From: Stefan
To: dev@subversion.apache.org
Subject: Re: change release signature requirements?
Date: Wed, 27 Jun 2018 09:40:36 +0200
Message-ID: <626c040b-e03c-b5d2-0adb-788cf3098f41@posteo.de>
In-Reply-To: <20180624062057.GH79457@ted.stsp.name>
References: <20180624062057.GH79457@ted.stsp.name>

On 24/06/2018 08:20, Stefan Sperling wrote:
> While we're on the subject of changing the supported release
> process, we could use this opportunity to lower the number of
> signatures required for a release.
>
> While we never failed to meet the current requirements eventually,
> our release process could be faster if less signatures were required.
>
> My suggestion would be:
>
> ASF guidelines require a minimum of signatures from 3 different people
> in total (including the release manager). To this, we could add our
> requirement of cross-platform signatures, where at least one signature
> must count for a Windows system, and at least one must count for a
> Unix-like system. Of course, more than 3 signatures are always welcome.
>
> We could also reserve an option for the RM to decide to publish a
> release with 3 signatures for any platforms, based on the RM's
> judgement of the situation (e.g. if a patch release only contained
> code changes inside #ifdef WIN32, Unix signatures could be skipped).
>
> I believe this change would help us with meeting the new 6 months schedule.
>
>
> I see *no* need to change our patch backport voting rules, by the way.
    
+1 from my side as well.

Maybe we'd still want to add a recommendation for the RM to at least stay with a certain minimum timeframe for the signing process however (maybe 3d-1w?). Not a requirement but rather a recommendation. The rationale would be that this way anybody testing the release could plan that way as well, rather than feeling pushed to drop everything else and having to rush signing/testing the release to be sure we don't miss some issues.

If so, the wording in [1] could be:
current:
[...] Before a release is officially made public, it must receive three +1 votes from members of the Subversion PMC. In addition, as a matter of project policy (being revisited: see dev@ thread), we require testing and signatures from at least three PMC members on each of the major platforms we support: Windows and *nix. For -alpha and -beta releases, we still require at least one +1 vote on each major platform we support, but waive the requirement for three signers on each platform. (The requirement for at least three signers in total remains.) [...] (A list of the current public keys for members of the Subversion PMC is autogenerated from LDAP each day.) [...]
new:
[...] Before a release is officially made public, it must receive three +1 votes from members of the Subversion PMC. In addition, as a matter of project policy, we require testing and signatures from at least one PMC member on each of the major platforms we support: Windows and *nix. [...] (A list of the current public keys for members of the Subversion PMC is autogenerated from LDAP each day.)
The release manager is encouraged to wait at least 5 days for the signatures before rolling the release to allow anybody (planning to) test(ing) the release to complete signing the release before it's being rolled.

[1] https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing

Regards,
Stefan