incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henk P. Penning" <penn...@uu.nl>
Subject Re: [VOTE]: Apache HAWQ 2.3.0.0-incubating Release
Date Tue, 13 Mar 2018 17:34:59 GMT
On Tue, 13 Mar 2018, Alan Gates wrote:

> Date: Tue, 13 Mar 2018 18:04:08 +0100
> From: Alan Gates <alanfgates@gmail.com>
> To: general@incubator.apache.org
> Subject: Re: [VOTE]: Apache HAWQ 2.3.0.0-incubating Release
> 
> ‚ÄčI can't find a KEYS file anywhere in HAWQ to check the key
> against.  There is also no name associated with the key, so I'm not
> clear how to check the signature.

   Actually, you don't need a KEYS file to verify a .asc :

   % gpg apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
   gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
   gpg:                using RSA key CE60F90D1333092A
   gpg: Can't check signature: No public key

   No public key ; so, fetch it :

   % gpg --keyserver pgp.surfnet.nl --recv-key CE60F90D1333092A
   gpg: requesting key CE60F90D1333092A from hkp server pgp.surfnet.nl
   gpg: key CE60F90D1333092A: public key "Yi Jin <yjin@apache.org>" imported
   gpg: Total number processed: 1
   gpg:               imported: 1  (RSA: 1)

   ... and --verify :

   % gpg --verify apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
   gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
   gpg:                using RSA key CE60F90D1333092A
   gpg: Good signature from "Yi Jin <yjin@apache.org>"
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   Primary key fingerprint: 41B0 0770 75DF DAFC F809  9A91 CE60 F90D 1333 092A

   % gpg --verify apache-hawq-rpm-2.3.0.0-incubating-rc2.tar.gz.asc
   gpg: Signature made Tue 27 Feb 2018 04:38:53 AM CET
   gpg:                using RSA key CE60F90D1333092A
   gpg: Good signature from "Yi Jin <yjin@apache.org>"
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   Primary key fingerprint: 41B0 0770 75DF DAFC F809  9A91 CE60 F90D 1333 092A

   Note :
   - Always use long (16-hex) key-id's, because short (8-hex)
     key-id's often point (also) to fake keys.
     In your $HOME/.gnupg/gpg.conf configure : keyid-format long
   - To check that CE60F90D1333092A is authorised to sign the artifacts,
     is another matter.

   IMHO, KEYS files serve no purpose.

   Regards,

   Henk Penning

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/

> On Mon, Mar 12, 2018 at 7:56 PM, Roman Shaposhnik <roman@shaposhnik.org>
> wrote:
>
>> +1 (binding)
>>
>> * checked sigs and checksums
>> * checked licenses
>> * checked for archive matching git tag
>>
>> Thanks,
>> Roman.
>>
>>
>> On Mon, Mar 12, 2018 at 12:21 PM, Konstantin Boudnik <cos@apache.org>
>> wrote:
>>> +1 [biding]
>>>
>>> - signature check [ok]
>>> - checksum check [ok]
>>> - licenses check (RAT) [ok]
>>>
>>> I haven't tried to build it because of the complexity of the build
>>> process and multiplicity of the environment configurations. To lower
>>> the entry barrier, I would recommend the community to think how to
>>> wrap these steps into the build system. You can go as far as to
>>> provide an "official" toolchain for the project. In Bigtop, we even
>>> provide official Docker containers were people can start working with
>>> the project in under 2 minutes and without any need for additional
>>> error prone configuration steps.
>>> --
>>>   With regards,
>>> Konstantin (Cos) Boudnik
>>> 2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622
>>>
>>> Disclaimer: Opinions expressed in this email are those of the author,
>>> and do not necessarily represent the views of any company the author
>>> might be affiliated with at the moment of writing.
>>>
>>>
>>> On Tue, Mar 6, 2018 at 6:56 PM, Yi JIN <yjin@apache.org> wrote:
>>>> Hi IPMC members,
>>>>
>>>> The PPMC vote for the Apache HAWQ 2.3.0.0-incubating release has passed.
>>>> So I request IPMC now to vote on this release candidate. Thank you!
>>>>
>>>> The release page is here:
>>>> https://cwiki.apache.org/confluence/display/HAWQ/Apache+HAWQ+2.3.0.0-
>> incubating+Release
>>>>
>>>> The PPMC vote thread is located here:
>>>> https://lists.apache.org/thread.html/fa5b41cd7461bd729146e10d8f7a54
>> 156c818f93e5a1160c42e76c79@%3Cdev.hawq.apache.org%3E
>>>>
>>>> The artifacts can be downloaded here:
>>>> https://dist.apache.org/repos/dist/dev/incubator/hawq/2.3.0.
>> 0-incubating.RC2/
>>>> The artifacts have been signed with Key : CE60F90D1333092A
>>>>
>>>> All JIRAs completed for this release are tagged with 'FixVersion
>>>> =2.3.0.0-incubating'
>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?
>> version=12340262&styleName=Html&projectId=12318826
>>>>
>>>> Please vote accordingly:
>>>> [ ] +1, accept as the official Apache HAWQ 2.3.0.0-incubating release
>>>> [ ] -1, do not accept as the official Apache HAWQ 2.3.0.0-incubating
>> release
>>>> because...
>>>>
>>>> The vote will run for at least 72 hours.
>>>>
>>>> Best regards,
>>>> Yi Jin (yjin)
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>> For additional commands, e-mail: general-help@incubator.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>>
>

Mime
View raw message