accumulo-dev mailing list archives

From Christopher <ctubb...@apache.org>
Subject Re: [VOTE] Accumulo 1.7.2-rc2
Date Sun, 19 Jun 2016 22:56:23 GMT
For what it's worth, the key owner can add or update the expiration date. I
think it's a good idea to expire, and I'd encourage everyone to do so, but
the main thing is to ensure they still have exclusive control of the
private key, and that's hard to prove.

I update my expiration date every few years.

On Sun, Jun 19, 2016, 16:07 Josh Elser <josh.elser@gmail.com> wrote:

>
>
> Dylan Hutchison wrote:
> > +1 with notes below~
> >
> > * NOTICE and LICENSE look good to my inexperienced eyes.
> > * Source-compiled binary tar.gz matches the binary tar.gz artifact, except
> > for META-INF entries.
> > * Unit tests pass.
> > * Good checksums and sigs. Fingerprint matches Mike's key.
> > * Graphulo tests pass.
>
> Yay, API compatibility :)
>
> > * Sunny integration tests pass on a single-node standalone deployment.
> > Tested on Zookeeper 3.4.6 and both Hadoop 2.4.1 and 2.7.2.
> >
> > Notes / Questions:
> >
> >     1. On the ITs: for some reason I can't figure out, the "stop Accumulo
> >     processes" part of ReadWriteIT#sunnyDay gives me trouble when I run it
> >     alongside the others, but it passes when I run it alone.  Similar story for
> >     ExamplesIT#testBulkIngest.
>
> Interesting. Are you setting forkMode > 1? Or running multiple
> invocations of the build at the same time? I wouldn't be surprised if
> some of the logic we have to 'test' is actually wrong when we have
> concurrent processes running, but I'm not sure why these two in
> particular would have troubles.
>
> >     2. On diffing the source-built binary with the binary artifact: it seems
> >     the source-built binary has more license information in
> >     the META-INF/DEPENDENCIES than the binary artifact, in addition to a few of
> >     the entries being permuted.  This holds true for all the jars except
> >     accumulo-fate.jar.  Here is a pastebin for the source-built binary deps
> >     <http://pastebin.com/HJZB2See>, and a pastebin for the binary artifact
> >     deps <http://pastebin.com/nKfxWd2c> for accumulo-core.jar.  Here is a pastebin
> >     of their diff <http://pastebin.com/jYtggRLK>.  I don't know how
> >     significant the difference is; maybe Sean or Christopher could comment.
>
> This is probably due to the difference in the release-process creation
> of the binary tarball and what gets built when you just do a `mvn
> package` on your computer (e.g. activating the 'apache-release' Maven
> profile). I also see findbugs in the list, so that's likely unintended.
>
> Overall, for the purposes of the ASF licensing, the DEPENDENCIES file is
> a "nice to have" (LICENSE and NOTICE are the ones we really need to get
> right).
>
> Also, with your commit bit, you can also use paste.apache.org if you
> want to avoid the ads on pastebin :)
>
> >     3. Is it good practice to use a code-signing key with no expiration date?
>
> As I understand it, it's not bad like a non-expiring password, but it's
> good to have an expiration date. If you do lose/compromise your key, at
> least everyone knows that there is a certain date the key is no longer
> valid. It's also easy to extend the validity of your key, IIRC.
>
> >
> >
> > On Fri, Jun 17, 2016 at 9:31 PM, Mike Drob <mdrob@apache.org> wrote:
> >
> >> Accumulo Developers,
> >>
> >> Please consider the following candidate for Accumulo 1.7.2.
> >>
> >> All content generated via
> >>      assemble/build.sh --create-release-candidate -P '!thrift'
> >>
> >> Changes from 1.7.2-rc1
> >>
> >> ACCUMULO-4346 correct LICENSE file for source to include text of reference
> >> ACCUMULO-4347 Crypto notification should be in README files instead of NOTICE
> >>
> >> Git Commit:
> >>      a01e67741d101c3d87f1d6e16d54ff7a96951ad0
> >> Branch:
> >>      1.7.2-rc2
> >>
> >> If this vote passes, a gpg-signed tag will be created using:
> >>      git tag -f -m 'Apache Accumulo 1.7.2' -s rel/1.7.2 a01e67741d101c3d87f1d6e16d54ff7a96951ad0
> >>
> >> Staging repo:
> >> https://repository.apache.org/content/repositories/orgapacheaccumulo-1052
> >> Source (official release artifact):
> >> https://repository.apache.org/content/repositories/orgapacheaccumulo-1052/org/apache/accumulo/accumulo/1.7.2/accumulo-1.7.2-src.tar.gz
> >> Binary:
> >> https://repository.apache.org/content/repositories/orgapacheaccumulo-1052/org/apache/accumulo/accumulo/1.7.2/accumulo-1.7.2-bin.tar.gz
> >> (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
> >> given artifact.)
> >>
> >> All artifacts were built and staged with:
> >>      mvn release:prepare && mvn release:perform
> >>
> >> Signing keys are available at https://www.apache.org/dist/accumulo/KEYS
> >> (Expected fingerprint: 86EDB9C33B8517228E88A8F93E48C0C6EF362B9E)
> >>
> >> Release notes (in progress) can be found at:
> >> https://accumulo.apache.org/release_notes/1.7.2
> >>
> >> Please vote one of:
> >> [ ] +1 - I have verified and accept...
> >> [ ] +0 - I have reservations, but not strong enough to vote against...
> >> [ ] -1 - Because..., I do not accept...
> >> ... these artifacts as the 1.7.2 release of Apache Accumulo.
> >>
> >> This vote will end on Tue Jun 21 05:00:00 UTC 2016
> >> (Tue Jun 21 01:00:00 EDT 2016 / Mon Jun 20 22:00:00 PDT 2016)
> >>
> >> Thanks!
> >>
> >> P.S. Hint: download the whole staging repo with
> >>      wget -erobots=off -r -l inf -np -nH \
> >>      https://repository.apache.org/content/repositories/orgapacheaccumulo-1052/
> >>      # note the trailing slash is needed
> >>
> >
>
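
The two checks discussed in this thread (the signer's fingerprint against the value in the vote e-mail, and whether that key carries an expiration date), as an added example that is not part of any message here. It parses GnuPG's machine-readable output; the sample status and key-listing text is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a release signature came from the
# expected key and report whether that key has an expiration date.
EXPECTED_FPR=86EDB9C33B8517228E88A8F93E48C0C6EF362B9E  # from the vote e-mail

# Constructed sample of `gpg --status-fd 1 --verify <artifact>.asc <artifact>`
# output; timestamps, algorithm ids and the user id are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3E48C0C6EF362B9E Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 86EDB9C33B8517228E88A8F93E48C0C6EF362B9E 2016-06-17 1466200000 0 4 0 1 8 00 86EDB9C33B8517228E88A8F93E48C0C6EF362B9E'

# Constructed sample of `gpg --with-colons --fingerprint` output for two keys:
# the first primary key has an empty field 7 (no expiration), the second expires.
SAMPLE_KEYS='pub:-:4096:1:3E48C0C6EF362B9E:1400000000:::-:::scESC:
fpr:::::::::86EDB9C33B8517228E88A8F93E48C0C6EF362B9E:
sub:-:4096:1:1111111111111111:1400000000:1500000000:::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:-:4096:1:2222222222222222:1400000000:1600000000::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:'

# Print the primary-key fingerprint of the signer, but only when the status
# output on stdin has both GOODSIG and VALIDSIG (field 12, else field 3).
signer_fpr() {
    awk '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = ($12 != "" ? $12 : $3) }
        END { if (good && fpr != "") print fpr }'
}

# Print the expiration (epoch seconds) of primary key $1 from a colon-format
# listing on stdin, or "never" when the field is empty. Subkeys are ignored.
key_expiry() {
    awk -F: -v want="$1" '
        $1 == "pub" { expires = $7; primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary && $10 == want { print (expires == "" ? "never" : expires); exit }'
}

# $1 = status output, $2 = key listing. Returns 0 only if the signer matches.
check_release() {
    got=$(printf '%s\n' "$1" | signer_fpr)
    [ "$got" = "$EXPECTED_FPR" ] || { echo "signer mismatch: ${got:-none}"; return 1; }
    echo "signer ok, key expires: $(printf '%s\n' "$2" | key_expiry "$got")"
}

check_release "$SAMPLE_STATUS" "$SAMPLE_KEYS"
```

A matching fingerprint shows which key signed the artifact; as the reply at the top of this message notes, it does not prove the owner still has exclusive control of the private key.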
