bigtop-dev mailing list archives

From "Henk P. Penning" <penn...@uu.nl>
Subject Re: Fwd: Re: An ASF yum repository?
Date Sat, 25 Feb 2012 00:44:22 GMT
On Fri, 24 Feb 2012, Bruno Mahé wrote:

> Date: Fri, 24 Feb 2012 22:43:15 +0100
> From: Bruno Mahé <bmahe@apache.org>
> To: bigtop-dev@incubator.apache.org
> Cc: Steve Loughran <stevel@apache.org>, Henk P. Penning <penning@uu.nl>
> Subject: Re: Fwd: Re: An ASF yum repository?
> 
> Some questions for our dear mentors:
>
> * Given that we are targeting a release by end of March, is it ok to leave
> the current convenience artefacts as is but make sure everything will be
> signed from now on?
>
> * The previous convenience packages were not signed but the ones for the
> coming release will be. That means packages/repositories metadata will
> contain a signed checksum of the artefacts. Therefore signing files such
> as
> incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
> wouldn't achieve anything but make the checker script happy since no
> user or package management would know about such a signature required by
> the checker script. Signing any file to make the checker script happy is
> absolutely fine if it is used by Apache infra to ensure file integrity,
> but it has to be noted that no one but package management systems will look at
> these tarballs. The only thing looking at these signatures will be the
> checker script. So as part of the release process, is signing these
> tarballs for the checker script a requirement?

   Yes.

   1. Of course "keeping the checker script happy" isn't the real
      reason, but if that's your motivation : fine.

      The real reason is the rule :

        Every artifact distributed by the Apache Software Foundation
        should and every new one must be accompanied by one file
        containing an OpenPGP compatible ASCII armored detached
        signature and another file containing an MD5 checksum.

      which is motivated here : Why We Sign Releases :

        http://www.apache.org/dev/release-signing.html#motivation

      The checker just tries to verify that the rules are kept.

   2. The items with "missing sigs" mentioned in the checker page
      belong to some package repo you publish. It is clear that,
      according to the rules, these packages must be signed, or
      removed.

   Regards,

   HPP

> On 02/24/2012 09:59 AM, Steve Loughran wrote:
>>
>> Henk says that all the stuff in the repos should be signed, somehow...
>>
>> -------- Original Message --------
>> Subject: Re: An ASF yum repository?
>> Date: Fri, 24 Feb 2012 16:08:28 +0100
>> From: Henk P. Penning <penning@uu.nl>
>> To: Steve Loughran <stevel@apache.org>
>> CC: Graham Leggett <minfrin@sharp.fm>, Tony Stevenson
>> <pctony@apache.org>,        Apache Infrastructure
>> <infrastructure@apache.org>
>>
>> On Fri, 24 Feb 2012, Steve Loughran wrote:
>>
>>> Date: Fri, 24 Feb 2012 15:47:48 +0100
>>> From: Steve Loughran <stevel@apache.org>
>>> To: Graham Leggett <minfrin@sharp.fm>
>>> Cc: Tony Stevenson <pctony@apache.org>,
>>>     Apache Infrastructure <infrastructure@apache.org>
>>> Subject: Re: An ASF yum repository?
>>
>>   [ ... ]
>>
>>> Apache Bigtop sticks its artefacts out in the right layout -and
>>> mirrors these
>>> out to all the mirrors. Provided the directory trees get copied, it's
>>> just
>>> the signing problem left.
>>>
>>> http://www.apache.org/dist//incubator/bigtop/stable/repos/
>>
>> Hi,
>>
>>   bigtop is distributing unsigned stuff ; see
>>
>>     http://people.apache.org/~henkp/checker/sig.html#user-rvs
>>
>>   for instance
>>
>>
>> incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
>>
>>
>>   Can you fix that ?
>>
>>   Regards,
>>
>>   Henk Penning
>>
>> ---------------------------------------------------------   _
>> Henk P. Penning, ICT-beta              R Uithof WISK-412  _/ \_
>> Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
>> Budapestlaan 6, 3584CD Utrecht, NL     F +31 30 253 4553 \_/ \_/
>> http://people.cs.uu.nl/henkp/          M penning@uu.nl     \_/
>
>

---------------------------------------------------------   _
Henk P. Penning, ICT-beta              R Uithof WISK-412  _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Budapestlaan 6, 3584CD Utrecht, NL     F +31 30 253 4553 \_/ \_/
http://people.cs.uu.nl/henkp/          M penning@uu.nl     \_/
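
The rule quoted in the reply above (each artifact accompanied by a detached ASCII armored signature file and an MD5 checksum file) can be checked mechanically over a repository tree. The sketch below is an added example, not part of the original message and not the checker script it refers to; the `.asc` and `.md5` suffixes, the function names and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

SIG, MD5 = ".asc", ".md5"  # assumed suffixes of the two companion files
ARMOR = "-----BEGIN PGP SIGNATURE-----"  # armor header of a detached signature

def check_artifact(path):
    """Return rule violations for one artifact (empty list = compliant)."""
    # Presence and format only: the signature is not cryptographically verified.
    problems = []
    if not os.path.isfile(path + SIG):
        problems.append("missing sig")
    else:
        with open(path + SIG, errors="replace") as f:
            if ARMOR not in f.read():
                problems.append("sig not ASCII armored")
    if not os.path.isfile(path + MD5):
        problems.append("missing md5")
    else:
        with open(path, "rb") as f:
            actual = hashlib.md5(f.read()).hexdigest()
        with open(path + MD5, errors="replace") as f:
            stated = f.read().lower().split()  # accepts "hash" or "hash  name"
        if actual not in stated:
            problems.append("md5 mismatch")
    return problems

def check_tree(root):
    """Map relative artifact path -> violations; companion files are skipped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            problems = [] if name.endswith((SIG, MD5)) else check_artifact(full)
            if problems:
                report[os.path.relpath(full, root)] = problems
    return report

def demo():
    """Constructed tree: good.tar.gz is compliant, bad.tar.gz has no companions."""
    root = tempfile.mkdtemp()
    files = {"good.tar.gz": "payload", "bad.tar.gz": "payload",
             "good.tar.gz.asc": ARMOR + "\n(constructed, not a real signature)\n",
             "good.tar.gz.md5": hashlib.md5(b"payload").hexdigest() + "\n"}
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
    return check_tree(root)
```

Every file in the tree that is not itself a companion file counts as an artifact here, which is why a source tarball inside a package pool is reported even though the package manager never looks at its signature.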