Subject: Re: [VOTE] Release Apache Beam, version 0.1.0-incubating
To: general@incubator.apache.org
From: Jean-Baptiste Onofré
Date: Mon, 13 Jun 2016 21:17:12 +0200
Message-ID: <575F06B8.70507@nanthrax.net>

Hi Marvin,

thanks for the feedback.

I will push the KEYS on dist.a.o.

Regards
JB

On 06/13/2016 09:08 PM, Marvin Humphrey wrote:
> On Mon, Jun 13, 2016 at 11:37 AM, Julian Hyde wrote:
>
>> 2. It’s customary (required?) for there to be a KEYS file in
>> https://dist.apache.org/repos/dist/dev/incubator/beam/. Maybe include it
>> next release?
>
> The KEYS file is required, by Release Distribution Policy.
>
> http://www.apache.org/dev/release-distribution#sigs-and-sums
>
> Projects MUST publish a "KEYS" file in their distribution directory which
> contains all public keys used to sign artifacts.
>
> Signing keys used at Apache MUST be published in the KEYS file and SHOULD be
> made available through the global public keyserver network. [...]
>
> Since the KEYS file is not part of the artifacts being voted on, there's no
> reason to wait to resolve this issue by committing the keys file to the
> following location:
>
> https://dist.apache.org/repos/dist/release/incubator/beam/KEYS
>
>> But I imported
>> https://github.com/apache/incubator-beam/blob/v0.1.0-incubating-RC3/KEYS
>>
>> easily enough.
>
> Bundling PGP keys inside a package is worse than worthless -- an attacker can
> just bundle spoofed keys with a bogus distro! Keys need to be made available
> from a highly reliable, separate server: Download the main package from a
> mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
>
> The KEYS file within the Beam source tree should be deleted.
>
> (This doesn't block the release.)
>
> Marvin Humphrey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>

--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
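
The point in the quoted reply about bundled keys, modelled as an added example that is not part of the thread or of any Apache tooling: a verifier that takes its keys from the package under test accepts anything, while one that takes them from a separate server does not. Assumptions: a toy textbook-RSA signature stands in for PGP, and all keys, payloads and function names are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent used by both toy keys (assumption of this sketch)

def make_key(p, q):
    """Return (public modulus n, private exponent d) for textbook RSA."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """SHA-256 of the payload, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, trusted_keys):
    """True if sig checks out under any public modulus in trusted_keys."""
    return any(pow(sig, E, n) == digest(data, n) for n in trusted_keys)

def build_package(payload, n, d):
    """What a mirror serves: payload, detached signature, bundled KEYS."""
    return {"payload": payload, "sig": sign(payload, n, d), "bundled_keys": [n]}

def verify_bundled(pkg):
    # Flawed: the trust anchor comes from the very package being checked.
    return verify(pkg["payload"], pkg["sig"], pkg["bundled_keys"])

def verify_separate(pkg, keys_from_project_server):
    # Sound: the trust anchor was obtained from a separate, reliable server.
    return verify(pkg["payload"], pkg["sig"], keys_from_project_server)

# Constructed toy keys built from Mersenne primes (far too weak for real use).
PROJECT_N, PROJECT_D = make_key(2**89 - 1, 2**107 - 1)
OTHER_N, OTHER_D = make_key(2**61 - 1, 2**127 - 1)
PROJECT_KEYS = [PROJECT_N]  # stands in for KEYS fetched from the project server

# Constructed packages: one signed by the project, one by an unrelated key.
genuine = build_package(b"release tarball bytes (constructed)", PROJECT_N, PROJECT_D)
bogus = build_package(b"altered tarball bytes (constructed)", OTHER_N, OTHER_D)

if __name__ == "__main__":
    for name, pkg in (("genuine", genuine), ("bogus", bogus)):
        print(name, "bundled keys:", verify_bundled(pkg),
              "| separate KEYS:", verify_separate(pkg, PROJECT_KEYS))
```
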