Subject: Re: change release signature requirements?
To: dev@subversion.apache.org
References: <20180624062057.GH79457@ted.stsp.name>
From: Stefan
Message-ID: <626c040b-e03c-b5d2-0adb-788cf3098f41@posteo.de>
Date: Wed, 27 Jun 2018 09:40:36 +0200
In-Reply-To: <20180624062057.GH79457@ted.stsp.name>
On 24/06/2018 08:20, Stefan Sperling wrote:
> While we're on the subject of changing the supported release
> process, we could use this opportunity to lower the number of
> signatures required for a release.
>
> While we never failed to meet the current requirements eventually,
> our release process could be faster if less signatures were required.
>
> My suggestion would be:
>
> ASF guidelines require a minimum of signatures from 3 different people
> in total (including the release manager). To this, we could add our
> requirement of cross-platform signatures, where at least one signature
> must count for a Windows system, and at least one must count for a
> Unix-like system. Of course, more than 3 signatures are always welcome.
>
> We could also reserve an option for the RM to decide to publish a
> release with 3 signatures for any platforms, based on the RM's
> judgement of the situation (e.g. if a patch release only contained
> code changes inside #ifdef WIN32, Unix signatures could be skipped).
>
> I believe this change would help us with meeting the new 6 months schedule.
>
>
> I see *no* need to change our patch backport voting rules, by the way.
+1 from my side as well.
Maybe we'd still want to add a recommendation for the RM to at least
stay with a certain minimum timeframe for the signing process however
(maybe 3d-1w?). Not a requirement but rather a recommendation. The
rationale would be that this way anybody testing the release could plan
that way as well, rather than feeling pushed to drop everything
else and having to rush signing/testing the release to be sure we don't
miss some issues.
If so, the wording in [1] could be:
current:
[...] Before a release is officially made public, it must receive three
+1 votes from members of the Subversion PMC. In addition, as a matter of
project policy (being revisited: see dev@ thread),
we require testing and signatures from at least three PMC members on
/each/ of the major platforms we support: Windows and *nix. For -alpha
and -beta releases, we still require at least one +1 vote on each major
platform we support, but waive the requirement for three signers on each
platform. (The requirement for at least three signers in total remains.)
[...] (A list of the current public keys for members of
the Subversion PMC is autogenerated from LDAP each day.) [...]
new:
[...] Before a release is officially made public, it must receive three
+1 votes from members of the Subversion PMC. In addition, as a matter of
project policy, we require testing and signatures from at least one PMC
member on /each/ of the major platforms we support: Windows and *nix.
[...] (A list of the current public keys for members of
the Subversion PMC is autogenerated from LDAP each day.)
The release manager is encouraged to wait at least 5 days for the
signatures before rolling the release to allow anybody (planning to)
test(ing) the release to complete signing the release before it's being
rolled.
[1] https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
Regards,
Stefan