Document known warnings

With the change to Tycho 3.x the number of warnings in the build went
up approx 20-fold.

Part of #38

RELEASING.md

@@ -67,8 +67,12 @@ This checklist is only used once per release cycle. Scroll down for the per-mile
 - [ ] Run a [CI build](https://ci.eclipse.org/packaging/job/simrel.epp-tycho-build/) that includes the above changes.
 - [ ] Disable the [CI build](https://ci.eclipse.org/packaging/job/simrel.epp-tycho-build/) so that the build results are not overwritten while doing the promotion. You can disable the project once it has fully started running, you don't have to wait for the build to finish.
 - [ ] Check that there are no unexpected warnings in the console output. Especially look for warnings about failure to sign.
-  - Warnings about Mirror tool seem to be ok and can be ignored. In a historically good build there is one `[WARNING] Mirror tool: Messages while mirroring artifact descriptors.` per package
-  - Warning about pack200 like `Pack200 is not supported when running on Java 14 and higher` should be resolved by upgrading to Tycho 3.0.0 when we are ready
+  - The following warnings are known to be OK but ideally should be fixed at some point
+    - Warnings about Mirror tool seem to be ok and can be ignored. In a historically good build there is one `[WARNING] Mirror tool: Messages while mirroring artifact descriptors.` per package
+    - `A terminally deprecated method in java.lang.System has been called` is OK when it is about setSecurityManager from ANT. When the security manager goes away for real we'll have to resolve this issue.
+    - `The digest algorithms (md5) used to verify` is OK to ignore because we pull from SimRel. Over time there should be less of these warnings as projects rebuild their old repos to have modern signing. These warnings are typically seen on bundles which are old, such as `org.eclipse.update.feature,org.eclipse.license,2.0.2.v20181016-2210`
+    - `No digest algorithm is available to verify download` is OK to ignore when the bundles are the ones generated by the EPP build itself (such as `org.eclipse.epp.package.common.feature` or `epp.package.cpp.executable.gtk.linux.aarch64`)
+    - Other warnings may be fine as well, as of the writing of this note there are 206 warnings in the build.
   - If warnings about signings occur that leave the dmg unsigned and the build does not fail, please reopen [Bug 567916](https://bugs.eclipse.org/bugs/show_bug.cgi?id=567916)
 - [ ] Run the [Notarize MacOSX Downloads](https://ci.eclipse.org/packaging/job/notarize-downloads/) CI job to notarize DMG packages on download.eclipse.org. _This can be done after promotion if time is tight or the notarization fails repeatedly. See [Bug 571669](https://bugs.eclipse.org/bugs/show_bug.cgi?id=571669) for an example of failures._ - [ ] Check the build script output to make sure that the curl calls were successful (e.g. no `curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2) ` messages) - If there is an error like the above the .dmg file that is copied to download.eclipse.org is corrupt. Run [notarize-prepare-to-redo](https://ci.eclipse.org/packaging/job/notarize-prepare-to-redo/) to rename the -signed file back to -tonotarize and then re-run the [notarize job](https://ci.eclipse.org/packaging/job/notarize-downloads/)
 - Other notes about notarization