incubator-esme-dev mailing list archives

From Richard Hirsch <hirsch.d...@gmail.com>
Subject Re: [VOTE] Approve the release of apache-esme-incubating-1.0
Date Wed, 17 Feb 2010 15:22:01 GMT
Working on the problem with signing the release and I'm getting the same
problem that Bertrand describes. Maybe it is a difference between using SHA1
and SHA512...

I verified it and it looks OK:

C:\Program Files\GNU\GnuPG>gpg --verify apache-esme-1-0-0-incubating.src.tar.gz.asc apache-esme-1-0-0-incubating.src.tar.gz
gpg: Unterschrift vom 02/17/10 15:48:32 mittels RSA-Schlüssel ID 6FACF917
gpg: Korrekte Unterschrift von "Richard Hirsch (CODE SIGNING KEY) <rhirsch@apache.org>"

I signed the release with the following commands:

gpg --armor --output apache-esme-1-0-0-incubating.src.tar.gz.asc --detach-sig apache-esme-1-0-0-incubating.src.tar.gz
gpg --print-md SHA512 apache-esme-1-0-0-incubating.src.tar.gz > apache-esme-1-0-0-incubating.src.tar.gz.sha
gpg --print-md MD5 apache-esme-1-0-0-incubating.src.tar.gz > apache-esme-1-0-0-incubating.src.tar.gz.md5


What I don't know how to do is verify using MD5 or SHA. I found this
sentence in the "Signing Releases" Apache document: "MD5 and SHA checksums
provide a simple means of verifying the integrity of a download.
You can simply create a checksum (in the same way as the release manager)
after download, and compare the result to the checksum downloaded from the
main Apache site." but I have no idea how it is done.

The contents of the files are

* output apache-esme-1-0-0-incubating.src.tar.gz.asc:



* apache-esme-1-0-0-incubating.src.tar.gz.sha

apache-esme-1-0-0-incubating.src.tar.gz:
771A97EB 34FD26C1 D431E4EA D7D4FC4C 3971DB42 F50B0B66 C32D601F 70D450FB
06F73667 8E118141 5A83C40A 84C1ABDF 808551DC 10949049 1962C634 FFBFAE69

* apache-esme-1-0-0-incubating.src.tar.gz.md5

apache-esme-1-0-0-incubating.src.tar.gz:
8E 43 0D DF F8 FE 15 9B  22 47 C2 C0 CC 30 21 2C

I then used this command:

openssl sha1 apache-esme-1-0-0-incubating.src.tar.gz
SHA1(apache-esme-1-0-0-incubating.src.tar.gz)= e87405b0df026fde41c65c31c11b8026ca06687d

Does somebody have a clue if I'm doing something wrong...

Thanks.

D.

On Tue, Feb 16, 2010 at 5:28 PM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:

> Hi,
>
> On Mon, Feb 15, 2010 at 4:05 PM, Richard Hirsch <hirsch.dick@gmail.com> wrote:
> > ...The candidate can be found at:
> >  http://people.apache.org/~rhirsch/esme/
>
> Unfortunately I'm -1 on the release, I have a few issues including a
> GPL dependency.
>
> 1) jwebunit dependency is GPL
> The server module depends on
>
> net.sourceforge.jwebunit:jwebunit-htmlunit-plugin:jar:1.4.1:test
>
> which according to http://jwebunit.sourceforge.net/license.html is GPL.
>
> 2) The sha1 digest does not match, did I do something wrong?
>
> $ openssl sha1 apache-esme-incubating-1.0-src.tar.gz
> SHA1(apache-esme-incubating-1.0-src.tar.gz)=
> a9ec8d95266d5944d493392a06eb1651c03222f1
>
> $ cat apache-esme-incubating-1.0-src.tar.gz.sha
> apache-esme-incubating-1.0-src.tar.gz: A53494C8 55474CE3 5AC20516 C2448CB6
>                                       64B3B76C 747BA64A FFC9A836 EDAB8D86
>                                       4E0735CC AA29ACA9 07767C58 D1C0FEDA
>                                       CA7E73A3 ADA3944D 464314B2 4BE0E476
>
> 3) mvn dependency:analyze of the server module shows lots of unused
> declared dependencies, those should be cleaned up, especially
> openDMK:jdmkrt:jar which according to https://opendmk.dev.java.net/ is
> either GPL or CDDL license. Not sure which parts of OpenDMK are which
> license, but as it's unused better remove it.
>
> 4) When trying to build esme-java-client with "mvn clean install" I
> get "Embedded error: Error while executing the external compiler" if
> JAVA_HOME is not set.
>
> 5) apache-esme-incubating-1.0-src.tar.gz contains .svn folders, it
> should not have that. You could have created the release using svn
> export of
> http://svn.apache.org/repos/asf/incubator/esme/tags/apache-esme-1.0-incubating/
> to avoid that.
>
> 6) I couldn't find license information for the
> com.twitter:stats:jar:1.3:compile dependency, was that checked to be
> ok?
>
> Sorry that I didn't have time to look at that during the ESME podling vote.
>
> Apart from the GPL dependency the release preparation looks mostly ok,
> rat reports are good, license/notice are provided, etc.
>
> -Bertrand
>
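Added example, not part of the original thread: a checksum verifier that reads the `gpg --print-md` layout shown in the .sha and .md5 files above, infers the algorithm from the digest length, and hashes the artifact with that same algorithm. The function names and the constructed sample file are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_text(text):
    """Return (algorithm, lowercase hex digest) from checksum-file text.

    Handles the gpg --print-md layout ("name: AAAA BBBB ..." wrapped over
    several lines), openssl style ("SHA1(name)= hex") and a bare digest.
    """
    # The digest is whatever follows the last ':' or '='; drop all whitespace.
    body = re.split(r"[:=]", text)[-1]
    digest = re.sub(r"\s+", "", body).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("no hex digest found in checksum text")
    if len(digest) not in ALGO_BY_HEX_LEN:
        raise ValueError(f"unexpected digest length: {len(digest)} hex chars")
    return ALGO_BY_HEX_LEN[len(digest)], digest


def verify_file(path, checksum_text):
    """Hash `path` with the algorithm the checksum implies.

    Returns (algorithm, matched) so the caller sees which digest was compared.
    """
    algo, expected = parse_checksum_text(checksum_text)
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return algo, hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    # Constructed sample: a temp file plus a gpg-style SHA512 listing for it.
    data = b"constructed sample artifact\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    hexd = hashlib.sha512(data).hexdigest().upper()
    groups = [hexd[i:i + 8] for i in range(0, len(hexd), 8)]
    listing = "sample.tar.gz: " + " ".join(groups[:8]) + "\n" + " ".join(groups[8:])
    print(verify_file(tmp.name, listing))
    os.unlink(tmp.name)
```

The parser reports which algorithm a checksum file holds, so a 128-character SHA512 listing is never compared against the 40-character output of `openssl sha1`.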
