You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Nathan Hartman <ha...@gmail.com> on 2022/04/01 06:22:32 UTC
Re: What to do about PGP KEYS for release?
tl;dr:
(1) Attached script to generate KEYS (I'll be happy to provide the
generated KEYS by request)
(2) dsahlberg, futatuki, jun66j5, kfogel: it can't find your key
Replies and details inline below...
On Thu, Mar 31, 2022 at 7:48 PM Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>
> Mark Phippard wrote on Wed, Mar 30, 2022 at 08:01:32 -0400:
> > I am still a little unsure what to do about the KEYS file when we
> > produce this release.
Okay, so https://downloads.apache.org/subversion/ has the file KEYS,
which is a bit outdated (last modified 2020-07-03).
There's also subversion-${VERSION}.KEYS as danielsh explains in [1].
More below...
> > Our release.py script no longer works for whatever it used to do and
> > throws an error. I do not know if more errors will happen when I get
> > to the steps of publishing the release to /dist later on.
> >
> > I just updated my Apache LDAP with the fingerprint of my new key I
> > will use to sign the release.
> >
> > Is there anything here we can leverage?
> >
> > https://people.apache.org/keys/
danielsh wrote:
> I did post just a few days ago
> (<https://mail-archives.apache.org/mod_mbox/subversion-dev/202203.mbox/%3C20220323035056.GY7687%40tarpaulin.shahaf.local2%3E>)
> a piece of code that assembles a KEYS-like file from this URL…
So I took the above-mentioned "piece of code" and expanded it into a
script, attached as make-keys.sh.txt. Improvements welcome.
When I ran this script (just now):
[[[
svn-trunk$ ../make-keys.sh
Fetching https://people.apache.org/keys/committer/jimb.asc... MISSING
Fetching https://people.apache.org/keys/committer/sussman.asc... MISSING
Fetching https://people.apache.org/keys/committer/kfogel.asc... MISSING
Fetching https://people.apache.org/keys/committer/gstein.asc... OK
Fetching https://people.apache.org/keys/committer/brane.asc... OK
Fetching https://people.apache.org/keys/committer/jorton.asc... MISSING
Fetching https://people.apache.org/keys/committer/ghudson.asc... MISSING
Fetching https://people.apache.org/keys/committer/fitz.asc... OK
Fetching https://people.apache.org/keys/committer/daniel.asc... MISSING
Fetching https://people.apache.org/keys/committer/cmpilato.asc... OK
Fetching https://people.apache.org/keys/committer/philip.asc... OK
Fetching https://people.apache.org/keys/committer/jerenkrantz.asc... MISSING
Fetching https://people.apache.org/keys/committer/rooneg.asc... MISSING
Fetching https://people.apache.org/keys/committer/blair.asc... MISSING
Fetching https://people.apache.org/keys/committer/striker.asc... OK
Fetching https://people.apache.org/keys/committer/dlr.asc... MISSING
Fetching https://people.apache.org/keys/committer/mbk.asc... MISSING
Fetching https://people.apache.org/keys/committer/jaa.asc... MISSING
Fetching https://people.apache.org/keys/committer/julianfoad.asc... OK
Fetching https://people.apache.org/keys/committer/jszakmeister.asc... MISSING
Fetching https://people.apache.org/keys/committer/ehu.asc... MISSING
Fetching https://people.apache.org/keys/committer/breser.asc... OK
Fetching https://people.apache.org/keys/committer/maxb.asc... OK
Fetching https://people.apache.org/keys/committer/dberlin.asc... MISSING
Fetching https://people.apache.org/keys/committer/danderson.asc... MISSING
Fetching https://people.apache.org/keys/committer/djames.asc... MISSING
Fetching https://people.apache.org/keys/committer/pburba.asc... OK
Fetching https://people.apache.org/keys/committer/glasser.asc... MISSING
Fetching https://people.apache.org/keys/committer/lgo.asc... OK
