ignite-dev mailing list archives

From Konstantin Boudnik <...@apache.org>
Subject Re: [VOTE] Apache Ignite 2.1.0 RC3
Date Mon, 24 Jul 2017 18:04:41 GMT
Got it. Thank you for the understanding and readiness to deal with the
finding - that might not look like a big issue for us, but could
alert some of the users. I will be happy to jump on another
verification cycle as soon as it is available. Please let me know if I
can help with anything.

With best regards,
  Cos
--
  With regards,
Konstantin (Cos) Boudnik
2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622

Disclaimer: Opinions expressed in this email are those of the author,
and do not necessarily represent the views of any company the author
might be affiliated with at the moment of writing.


On Mon, Jul 24, 2017 at 10:46 AM, Denis Magda <dmagda@apache.org> wrote:
> Hi Cos,
>
>>  Which tells me that the private key is simply shared by a number of the
>>  committers. And there's no guarantee that it hasn't been leaked outside of
>>  the group. And that's pretty serious security flaw, actually.
>
> That’s not the case. Sam signed and did final technical steps preparing the RC3. I took care of other formalities.
>
> Personally, did expect this to be an issue. Agree, let’s fix the process making sure the release manager signs bundles all the time.
>
>> - why every other RC Vote is started by a different person?
>
>
> Summer time, vacations, days off…
>
> —
> Denis
>
>> On Jul 22, 2017, at 1:26 PM, Konstantin Boudnik <cos@apache.org> wrote:
>>
>> Retracting this, found the KEYS (douh...). Still
>>
>> -1 (binding). The release isn't signed by the release manager. Someone else's
>> key is used.
>>
>> - Checked the sha1
>> - Successfully ran the build
>> - Checked the signature
>> - The archive is signed by the key 593A743B belonging to sboikov@apache.org.
>>  However, none of the 2.1.0 RC [VOTE] attempts were started by this person.
>>  Which tells me that the private key is simply shared by a number of the
>>  committers. And there's no guarantee that it hasn't been leaked outside of
>>  the group. And that's pretty serious security flaw, actually.
>>
>>  Why the release managers aren't using their own keys? It is easy to generate
>>  and sign the keys following guidelines [1]. Committers' keys are easy to
>>  validate against the Apache repository [2]
>>
>> Things that need to be improved in the next release:
>> - neither sha1 nor md5 are trustful checksum'ing methods and aren't
>>  guaranteeing the authenticity of the source archive. We should be switching
>>  to at least sha256 or higher. This has been brought up since the incubation.
>>  And warrants for -1 in the next release.
>> - why every other RC Vote is started by a different person?
>>
>> With regards,
>>  Cos
>>
>> [1] https://people.apache.org/keys/committer/
>> [2] https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
>>
>> On Sat, Jul 22, 2017 at 01:00PM, Konstantin Boudnik wrote:
>>> Am I missing the location of the signing keys? I cannot verify the signature
>>> of the archive.
>>>
>>> -1 (binding) until then.
>>>
>>> Thanks
>>>  Cos
>>>
>>> On Thu, Jul 20, 2017 at 03:34PM, Denis Magda wrote:
>>>> Igniters,
>>>>
>>>> Setting off the vote one more time. Hope I’ll be successful this time, keeping fingers crossed :)
>>>>
>>>> We have uploaded a 2.1.0 release candidate to
>>>> https://dist.apache.org/repos/dist/dev/ignite/2.1.0-rc3/
>>>>
>>>> Git tag name is
>>>> 2.1.0-rc3
>>>>
>>>> This release includes the following changes:
>>>>
>>>> Ignite:
>>>> * Persistent cache store
>>>> * Added IgniteFuture.listenAsync() and IgniteFuture.chainAsync() methods
>>>> * Deprecated IgniteConfiguration.marshaller
>>>> * Updated Lucene dependency to version 5.5.2
>>>> * Machine learning: implemented K-means clusterization algorithm optimized
>>>> for distributed storages
>>>> * SQL: CREATE TABLE and DROP TABLE commands support
>>>> * SQL: New thin JDBC driver
>>>> * SQL: Improved performance of certain queries, when affinity node can be
>>>> calculated in advance
>>>> * SQL: Fixed return type of AVG() function
>>>> * SQL: BLOB type support added to thick JDBC driver
>>>> * SQL: Improved LocalDate, LocalTime and LocalDateTime support for Java 8
>>>> * SQL: Added FieldsQueryCursor interface to get fields metadata for
>>>> SqlFieldsQuery
>>>> * ODBC: Implemented DML statement batching
>>>> * Massive performance and stability improvements
>>>>
>>>> Ignite.NET:
>>>> * Automatic remote assembly loading
>>>> * NuGet-based standalone node deployment
>>>> * Added conditional data removal via LINQ DeleteAll
>>>> * Added TimestampAttribute to control DateTime serialization mode
>>>> * Added local collections joins support to LINQ.
>>>>
>>>> Ignite CPP:
>>>> * Added Compute::Call and Compute::Broadcast methods
>>>>
>>>> Web Console:
>>>> * Implemented support for UNIQUE indexes for key fields on import model
>>>> from RDBMS
>>>> * Added option to show full stack trace on Queries screen
>>>> * Added PK alias generation on Models screen.
>>>>
>>>> Complete list of closed issues:
>>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20IGNITE%20AND%20fixVersion%20%3D%202.1%20AND%20(status%20%3D%20closed%20or%20status%20%3D%20resolved)
>>>>
>>>> DEVNOTES
>>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=DEVNOTES.txt;hb=refs/tags/2.1.0-rc3
>>>>
>>>> RELEASE NOTES
>>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=RELEASE_NOTES.txt;hb=refs/tags/2.1.0-rc3
>>>>
>>>> Please start voting.
>>>>
>>>> +1 - to accept Apache Ignite 2.1.0-rc3
>>>> 0 - don't care either way
>>>> -1 - DO NOT accept Apache Ignite 2.1.0-rc3 (explain why)
>>>>
>>>> This vote will go for 72 hours.
>>>>
>>>> —
>>>> Denis
>>>>
>>
>>
>
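
Added example, not part of the original thread: one way to script the signer check discussed above, by parsing the output of `gpg --status-fd 1 --verify` and comparing the signing key with the release manager's expected fingerprint. It goes slightly beyond the thread by also rejecting MD5 or SHA-1 signature digests; the function names, fingerprints and sample status text are constructed assumptions.

```bash
# Added example (not from the thread): check that a release signature was made
# by the expected release manager, using gpg's machine-readable status output:
#   gpg --status-fd 1 --verify <archive>.asc <archive> 2>/dev/null
# Fingerprints and the sample status text are constructed placeholders.

# Reads gpg status lines on stdin; prints "<primary-fpr> <hash-algo-id>".
# VALIDSIG fields: $3 signing-key fpr, $10 digest algorithm id,
# $12 primary-key fpr (optional, so fall back to $3).
# GOODSIG is absent for bad, expired-key or revoked-key signatures.
parse_sig_status() {
  awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
       $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3; hash = $10 }
       END { if (good && fpr != "") print fpr, hash; else exit 1 }'
}

# check_release_signer <expected-fingerprint>   (status text on stdin)
# 0 = signed by the expected key, 1 = signed by a different key,
# 2 = no good signature, 3 = signature digest is MD5 (1) or SHA-1 (2).
check_release_signer() {
  crs_expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  crs_result=$(parse_sig_status) || { echo "no good signature" >&2; return 2; }
  crs_fpr=${crs_result% *}
  crs_hash=${crs_result#* }
  if [ "$crs_fpr" != "$crs_expected" ]; then
    echo "signed by $crs_fpr, not by release manager $crs_expected" >&2
    return 1
  fi
  case "$crs_hash" in
    1|2) echo "weak signature digest (id $crs_hash)" >&2; return 3 ;;
  esac
  return 0
}

# Constructed sample: a good RSA signature with a SHA-512 digest (id 10).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Committer <committer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-07-20 1500564881 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

The expected fingerprint should come from a source independent of the download location, and may be passed with the spaces gpg prints between groups.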
