Posted to dev@shardingsphere.apache.org by "zhangliang@apache.org" <zh...@apache.org> on 2019/12/30 13:43:37 UTC

[VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:
https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:
https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by zhaojun <zh...@126.com>.
+1

I have checked:

[OK] Download links are valid.
[OK] Checksums and PGP signatures are valid.
[OK] DISCLAIMER is included.
[OK] Source code artifacts have correct names matching the current release.
[OK] All files have license headers if necessary.
[OK] No compiled archives bundled in source archive.

------------------
Zhao Jun (cherrylzhao)
Apache ShardingSphere & ServiceComb

> On Dec 31, 2019, at 5:08 PM, Zonglei Dong <do...@apache.org> wrote:
> 
> +1
> 
> 
> The checklist:
> 
> 
> [ OK ] Download links are valid.
> [ OK ] Checksums and PGP signatures are valid.
> [ OK ] DISCLAIMER is included.
> [ OK ] Source code artifacts have correct names matching the current release.
> [ OK ] All files have license headers if necessary.
> [ OK ] No compiled archives bundled in source archive.
> 
> 
> Zonglei Dong
> Apache ShardingSphere
> 
> 
> On 12/31/2019 15:15,sunbufu<su...@apache.org> wrote:
> +1
> 
> 
> I have checked the following items.
> 
> 
> Checklist for reference:
> [v] Download links are valid.
> [v] Checksums and PGP signatures are valid.
> [v] DISCLAIMER is included.
> [v] Source code artifacts have correct names matching the current release.
> 
> 
> —————————
> Haisheng Sun (sunbufu)
> Apache ShardingSphere
> 
> 
> On 12/31/2019 11:16,Sion Yang<sc...@163.com> wrote:
> +1
> 
> 
> I checked the LICENSE, NOTICE, Checksums, PGP signatures and installing source code.
> 
> 
> No problem happened.
> 
> 
> --
> 
> Yi Yang(Sion)
> Apache ShardingSphere
> 
> 
> 
> At 2019-12-30 21:43:37, "zhangliang@apache.org" <zh...@apache.org> wrote:
> Hello ShardingSphere Community,
> 
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
> 
> Release notes:
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
> 
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
> 
> Maven 2 staging repository:
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
> 
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
> 
> Release Commit ID:
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
> 
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
> 
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
> 
> The vote will be open for at least 72 hours or until necessary number of
> votes are reached.
> 
> Please vote accordingly:
> 
> [ ] +1 approve
> 
> [ ] +0 no opinion
> 
> [ ] -1 disapprove with the reason
> 
> Checklist for reference:
> 
> [ ] Download links are valid.
> 
> [ ] Checksums and PGP signatures are valid.
> 
> [ ] DISCLAIMER is included.
> 
> [ ] Source code artifacts have correct names matching the current release.
> 
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
> 
> [ ] All files have license headers if necessary.
> 
> [ ] No compiled archives bundled in source archive.
> 
> ------------------
> 
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo


Re:[VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Zonglei Dong <do...@apache.org>.
+1


The checklist:


[ OK ] Download links are valid.
[ OK ] Checksums and PGP signatures are valid.
[ OK ] DISCLAIMER is included.
[ OK ] Source code artifacts have correct names matching the current release.
[ OK ] All files have license headers if necessary.
[ OK ] No compiled archives bundled in source archive.


Zonglei Dong
Apache ShardingSphere


On 12/31/2019 15:15,sunbufu<su...@apache.org> wrote:
+1


I have checked the following items.


Checklist for reference:
[v] Download links are valid.
[v] Checksums and PGP signatures are valid.
[v] DISCLAIMER is included.
[v] Source code artifacts have correct names matching the current release.


—————————
Haisheng Sun (sunbufu)
Apache ShardingSphere


On 12/31/2019 11:16,Sion Yang<sc...@163.com> wrote:
+1


I checked the LICENSE, NOTICE, Checksums, PGP signatures and installing source code.


No problem happened.


--

Yi Yang(Sion)
Apache ShardingSphere



At 2019-12-30 21:43:37, "zhangliang@apache.org" <zh...@apache.org> wrote:
Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:
https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:
https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo

Re:[VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by sunbufu <su...@apache.org>.
+1


I have checked the following items.


Checklist for reference:
[v] Download links are valid.
[v] Checksums and PGP signatures are valid.
[v] DISCLAIMER is included.
[v] Source code artifacts have correct names matching the current release.


—————————
Haisheng Sun (sunbufu)
Apache ShardingSphere


On 12/31/2019 11:16,Sion Yang<sc...@163.com> wrote:
+1


I checked the LICENSE, NOTICE, Checksums, PGP signatures and installing source code.