Fetching https://people.apache.org/keys/committer/hwright.asc... OK
Fetching https://people.apache.org/keys/committer/vgeorgescu.asc... MISSING
Fetching https://people.apache.org/keys/committer/kameshj.asc... MISSING
Fetching https://people.apache.org/keys/committer/markphip.asc... OK
Fetching https://people.apache.org/keys/committer/arfrever.asc... MISSING
Fetching https://people.apache.org/keys/committer/stsp.asc... OK
Fetching https://people.apache.org/keys/committer/kou.asc... OK
Fetching https://people.apache.org/keys/committer/danielsh.asc... OK
Fetching https://people.apache.org/keys/committer/peters.asc... MISSING
Fetching https://people.apache.org/keys/committer/rhuijben.asc... OK
Fetching https://people.apache.org/keys/committer/stylesen.asc... OK
Fetching https://people.apache.org/keys/committer/steveking.asc... MISSING
Fetching https://people.apache.org/keys/committer/neels.asc... OK
Fetching https://people.apache.org/keys/committer/jwhitlock.asc... MISSING
Fetching https://people.apache.org/keys/committer/sbutler.asc... MISSING
Fetching https://people.apache.org/keys/committer/dannas.asc... MISSING
Fetching https://people.apache.org/keys/committer/stefan2.asc... OK
Fetching https://people.apache.org/keys/committer/jcorvel.asc... OK
Fetching https://people.apache.org/keys/committer/trent.asc... MISSING
Fetching https://people.apache.org/keys/committer/kotkov.asc... OK
Fetching https://people.apache.org/keys/committer/astieger.asc... OK
Fetching https://people.apache.org/keys/committer/jamessan.asc... OK
Fetching https://people.apache.org/keys/committer/luke1410.asc... OK
Fetching https://people.apache.org/keys/committer/troycurtisjr.asc... OK
Fetching https://people.apache.org/keys/committer/hartmannathan.asc... OK
Fetching https://people.apache.org/keys/committer/futatuki.asc... MISSING
Fetching https://people.apache.org/keys/committer/jun66j5.asc... MISSING
Fetching https://people.apache.org/keys/committer/dsahlberg.asc... MISSING
]]]
As you can see, the keys are MISSING for the following committers who
are participating in this release:
dsahlberg, futatuki, jun66j5, kfogel
Not sure what's going on... perhaps they should check and/or update
id.apache.org? Or upload their keys to a keyserver? Or is the above
committers directory out-of-date? I'm not sure.
Mark wrote:
> > Maybe someone can manually generate a KEYS file and send it to me to
> > include in the release? I imagine if I drop it in the folder with the
> > tarballs after I produce them the process will think that it is the
> > one it expects to have.
> >
> > Mark
Let me know if you'd like me to email you the KEYS file generated by
the attached script... The file is approx 1 MB in size.
Alternatively...
If you run the script yourself, I recommend to run it in an up-to-date
checkout of trunk, since COMMITTERS of branches/1.14.x and
branches/1.10.x do not contain some of the newer full committers.
References:
[1] The dev@ thread "Re: Questions on Release Management Process" on
22 Mar 2022, archived:
https://lists.apache.org/thread/sw2og65pxy3qj6cvogqnn3kj7rmmzdv3
or:
https://mail-archives.apache.org/mod_mbox/subversion-dev/202203.mbox/%3C20220323035056.GY7687%40tarpaulin.shahaf.local2%3E
Cheers,
Nathan
Re: What to do about PGP KEYS for release?
Posted by Mark Phippard <ma...@gmail.com>.
On Fri, Apr 1, 2022 at 6:50 AM Mark Phippard <ma...@gmail.com> wrote:
> I was able to run the script without problem, so I think I am all set.
> The release.py script will still fail when it tries to download the
> KEYS but I am assuming that is the last step it does in that part of
> the process. Presumably if I then drop this file in to the folder it
> should be good from that point onward.
