mxnet-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ly Nguyen <nguyen...@gmail.com>
Subject Re: July 2017 Release
Date Fri, 14 Jul 2017 18:53:43 GMT
That's right. i agree. I will be including the SHA hashes.

On Fri, Jul 14, 2017 at 1:17 AM, Henri Yandell <henri@yandell.org> wrote:

> The release manager should upload their PGP key to public servers; however
> it doesn't need to be in the web of trust.
>
> +1 on SHAs being created; that shouldn't be difficult.
>
> (The SHAs give confidence that the mirrors are providing the right content;
> the PGP gives confidence that Apaches content hasn't been sneakily changed;
> the web of trust gives confidence that the release manager is trustworthy).
>
> The vote/review can start when an RC has been produced.
>
>
> On Thu, Jul 13, 2017 at 9:47 AM, Markus Weimer <markus@weimo.de> wrote:
>
> > Hi,
> >
> > thanks for sharing the plans! Is there a specific reason to skip the
> > SHA hashes? Much of the integrity of Apache releases stems from having
> > those SHAs in as many inboxes as possible, after all.
> >
> > Thanks,
> >
> > Markus
> >
> > On Tue, Jul 11, 2017 at 4:07 PM, Ly Nguyen <nguyenlyx@gmail.com> wrote:
> > > @mentors, we would like to hold a RC vote and release on Monday July
> > 17th.
> > >
> > >    - Are there any blockers (i.e., licenses)?
> > >    - Can you validate the proposal below?
> > >
> > >
> > > *PROPOSAL FOR JULY RELASE (version?):*
> > > *Start voting THIS week. Release on Monday July 17th.*
> > >
> > >    1. Create signing keys
> > >       1. SKIP web of trust linking and upload to public keyserver this
> > time
> > >    2. Create RC in
> > >    https://dist.apache.org/repos/dist/dev/incubator/podlingName
> > >       1. Currently missing a DISCLAIMER file - do we need that?
> > >       2. SKIP creating SHA checksum this time
> > >    3. Start a vote on dev@ list
> > >    4. svn mv RC to the release location
> > >
> > >
> > >
> > >
> > > *NOTES FROM DOCS FOR REFERENCE:*
> > > http://incubator.apache.org/guides/releasemanagement.html
> > >
> > >    - 3 +1 votes from IPMC members (these are the votes that count but
> we
> > >    should open up to the whole podling community)
> > >    - For podlings, 2 additional constraints:
> > >       - Release artifacts must include “incubating” in final file name
> > (ex:
> > >       apache-mxnet-src-0.10.1-incubating.tar.gz)
> > >       - Release artifacts must include disclaimer in the release
> > artifacts
> > >
> > >
> > >    - The Incubator PMC expects the source releases to be staged on
> > >    https://dist.apache.org/repos/dist/dev/incubator/podlingName so
> that
> > >    they can easily be moved to the release location via svn mv   (
> > >    http://www.apache.org/dist/incubator/)
> > >    - After graduating, RC’s go into https://dist.apache.org/repos/
> > dist/dev/
> > >    and official releases go into https://dist.apache.org/repos/
> > dist/release/
> > >
> > >
> > > http://incubator.apache.org/guides/branding.html#disclaimers
> > >
> > >    - Apache Press Team [http://www.apache.org/press/
> index.html#whoweare]
> > >    must review and coordinate releases for branding
> > >    - On website and in release DISCLAIMER file:
> > >    - Apache Podling-Name is an effort undergoing incubation at The
> Apache
> > >       Software Foundation (ASF), sponsored by the name of Apache TLP
> > sponsor.
> > >       Incubation is required of all newly accepted projects until a
> > further
> > >       review indicates that the infrastructure, communications, and
> > decision
> > >       making process have stabilized in a manner consistent with other
> > > successful
> > >       ASF projects. While incubation status is not necessarily a
> > reflection of
> > >       the completeness or stability of the code, it does indicate that
> > the
> > >       project has yet to be fully endorsed by the ASF.
> > >       - Website should include Apache Incubator logo:
> > >       http://incubator.apache.org/guides/press-kit.html
> > >
> > >
> > >    - Release should include:
> > >       - DISCLAIMER
> > >       - LICENSE
> > >       - NOTICE - attribution notices
> > >
> > >
> > > http://www.apache.org/legal/release-policy.html
> > >
> > >    - A release must contain source package which is cryptographically
> > >    signed by Release Manager with detached signature. It must be tested
> > prior
> > >    to voting for release.
> > >    - Release must only contain appropriately licensed code
> > >    - Please ensure you wait >=24 hours after uploading a release before
> > >    making announcements so mirrors catch up
> > >    - Releases of more than 1GB of artifacts require a heads-up to
> > >    Infrastructure in advance.
> > >    - Which directory for what build?
> > >    http://www.apache.org/legal/release-policy.html#build-directories
> > >
> > >
> > > http://www.apache.org/dev/release-distribution.html
> > >
> > >    - Artifacts MUST be accompanied by:
> > >       - apache-mxnet-src-0.10.1-incubating.asc - contains OpenPGP
> > >       compatible ASCII armored detached signature
> > >       - apache-mxnet-src-0.10.1-incubating.md5 - MD5 checksum
> > >       - apache-mxnet-src-0.10.1-incubating.sha - SHA checksum (SHOULD)
> > >    - Publish KEYS file in distribution directory root
> > >       - Signing keys MUST be published in KEYS file, SHOULD be
> available
> > in
> > >       global public keyserver
> > >       http://www.apache.org/dev/release-signing#keyserver, SHOULD be
> > linked
> > >       into web of trust
> > >       - Keys MUST be RSA & 4096 bits
> > >
> > >
> > > http://www.apache.org/dev/release-publishing.html
> > >
> > >    - Apache RAT can assist in checking license compliance
> > >    http://creadur.apache.org/rat/
> > >    - Eventually we should set up a build system to sign our releases
> with
> > >    cryptographic signatures. For now we’ll do it manually.
> > >
> > >
> > > http://www.apache.org/dev/release-signing.html
> > >
> > >    - Create a signature and sign releases as mentioned above
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message