ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Denis Magda <dma...@apache.org>
Subject Re: [VOTE] Apache Ignite 2.1.0 RC3
Date Mon, 24 Jul 2017 18:12:35 GMT
Cos,

I’ll highly appreciate if you double-check that RC4 is clean and no longer have any issues
revealed by you:
http://apache-ignite-developers.2346864.n4.nabble.com/VOTE-Apache-Ignite-2-1-0-RC4-td19969.html
<http://apache-ignite-developers.2346864.n4.nabble.com/VOTE-Apache-Ignite-2-1-0-RC4-td19969.html>

—
Denis

> On Jul 24, 2017, at 11:04 AM, Konstantin Boudnik <cos@apache.org> wrote:
> 
> Got it. Thank you for the understanding and readiness to deal with the
> finding - that might not look like a big issues for us, but could
> alert some of the users. I will be happy to jump on another
> verification cycle as soon as it is available. Please let me know if I
> can help with anything.
> 
> With best regards,
>  Cos
> --
>  With regards,
> Konstantin (Cos) Boudnik
> 2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622
> 
> Disclaimer: Opinions expressed in this email are those of the author,
> and do not necessarily represent the views of any company the author
> might be affiliated with at the moment of writing.
> 
> 
> On Mon, Jul 24, 2017 at 10:46 AM, Denis Magda <dmagda@apache.org> wrote:
>> Hi Cos,
>> 
>>> Which tells me that the private key is simply shared by a number of the
>>> committers. And there's no guarantee that it hasn't been leaked outside of
>>> the group. And that's pretty serious security flaw, actually.
>> 
>> That’s not the case. Sam signed and did final technical steps preparing the RC3.
I took care of other formalities.
>> 
>> Personally, did expect this to be an issue. Agree, let’s fix the process making
sure the release manager signs bundles all the times.
>> 
>>> - why every other RC Vote is started by a different person?
>> 
>> 
>> Summer time, vacations, day offs…
>> 
>> —
>> Denis
>> 
>>> On Jul 22, 2017, at 1:26 PM, Konstantin Boudnik <cos@apache.org> wrote:
>>> 
>>> Retracting this, found the KEYS (douh...). Still
>>> 
>>> -1 (binding). The release isn't signed by the release manager. Someone else
>>> key is used.
>>> 
>>> - Checked the sha1
>>> - Successfully ran the build
>>> - Checked the signature
>>> - The archive is signed by the key 593A743B belonging to sboikov@apache.org.
>>> However, none of the 2.1.0 RC [VOTE] attempts were started by this person.
>>> Which tells me that the private key is simply shared by a number of the
>>> committers. And there's no guarantee that it hasn't been leaked outside of
>>> the group. And that's pretty serious security flaw, actually.
>>> 
>>> Why the release managers aren't using their own keys? It is easy to generate
>>> and sign the keys following guidelines [1]. Committers' keys are easy to
>>> validate against the Apache repository [2]
>>> 
>>> Things that need to be improved in the next release:
>>> - neither sha1 nor md5 are trustful checksum'ing methods and aren't
>>> guaranteeing the authenticity of the source archive. We should be switching
>>> to at least sha265 or higher. This has been brought up since the incubation.
>>> And warrants for -1 in the next release.
>>> - why every other RC Vote is started by a different person?
>>> 
>>> With regards,
>>> Cos
>>> 
>>> [1] https://people.apache.org/keys/committer/
>>> [2] https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
>>> 
>>> On Sat, Jul 22, 2017 at 01:00PM, Konstantin Boudnik wrote:
>>>> Am I missing the location of the signing keys? I cannot verivy the signature
>>>> of the archive.
>>>> 
>>>> -1 (binding) until then.
>>>> 
>>>> Thanks
>>>> Cos
>>>> 
>>>> On Thu, Jul 20, 2017 at 03:34PM, Denis Magda wrote:
>>>>> Igniters,
>>>>> 
>>>>> Setting off the vote one more time. Hope I’ll be successful this time,
keeping fingers crossed :)
>>>>> 
>>>>> We have uploaded a 2.1.0 release candidate to
>>>>> https://dist.apache.org/repos/dist/dev/ignite/2.1.0-rc3/
>>>>> 
>>>>> Git tag name is
>>>>> 2.1.0-rc3
>>>>> 
>>>>> This release includes the following changes:
>>>>> 
>>>>> Ignite:
>>>>> * Persistent cache store
>>>>> * Added IgniteFuture.listenAsync() and IgniteFuture.chainAsync() mehtods
>>>>> * Deprecated IgniteConfiguration.marshaller
>>>>> * Updated Lucene dependency to version 5.5.2
>>>>> * Machine learning: implemented K-means clusterization algorithm optimized
>>>>> for distributed storages
>>>>> * SQL: CREATE TABLE and DROP TABLE commands support
>>>>> * SQL: New thin JDBC driver
>>>>> * SQL: Improved performance of certain queries, when affinity node can
be
>>>>> calculated in advance
>>>>> * SQL: Fixed return type of AVG() function
>>>>> * SQL: BLOB type support added to thick JDBC driver
>>>>> * SQL: Improved LocalDate, LocalTime and LocalDateTime support for Java
8
>>>>> * SQL: Added FieldsQueryCursor interface to get fields metadata for
>>>>> SqlFieldsQuery
>>>>> * ODBC: Implemented DML statement batching
>>>>> * Massive performance and stability improvements
>>>>> 
>>>>> Ignite.NET:
>>>>> * Automatic remote assembly loading
>>>>> * NuGet-based standalone node deployment
>>>>> * Added conditional data removeal via LINQ DeleteAll
>>>>> * Added TimestampAttribute to control DateTime serialization mode
>>>>> * Added local collections joins support to LINQ.
>>>>> 
>>>>> Ignite CPP:
>>>>> * Added Compute::Call and Compute::Broadcast methods
>>>>> 
>>>>> Web Console:
>>>>> * Implemented support for UNIQUE indexes for key fields on import model
>>>>> from RDBMS
>>>>> * Added option to show full stack trace on Queries screen
>>>>> * Added PK alias generation on Models screen.
>>>>> 
>>>>> Complete list of closed issues:
>>>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20IGNITE%20AND%
>>>>> 20fixVersion%20%3D%202.1%20AND%20(status%20%3D%20closed%20or%20status%20%3D%
>>>>> 20resolved)
>>>>> 
>>>>> DEVNOTES
>>>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=DEVNOTES.txt;hb=refs/tags/2.1.0-rc3
>>>>> 
>>>>> RELEASE NOTES
>>>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=RELEASE_NOTES.txt;hb=refs/tags/2.1.0-rc3
>>>>> 
>>>>> Please start voting.
>>>>> 
>>>>> +1 - to accept Apache Ignite 2.1.0-rc3
>>>>> 0 - don't care either way
>>>>> -1 - DO NOT accept Apache Ignite 2.1.0-rc3 (explain why)
>>>>> 
>>>>> This vote will go for 72 hours.
>>>>> 
>>>>> —
>>>>> Denis
>>>>> 
>>> 
>>> 
>> 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message