I found an easy solution here. After generating the KEYS file I copied
it to /tmp then I edited the release.py script and changed the URL it
uses to download the file to file:///tmp/KEYS.
This worked
Thanks
Mark
Re: What to do about PGP KEYS for release?
Posted by Mark Phippard <ma...@gmail.com>.
On Fri, Apr 1, 2022 at 2:22 AM Nathan Hartman <ha...@gmail.com> wrote:
>
> tl;dr:
> (1) Attached script to generate KEYS (I'll be happy to provide the
> generated KEYS by request)
> (2) dsahlberg, futatuki, jun66j5, kfogel: it can't find your key
>
> Replies and details inline below...
>
> On Thu, Mar 31, 2022 at 7:48 PM Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> >
> > Mark Phippard wrote on Wed, Mar 30, 2022 at 08:01:32 -0400:
> > > I am still a little unsure what to do about the KEYS file when we
> > > produce this release.
>
> Okay, so https://downloads.apache.org/subversion/ has the file KEYS,
> which is a bit outdated (last modified 2020-07-03).
>
> There's also subversion-${VERSION}.KEYS as danielsh explains in [1].
>
> More below...
>
> > > Our release.py script no longer works for whatever it used to do and
> > > throws an error. I do not know if more errors will happen when I get
> > > to the steps of publishing the release to /dist later on.
> > >
> > > I just updated my Apache LDAP with the fingerprint of my new key I
> > > will use to sign the release.
> > >
> > > Is there anything here we can leverage?
> > >
> > > https://people.apache.org/keys/
>
> danielsh wrote:
>
> > I did post just a few days ago
> > (<https://mail-archives.apache.org/mod_mbox/subversion-dev/202203.mbox/%3C20220323035056.GY7687%40tarpaulin.shahaf.local2%3E>)
> > a piece of code that assembles a KEYS-like file from this URL…
>
> So I took the above-mentioned "piece of code" and expanded it into a
> script, attached as make-keys.sh.txt. Improvements welcome.
>
> When I ran this script (just now):
>
> [[[
>
> svn-trunk$ ../make-keys.sh
> Fetching https://people.apache.org/keys/committer/jimb.asc... MISSING
> Fetching https://people.apache.org/keys/committer/sussman.asc... MISSING
> Fetching https://people.apache.org/keys/committer/kfogel.asc... MISSING
> Fetching https://people.apache.org/keys/committer/gstein.asc... OK
> Fetching https://people.apache.org/keys/committer/brane.asc... OK
> Fetching https://people.apache.org/keys/committer/jorton.asc... MISSING
> Fetching https://people.apache.org/keys/committer/ghudson.asc... MISSING
> Fetching https://people.apache.org/keys/committer/fitz.asc... OK
> Fetching https://people.apache.org/keys/committer/daniel.asc... MISSING
> Fetching https://people.apache.org/keys/committer/cmpilato.asc... OK
> Fetching https://people.apache.org/keys/committer/philip.asc... OK
> Fetching https://people.apache.org/keys/committer/jerenkrantz.asc... MISSING
> Fetching https://people.apache.org/keys/committer/rooneg.asc... MISSING
> Fetching https://people.apache.org/keys/committer/blair.asc... MISSING
> Fetching https://people.apache.org/keys/committer/striker.asc... OK
> Fetching https://people.apache.org/keys/committer/dlr.asc... MISSING
> Fetching https://people.apache.org/keys/committer/mbk.asc... MISSING
> Fetching https://people.apache.org/keys/committer/jaa.asc... MISSING
> Fetching https://people.apache.org/keys/committer/julianfoad.asc... OK
> Fetching https://people.apache.org/keys/committer/jszakmeister.asc... MISSING
> Fetching https://people.apache.org/keys/committer/ehu.asc... MISSING
> Fetching https://people.apache.org/keys/committer/breser.asc... OK
> Fetching https://people.apache.org/keys/committer/maxb.asc... OK
> Fetching https://people.apache.org/keys/committer/dberlin.asc... MISSING
> Fetching https://people.apache.org/keys/committer/danderson.asc... MISSING
