.0 and once 1.0.1 as the next release.

Expected behavior
Every possible source lists the exact same release date for a given version and there is consensus about the next version after 1.0.0.

Additional Context
To determine whether one is affected by e.g. CVE-2021-44549 too, it would be necessary to know exactly what version one is using and in what version certain changes have been made.

  • The website lists version 1.0.0 as the newest release, released on the 14th of December 2022. The next version is stated to be 2.0.0.

1.0.0 was released in 2021, not 2022. I guess that is just a typo here. At this point it was clear that the next version will be 2.0.0 to allow specific breaking changes

  • According to Maven Repository the latest release is 1.0.0 from the 15th of February 2022.

this is the date when the binary was built and not the release date. Should be older than the date on the web by some 7-10 days, but usually it is more

  • The GitHub Tags page dates version 1.0.0 to the 18th of January 2022 and the newest version is listed as 1.1.0.

tag creation does not imply immediate availability of the official release

  • The GitHub Releases page dates the version 1.0.0 to the 31st of August 2022 as the latest release.

the date matches the day when the release record on github was created. There is no way to change it if one forgets to publish it on the right day

there is and always will be a delay between the content of the VCS and the web site since the web site needs to be built from the content in the VCS

Thank you for the explanation.

This still does not make sense to me.
If the release date of version 1.0 was the 14th of December 2021, why is the binary on Maven Repository dated not a few days before but rather 2 months later?
Also: When looking at the timestamp directly in Central Repository it states the 18th of January 2022 (in line with GitHub Tags page), but about a month before the date Maven Repository states...

When are the Tags on GitHub created then? What does the Tag mean?

And when I understand you correctly it seems like there is an error in the changelog as the pull request #14 was made after the release on the web, GitHub tag and date of publishing on Maven Repository/Central Repository and therefore would not be included in version 1.0?

This still does not make sense to me. If the release date of version 1.0 was the 14th of December 2021, why is the binary on Maven Repository dated not a few days before but rather 2 months later?

14th Dec date was set by the parent project at some point during 2021 and this project was supposed to use it. Later on the release date was moved to September 22, 2022, so the project got more time for work & testing. As requirements from the parent project were changing, project had to do a few respins

Also: When looking at the timestamp directly in Central Repository it states the 18th of January 2022 (in line with GitHub Tags page), but about a month before the date Maven Repository states...

Maven Central is the source of truth, mvnrepository is not

When are the Tags on GitHub created then? What does the Tag mean?

And when I understand you correctly it seems like there is an error in the changelog as the pull request #14 was made after the release on the web, GitHub tag and date of publishing on Maven Repository/Central Repository and therefore would not be included in version 1.0?

it was planned to be included, yet the respin has not been done in time. Fixed in the change log already

14th Dec date was set by the parent project at some point during 2021 and this project was supposed to use it. Later on the release date was moved to September 22, 2022, so the project got more time for work & testing. As requirements from the parent project were changing, project had to do a few respins

But then version 1.0.0 was ready earlier and got released 18th of January of 2022 or when was it released then? I cannot find the 22nd of September mentioned anywhere and wouldn't it be quite early to build a binary 8 months before release? Also if the actual release date was postponed from the 14th of December 2021, why does the website still state only that date? Isn't that confusing, especially as users are normally interested in the actual release date (only)?

it was planned to be included, yet the respin has not been done in time. Fixed in the change log already

Ah, ok. Thank you. It was #14 that was merged by the way not #12. Also if this was only changed in version 1.1.0, this means that version 1.0.0 is also affected by the security issue outlined in CVE-2021-44549.

14th Dec date was set by the parent project at some point during 2021 and this project was supposed to use it. Later on the release date was moved to September 22, 2022, so the project got more time for work & testing. As requirements from the parent project were changing, project had to do a few respins

But then version 1.0.0 was ready earlier and got released 18th of January of 2022 or when was it released then?

Built on Jan 18, sent from staging to central likely during end of Feb/beginning of March

I cannot find the 22nd of September mentioned anywhere and wouldn't it be quite early to build a binary 8 months before release?

https://jakarta.ee/news/jakarta-ee-10-released/

Also if the actual release date was postponed from the 14th of December 2021, why does the website still state only that date? Isn't that confusing, especially as users are normally interested in the actual release date (only)?

the date was changed a few times every quarter. Given the number of projects affected and people involved, it is not feasible to keep everything updated after each and every change in the plan

it was planned to be included, yet the respin has not been done in time. Fixed in the change log already

Ah, ok. Thank you. It was #14 that was merged by the way not #12. Also if this was only changed in version 1.1.0, this means that version 1.0.0 is also affected by the security issue outlined in CVE-2021-44549.

#12 is an issue, #14 is a PR fixing it. Changelog is supposed to list bugs and not PRs, if possible