oodt-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Mattmann <mattm...@apache.org>
Subject Re: [VOTE] Apache OODT 1.1 Release Candidate #2
Date Mon, 24 Jul 2017 14:24:26 GMT
Hey Team,

Why should we maintain a separate KEYS file from the one I referenced at:

https://people.apache.org/keys/group/oodt.asc

That one is maintained automatically by collecting our GPG fingerprints from
id.apache.org? 

I can see for past releases, but how much do we think people are using anything
prior to OODT e.g., 0.7 or 0.8 and I would assert that between my key and Tom’s
key there haven’t been RM’s since then…

So, thoughts? It’s one less not automatically generated thing we have to manage…?

Cheers,
Chris



On 7/24/17, 5:10 AM, "Tom Barber" <tom.barber@meteorite.bi> wrote:

    Good catch Sean:
    
    bugg@tom-laptop2:~$ gpg  --verify apache-oodt-1.1-src.zip.asc
    gpg: assuming signed data in `apache-oodt-1.1-src.zip'
    gpg: Signature made Wed 19 Jul 2017 19:57:50 BST using RSA key ID 0C1E654B
    gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <
    mattmann@apache.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the
    owner.
    Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E 654B
    bugg@tom-laptop2:~$
    
    The key works, but I think the KEYS file needs to be updated in the SVN
    repo per: https://www.apache.org/dev/release-signing.html#keys-policy
    
    For now I'm gonna say -1 unless updating KEYS isn't required.
    
    Tom
    
    
    
    
    On Mon, Jul 24, 2017 at 5:22 AM, Chris Mattmann <mattmann@apache.org> wrote:
    
    > I updated it in id.apache.org, which autogenerates [1], which should be
    > the
    > canonical source for our KEYS file. Give it a check in ~1 hour or so
    > should be
    > all good.
    >
    > Cheers,
    > Chris
    >
    >
    >
    > [1] https://people.apache.org/keys/group/oodt.asc
    >
    >
    >
    > On 7/23/17, 5:33 PM, "Sean Kelly" <kelly@apache.org> wrote:
    >
    >     That did the trick.
    >
    >     I'll be +1 if you also update the KEYS file.
    >
    >     Transcript:
    >
    >     fatalii 298 % date -u
    >     Mon Jul 24 00:32:49 UTC 2017
    >     fatalii 299 % gpg --verify apache-oodt-1.1-src.zip.asc
    >     gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID
    > 0C1E654B
    >     gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016)
    >     <mattmann@apache.org>"
    >     gpg: WARNING: This key is not certified with a trusted signature!
    >     gpg:          There is no indication that the signature belongs to the
    >     owner.
    >     Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E
    > 654B
    >
    >
    >     --k
    >
    >
    >     Chris Mattmann wrote:
    >     > Hey Sean I think I have a new key on my Mac – can you check? I just
    > submitted the new
    >     > key to MIT keyserver, can you re-verify and see if that fixes it?
    >     >
    >     > Cheers,
    >     > Chris
    >     >
    >     >
    >     >
    >     >
    >     > On 7/23/17, 5:06 PM, "Sean Kelly"<kelly@apache.org>  wrote:
    >     >
    >     >      Hi folks:
    >     >
    >     >      I realize it's already 72 hours and we have the requisite 3 +1
    > votes,
    >     >      but I'm definitely in the -1 camp if this release was signed
    > with the
    >     >      wrong key.
    >     >
    >     >      I hope it's just user error on my end.
    >     >
    >     >      Take care
    >     >      --k
    >     >
    >     >      >  *From:* Sean Kelly<kelly@apache.org>
    >     >      >  *Date:* 2017-07-22 at 12.54 p
    >     >      >  *To:* dev@oodt.apache.org
    >     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
    >     >      >  Did anyone check the signature?
    >     >      >
    >     >      >  I'm getting an unknown RSA key 0C1E654B:
    >     >      >
    >     >      >  fatalii 278 % date -u
    >     >      >  Sat Jul 22 17:53:42 UTC 2017
    >     >      >  fatalii 279 % gpg --verify apache-oodt-1.1-src.zip.asc
    >     >      >  gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA
    > key ID 0C1E654B
    >     >      >  gpg: Can't check signature: No public key
    >     >      >
    >     >      >  --k
    >     >      >
    >     >      >  *From:* Chris Mattmann<mattmann@apache.org>
    >     >      >  *Date:* 2017-07-19 at 2.01 p
    >     >      >  *To:* dev@oodt.apache.org
    >     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
    >     >      >  Hi Folks,
    >     >      >
    >     >      >  I have posted a 2nd release candidate for the Apache OODT
    > 1.1 release. The
    >     >      >  source code is at:
    >     >      >
    >     >      >  https://dist.apache.org/repos/dist/dev/oodt/
    >     >      >
    >     >      >  For more detailed information, see the included CHANGES.txt
    > file for details on
    >     >      >  release contents and latest changes. The release was made
    > using the OODT
    >     >      >  release process, documented on the Wiki here:
    >     >      >
    >     >      >  https://cwiki.apache.org/confluence/display/OODT/
    > Release+Process
    >     >      >
    >     >      >  The release was made from the OODT 1.1 tag at:
    >     >      >
    >     >      >  https://github.com/apache/oodt/tree/1.1/
    >     >      >
    >     >      >  A staged Maven repository is available at:
    >     >      >
    >     >      >  https://repository.apache.org/content/repositories/
    > orgapacheoodt-1013/
    >     >      >
    >     >      >  Please vote on releasing these packages as Apache OODT 1.1.
    > The vote is
    >     >      >  open for at least the next 72 hours.
    >     >      >
    >     >      >  Only votes from OODT PMC are binding, but folks are welcome
    > to check the
    >     >      >  release candidate and voice their approval or disapproval.
    > The vote passes
    >     >      >  if at least three binding +1 votes are cast.
    >     >      >
    >     >      >  [ ] +1 Release the packages as Apache OODT 1.1
    >     >      >
    >     >      >  [ ] -1 Do not release the packages because...
    >     >      >
    >     >      >  Thanks!
    >     >      >
    >     >      >  Chris Mattmann
    >     >      >
    >     >      >  P.S. Here is my +1.
    >     >      >
    >     >      >
    >     >      >
    >     >
    >     >
    >     >
    >     >
    >
    >
    >
    >
    



Mime
View raw message