incubator-lucy-dev mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: [lucy-dev] 0.1.0 release prep
Date Fri, 06 May 2011 23:40:25 GMT
On Fri, May 06, 2011 at 12:50:33PM -0700, Chris Hostetter wrote:
> Since Lucy has not had any releases to date, and has never publicly 
> advertised the existence of http://www.apache.org/dist/incubator/lucy/KEYS 
> (which currently has no keys in it) it would probably be a good idea if 
> Lucy just jumped in and started using the new infra managed key system 
> that was recently rolled out.

FYI, I just initialized the "lucy" dist directory and that KEYS file yesterday
so that the instructions for the RM in the ReleaseGuide wiki page would make
sense.

We have no investment in preserving the KEYS file.  Unless someone here
objects within the next day or so, I'll go zap it (after giving a heads-up on
#asfinfra in case that causes alarm bells to ring).

> As I understand it, the detailed docs are still being written, but all 
> committers should have received an email about it within the past week.  

There's been a flurry of activity today on the subject on (I think) the infra
list.  It seems that the new setup may not yet have all the kinks worked out.

Fortunately, Chris Mattmann has made many Apache releases and is as
well-prepared as anyone could be to move forward amid the untidiness.

For now, I've added a note to the relevant section of ReleaseGuide indicating
that the situation is in flux.  I'll update the page for real when proper
documentation appears to replace
<http://www.apache.org/dev/release-signing.html#keys-policy>.

> Committers can add their key details to their account info...
> 
> 	https://id.apache.org/
> 
> ...and that should automatically get added to this generated keys file...
> 
> 	https://people.apache.org/keys/group/lucy.asc
> 
> ...which lives at a consistent URL that can be referenced on the website, 
> and in README for verifying release signatures.

Right now there's no info in our README file about verifying signatures.  I
checked the following pages to see if I'd missed such a requirement, but came
up empty:

    http://www.apache.org/dev/release.html
    http://www.apache.org/dev/release-publishing.html
    http://www.apache.org/dev/release-signing.html
    http://www.apache.org/dev/openpgp.html
    http://www.apache.org/dev/release-download-pages.html

It looks like our soon-to-be-created "Downloads" web page is where this info
normally goes:

    http://www.apache.org/dev/release-download-pages.html#remind-users

My preference would be to include verification instructions on our "Downloads"
page, and possibly in a detached README file within our dist directory (like
<http://apache.cs.utah.edu/lucene/java/README.html>) but not within the
top-level README in the source tarball.  I'm a little concerned that confusion
might arise when we reuse that README unaltered in downstream distribution
archives such as the CPAN tarball -- clearly the signatures won't match up
against those tarballs/gemfiles/etc.  

In any case, I don't think we should block the release process waiting to
update our top-level README until infra gets the keys situation sorted out.

Cheers,

Marvin Humphrey

