impala-dev mailing list archives

From Tim Armstrong <tarmstr...@cloudera.com>
Subject Re: [VOTE] 2.10.0 release candidate 1 (RC1)
Date Tue, 29 Aug 2017 00:51:40 GMT
Matt Mulder just found a fairly nasty bug in RC1:
https://issues.apache.org/jira/browse/IMPALA-5855 . It seems like we should
probably generate a new RC once that is fixed.

On Mon, Aug 28, 2017 at 11:46 AM, Bharath Vissapragada <bharathv@cloudera.com> wrote:

> Thanks Todd for the quick help. I read more about it and I found this link
> [1] interesting. So, looks like we need to grow our "web of trust" and one
> way I think is to trust the keys of RMs in the KEYS file, especially given
> they have write permission to the directory and could update that file. As
> per the link I mentioned, this doesn't look like a standard Apache
> practice, but I don't see any other way (please correct me if I'm wrong).
>
> [1] https://mirror-vm.apache.org/~henkp/trust/
>
> On Mon, Aug 28, 2017 at 11:14 AM, Todd Lipcon <todd@apache.org> wrote:
>
> > Hey Bharath,
> >
> > Take a look at https://www.apache.org/dev/release-signing.html#web-of-trust
> > -- it has some info on the GPG "web of trust". Basically, you need
> > to either directly trust Jim's key 6850196C, or you need to trust someone
> > who trusts him, etc. If you haven't yourself signed or trusted anyone's
> > keys, then no one's signature will be considered trusted for you.
> >
> > Typically projects also publish a KEYS file in their distribution
> > directory which would be able to verify that the signing key at least
> > matches the one that was uploaded via ASF infrastructure.
> >
> > -Todd
> >
> > On Mon, Aug 28, 2017 at 11:09 AM, Bharath Vissapragada <bharathv@cloudera.com> wrote:
> >
> >> + mentors
> >>
> >> Thanks for testing the release Matt. I ran into the same issue while
> >> testing it myself. So I double checked older releases 2.9.0 and 2.8.0 and I
> >> saw the same behavior.
> >>
> >> gpg --verify apache-impala-incubating-2.9.0.tar.gz.asc apache-impala-incubating-2.9.0.tar.gz
> >> gpg: Signature made Fri 02 Jun 2017 12:25:45 PM PDT using RSA key ID 9522D0F3
> >> gpg: Good signature from "Taras Bobrovytsky (CODE SIGNING KEY) <tarasbob@apache.org>"
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg:          There is no indication that the signature belongs to the owner.
> >> Primary key fingerprint: 8B3E 3FC6 7005 4F52 2421  EEA9 8F3F 86FA 9522 D0F3
> >>
> >> gpg --verify apache-impala-incubating-2.8.0.tar.gz.asc apache-impala-incubating-2.8.0.tar.gz
> >> gpg: Signature made Sat 07 Jan 2017 10:50:22 AM PST using RSA key ID 6850196C
> >> gpg: Good signature from "Jim Apple (CODE SIGNING KEY) <jbapple@apache.org>"
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg:          There is no indication that the signature belongs to the owner.
> >> Primary key fingerprint: 11EA E1B3 F3D9 9D7F 897E  4601 91EE 4306 6850 196C
> >>
> >> I tried to dig into it and this looks like a pretty common problem [1].
> >> But, I'm not totally sure about the standard practices to make a key
> >> trusted. Does anyone else in the community know what the best
> >> practices around this are and how it works with other Apache projects?
> >>
> >> [1] https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
> >>
> >>
> >> On Mon, Aug 28, 2017 at 10:26 AM, Matthew Jacobs <mj@cloudera.com> wrote:
> >>
> >>> Bharath, is your key set up correctly?
> >>>
> >>> Running the script on
> >>> https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
> >>> resulted in this warning indicating that your signature is not
> >>> trusted:
> >>>
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg:          There is no indication that the signature belongs to the owner.
> >>>
> >>> Maybe someone who has RM'd before can comment on this.
> >>>
> >>>
> >>> ...
> >>> gpg: key 6850196C: public key "Jim Apple (CODE SIGNING KEY) <jbapple@apache.org>" imported
> >>> gpg: key 9522D0F3: public key "Taras Bobrovytsky (CODE SIGNING KEY) <tarasbob@apache.org>" imported
> >>> gpg: key 64DAB27C: public key "Bharath Vissapragada <bharathv@apache.org>" imported
> >>> gpg: Total number processed: 3
> >>> gpg:               imported: 3  (RSA: 3)
> >>> gpg: no ultimately trusted keys found
> >>> + echo 'If in an interactive shell, At the prompt, enter '\''5'\'' for '\''I trust ultimately'\'', then '\''y'\'' for '\''yes'\'', then '\''q'\'' for '\''quit'\'''
> >>> If in an interactive shell, At the prompt, enter '5' for 'I trust ultimately', then 'y' for 'yes', then 'q' for 'quit'
> >>> + [[ ehuxB == *i* ]]
> >>> + echo 'Download the release artifacts:'
> >>> Download the release artifacts:
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.asc
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.md5
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.sha512
> >>> + echo 'Check the checksums:'
> >>> Check the checksums:
> >>> + md5sum --check apache-impala-incubating-2.10.0.tar.gz.md5
> >>> apache-impala-incubating-2.10.0.tar.gz: OK
> >>> + sha512sum --check apache-impala-incubating-2.10.0.tar.gz.sha512
> >>> apache-impala-incubating-2.10.0.tar.gz: OK
> >>> + echo 'Check the signature:'
> >>> Check the signature:
> >>> + gpg --verify apache-impala-incubating-2.10.0.tar.gz.asc apache-impala-incubating-2.10.0.tar.gz
> >>> gpg: Signature made Sun 27 Aug 2017 06:48:18 PM PDT using RSA key ID 64DAB27C
> >>> gpg: Good signature from "Bharath Vissapragada <bharathv@apache.org>"
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg:          There is no indication that the signature belongs to the owner.
> >>>
> >>> On Sun, Aug 27, 2017 at 10:32 PM, Bharath Vissapragada
> >>> <bharathv@cloudera.com> wrote:
> >>> > This is a vote to release Impala 2.10.0.
> >>> >
> >>> > - The artefacts for testing can be downloaded from
> >>> > <https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/>.
> >>> >
> >>> > - The git tag for this release candidate is 2.10.0-rc1 and tree hash is
> >>> > visible at
> >>> > <https://git-wip-us.apache.org/repos/asf?p=incubator-impala.git;a=tree;hb=2a7c8b9011905bfeb21b0610f0739f9df9daacef>
> >>> >
> >>> > Please vote +1 or -1. -1 votes should be accompanied by an explanation of
> >>> > the reason. Only PPMC members and mentors have binding votes, but other
> >>> > community members are encouraged to cast non-binding votes. This vote will
> >>> > pass if there are 3 binding +1 votes and more binding +1 votes than -1
> >>> > votes.
> >>> >
> >>> > This wiki page describes how to check the release before you vote:
> >>> > <https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate>
> >>> >
> >>> > The vote will be open until the end of Wednesday, August 30, Pacific time
> >>> > zone (UTC-08:00).
> >>> > Once the vote passes the Impala PPMC vote, it still must pass the incubator
> >>> > PMC vote before a release is made.
> >>>
> >>
> >>
> >
> >
> > --
> > Todd Lipcon
> > Software Engineer, Cloudera
> >
>
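
The thread separates two questions: whether the signature is valid ("Good signature") and whether the key belongs to the release manager (the trust warning). As an added example, not part of the thread and not the Impala project's release-check script, this shell function reads `gpg --status-fd` output and accepts a release only when the signature is valid and its primary key fingerprint equals one pinned from the KEYS file. The status lines are constructed samples, the `verdict` name is hypothetical, and the pinned value is the 2.9.0 fingerprint printed in the thread.

```shell
#!/bin/sh
# Added example: not from the thread and not the Impala release-check script.
# verdict PINNED_FPR  (status lines on stdin), where the lines come from
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# PINNED_FPR is a fingerprint taken from the project's KEYS file, without spaces.
# Prints one verdict line; returns 0 only when the signature is accepted.
verdict() {
  pinned=$1 good=0 fpr='' trust=none
  while read -r tag kw rest; do
    [ "$tag" = "[GNUPG:]" ] || continue
    case $kw in
      BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
        echo "reject: $kw"; return 1 ;;
      GOODSIG)  good=1 ;;
      VALIDSIG) fpr=${rest##* } ;;      # last field is the primary key fingerprint
      TRUST_*)  trust=${kw#TRUST_} ;;   # reported, but not what the decision rests on
    esac
  done
  if [ "$good" != 1 ] || [ -z "$fpr" ]; then
    echo "reject: no valid signature"; return 1
  fi
  if [ "$fpr" != "$pinned" ]; then
    echo "reject: signed by unpinned key $fpr"; return 1
  fi
  echo "accept: trust=$trust"
}

# Fingerprint printed for the 2.9.0 signing key in the thread, spaces removed.
PINNED=8B3E3FC670054F522421EEA98F3F86FA9522D0F3

# Constructed status lines. First: the thread's case, valid signature, no trust path.
SAMPLE_UNTRUSTED="[GNUPG:] GOODSIG 8F3F86FA9522D0F3 Taras Bobrovytsky (CODE SIGNING KEY) <tarasbob@apache.org>
[GNUPG:] VALIDSIG $PINNED 2017-06-02 1496431545 0 4 0 1 8 00 $PINNED
[GNUPG:] TRUST_UNDEFINED"
# Second: an equally "good" signature made by a key that is not the pinned one.
OTHER=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Taras Bobrovytsky (CODE SIGNING KEY) <tarasbob@apache.org>
[GNUPG:] VALIDSIG $OTHER 2017-06-02 1496431545 0 4 0 1 8 00 $OTHER
[GNUPG:] TRUST_UNDEFINED"
# Third: the file does not match the signature.
SAMPLE_BAD="[GNUPG:] BADSIG 8F3F86FA9522D0F3 Taras Bobrovytsky (CODE SIGNING KEY) <tarasbob@apache.org>"

for s in "$SAMPLE_UNTRUSTED" "$SAMPLE_OTHER_KEY" "$SAMPLE_BAD"; do
  printf '%s\n' "$s" | verdict "$PINNED" || true
done
```

The pinned fingerprint is only as trustworthy as the channel the KEYS file was fetched over, so take it from the project's distribution directory over HTTPS rather than from the same mirror as the tarball.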