> Fetching https://people.apache.org/keys/committer/djames.asc... MISSING
> Fetching https://people.apache.org/keys/committer/pburba.asc... OK
> Fetching https://people.apache.org/keys/committer/glasser.asc... MISSING
> Fetching https://people.apache.org/keys/committer/lgo.asc... OK
> Fetching https://people.apache.org/keys/committer/hwright.asc... OK
> Fetching https://people.apache.org/keys/committer/vgeorgescu.asc... MISSING
> Fetching https://people.apache.org/keys/committer/kameshj.asc... MISSING
> Fetching https://people.apache.org/keys/committer/markphip.asc... OK
> Fetching https://people.apache.org/keys/committer/arfrever.asc... MISSING
> Fetching https://people.apache.org/keys/committer/stsp.asc... OK
> Fetching https://people.apache.org/keys/committer/kou.asc... OK
> Fetching https://people.apache.org/keys/committer/danielsh.asc... OK
> Fetching https://people.apache.org/keys/committer/peters.asc... MISSING
> Fetching https://people.apache.org/keys/committer/rhuijben.asc... OK
> Fetching https://people.apache.org/keys/committer/stylesen.asc... OK
> Fetching https://people.apache.org/keys/committer/steveking.asc... MISSING
> Fetching https://people.apache.org/keys/committer/neels.asc... OK
> Fetching https://people.apache.org/keys/committer/jwhitlock.asc... MISSING
> Fetching https://people.apache.org/keys/committer/sbutler.asc... MISSING
> Fetching https://people.apache.org/keys/committer/dannas.asc... MISSING
> Fetching https://people.apache.org/keys/committer/stefan2.asc... OK
> Fetching https://people.apache.org/keys/committer/jcorvel.asc... OK
> Fetching https://people.apache.org/keys/committer/trent.asc... MISSING
> Fetching https://people.apache.org/keys/committer/kotkov.asc... OK
> Fetching https://people.apache.org/keys/committer/astieger.asc... OK
> Fetching https://people.apache.org/keys/committer/jamessan.asc... OK
> Fetching https://people.apache.org/keys/committer/luke1410.asc... OK
> Fetching https://people.apache.org/keys/committer/troycurtisjr.asc... OK
> Fetching https://people.apache.org/keys/committer/hartmannathan.asc... OK
> Fetching https://people.apache.org/keys/committer/futatuki.asc... MISSING
> Fetching https://people.apache.org/keys/committer/jun66j5.asc... MISSING
> Fetching https://people.apache.org/keys/committer/dsahlberg.asc... MISSING
>
> ]]]
>
> As you can see, the keys are MISSING for the following committers who
> are participating in this release:
>
> dsahlberg, futatuki, jun66j5, kfogel
>
> Not sure what's going on... perhaps they should check and/or update
> id.apache.org? Or upload their keys to a keyserver? Or is the above
> committers directory out-of-date? I'm not sure.
>
> Mark wrote:
>
> > > Maybe someone can manually generate a KEYS file and send it to me to
> > > include in the release? I imagine if I drop it in the folder with the
> > > tarballs after I produce them the process will think that it is the
> > > one it expects to have.
> > >
> > > Mark
>
> Let me know if you'd like me to email you the KEYS file generated by
> the attached script... The file is approx 1 MB in size.
I was able to run the script without problem, so I think I am all set.
The release.py script will still fail when it tries to download the
KEYS but I am assuming that is the last step it does in that part of
the process. Presumably if I then drop this file in to the folder it
should be good from that point onward.
FWIW, my understanding is that this file is relevant to who signs this
release. So the fact that every committer is not included seems OK. If
any of them sign this release they would need to provide their key.
Also, since I had to generate a new key I got a ed25519 key. I assume
that will not be a problem anywhere.
Mark