You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ratis.apache.org by William Song <sz...@163.com> on 2023/03/15 12:55:22 UTC

[VOTE] Apache Ratis Thirdparty Release 1.0.4 rc0

Hi Apache Ratis Community,

I’m calling a vote for Apache Ratis Thirdparty Release 1.0.4 rc0.

The git tag to be voted upon:
https://github.com/apache/ratis-thirdparty/tree/1.0.4-rc0

The git commit hash:
eba95d9019473b825dfd555031e2a38c67efb266

Source tarball can be found at:
https://dist.apache.org/repos/dist/dev/ratis/thirdparty/1.0.4/rc0

The fingerprint of PGP key release artifacts are signed with:
DCE2 C33D 41C6 2578 969D BAFE 37D6 ECF8 4E78 BC92

My public key to verify signatures can be found in:
https://dist.apache.org/repos/dist/dev/ratis/KEYS

Maven artifacts are staged at:
https://repository.apache.org/content/repositories/orgapacheratis-1135

This vote will remain open for at lease 72 hours.
Please vote on releasing this ratis-thirdparty 1.0.4-rc0. Thank you in advance.

[ ] +1 approve
[ ]  0  no opinion
[ ] -1  disapprove (and reason why)


Starting with my +1(binding)
* Verified checksum, signature, git hash
* Compared tarball to repo at the given tag
* Built from source
* Built Ratis locally with 1.3.0-rc0 after updating component versions [1]
* Ran regular Ratis CI using the staged third-party jars [2]

Thanks,
-William

[1] https://github.com/SzyWilliam/ratis/commit/a0be4e888143f406ad04eed9d88c6d0c85ed1ed5
[2] https://github.com/SzyWilliam/ratis/actions/runs/4425429620

Re: [VOTE] Apache Ratis Thirdparty Release 1.0.4 rc0

Posted by William Song <sz...@163.com>.

Hi Attila,

Sorry that I used a wrong key to sign the artifacts. I’ll close this vote and start a new one.
Thanks very much for pointing out!

William

> 2023年3月16日 02:29，Attila Doroszlai <ad...@apache.org> 写道：
> 
> Hi William,
> 
> Thanks for working on the RC.
> 
>> The fingerprint of PGP key release artifacts are signed with:
>> DCE2 C33D 41C6 2578 969D BAFE 37D6 ECF8 4E78 BC92
>> 
>> My public key to verify signatures can be found in:
>> https://dist.apache.org/repos/dist/dev/ratis/KEYS
> 
> I have imported your key from KEYS:
> 
> $ curl -LO https://dist.apache.org/repos/dist/dev/ratis/KEYS
> $ gpg --import KEYS
> ...
> gpg: key 37D6ECF84E78BC92: public key "William Song (For Apache
> Project Release) <wi...@apache.org>" imported
> gpg: Total number processed: 11
> gpg:               imported: 1
> gpg:              unchanged: 10
> 
> But am unable to verify the signature of the tarball:
> 
> $ gpg --verify ratis-thirdparty-1.0.4-src.tar.gz.asc
> ratis-thirdparty-1.0.4-src.tar.gz
> gpg: Signature made Wed 15 Mar 2023 11:13:20 AM CET
> gpg:                using EDDSA key 8F534410776FEDBE953CA795B5306339B3621069
> gpg: Can't check signature: No public key
> 
> Am I missing something?
> 
> -Attila

Re: [VOTE] Apache Ratis Thirdparty Release 1.0.4 rc0

Posted by Attila Doroszlai <ad...@apache.org>.

Hi William,

Thanks for working on the RC.

> The fingerprint of PGP key release artifacts are signed with:
> DCE2 C33D 41C6 2578 969D BAFE 37D6 ECF8 4E78 BC92
>
> My public key to verify signatures can be found in:
> https://dist.apache.org/repos/dist/dev/ratis/KEYS

I have imported your key from KEYS:

$ curl -LO https://dist.apache.org/repos/dist/dev/ratis/KEYS
$ gpg --import KEYS
...
gpg: key 37D6ECF84E78BC92: public key "William Song (For Apache
Project Release) <wi...@apache.org>" imported
gpg: Total number processed: 11
gpg:               imported: 1
gpg:              unchanged: 10

But am unable to verify the signature of the tarball:

$ gpg --verify ratis-thirdparty-1.0.4-src.tar.gz.asc
ratis-thirdparty-1.0.4-src.tar.gz
gpg: Signature made Wed 15 Mar 2023 11:13:20 AM CET
gpg:                using EDDSA key 8F534410776FEDBE953CA795B5306339B3621069
gpg: Can't check signature: No public key

Am I missing something?

-Attila