No problem happened.


--

Yi Yang(Sion)
Apache ShardingSphere



At 2019-12-30 21:43:37, "zhangliang@apache.org" <zh...@apache.org> wrote:
Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:
https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:
https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo

Re:[VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Sion Yang <sc...@163.com>.
+1


I checked the LICENSE, NOTICE, Checksums, PGP signatures and installing source code.


No problem happened.


--

Yi Yang(Sion)
Apache ShardingSphere



At 2019-12-30 21:43:37, "zhangliang@apache.org" <zh...@apache.org> wrote:
>Hello ShardingSphere Community,
>
>This is a call for vote to release Apache ShardingSphere (Incubating)
>version 4.0.0
>
>Release notes:
>https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
>The release candidates:
>https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
>Maven 2 staging repository:
>https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
>Git tag for the release:
>https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
>Release Commit ID:
>https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
>Keys to verify the Release Candidate:
>https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
>Look at here for how to verify this release candidate:
>https://shardingsphere.apache.org/community/en/contribute/release/
>
>The vote will be open for at least 72 hours or until necessary number of
>votes are reached.
>
>Please vote accordingly:
>
>[ ] +1 approve
>
>[ ] +0 no opinion
>
>[ ] -1 disapprove with the reason
>
>Checklist for reference:
>
>[ ] Download links are valid.
>
>[ ] Checksums and PGP signatures are valid.
>
>[ ] DISCLAIMER is included.
>
>[ ] Source code artifacts have correct names matching the current release.
>
>[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
>[ ] All files have license headers if necessary.
>
>[ ] No compiled archives bundled in source archive.
>
>------------------
>
>Liang Zhang (John)
>Apache ShardingSphere & Dubbo

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by guangyuan wang <wa...@apache.org>.
Hi

+1 approve.

I have checked the following items:

[+] Download links are valid.

[+] Checksums and PGP signatures are valid.

[+] DISCLAIMER is included.

[+] Source code artifacts have correct names matching the current release.

[+] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[+] All files have license headers if necessary.

[+] No compiled archives bundled in source archive.




Craig Russell <ap...@gmail.com> wrote on Fri, Jan 3, 2020 at 10:53 AM:

> Hi,
>
> +1 (IPMC) can be carried over to general incubator release vote
>
> I checked:
>
> [x] incubating in names.
>
> [x] Download links are valid.
>
> [x] Checksums and PGP signatures are valid (I checked src)
>
> [x] DISCLAIMER is included.
>
> [x] Source code artifacts have correct names matching the current release.
>
> [x] LICENSE and NOTICE files are correct for src repo
>
> [x] mvn install completes with no errors
>
> Craig
>
> > On Dec 30, 2019, at 5:43 AM, zhangliang@apache.org wrote:
> >
> > Hello ShardingSphere Community,
> >
> > This is a call for vote to release Apache ShardingSphere (Incubating)
> > version 4.0.0
> >
> > Release notes:
> > https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
> >
> > The release candidates:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
> >
> > Maven 2 staging repository:
> > https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
> >
> > Git tag for the release:
> > https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
> >
> > Release Commit ID:
> > https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
> >
> > Keys to verify the Release Candidate:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
> >
> > Look at here for how to verify this release candidate:
> > https://shardingsphere.apache.org/community/en/contribute/release/
> >
> > The vote will be open for at least 72 hours or until necessary number of
> > votes are reached.
> >
> > Please vote accordingly:
> >
> > [ ] +1 approve
> >
> > [ ] +0 no opinion
> >
> > [ ] -1 disapprove with the reason
> >
> > Checklist for reference:
> >
> > [ ] Download links are valid.
> >
> > [ ] Checksums and PGP signatures are valid.
> >
> > [ ] DISCLAIMER is included.
> >
> > [ ] Source code artifacts have correct names matching the current release.
> >
> > [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
> >
> > [ ] All files have license headers if necessary.
> >
> > [ ] No compiled archives bundled in source archive.
> >
> > ------------------
> >
> > Liang Zhang (John)
> > Apache ShardingSphere & Dubbo
>
> Craig L Russell
> clr@apache.org
>
>

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Craig Russell <ap...@gmail.com>.
Hi,

+1 (IPMC) can be carried over to general incubator release vote

I checked:

[x] incubating in names.

[x] Download links are valid.

[x] Checksums and PGP signatures are valid (I checked src)

[x] DISCLAIMER is included.

[x] Source code artifacts have correct names matching the current release.

[x] LICENSE and NOTICE files are correct for src repo

[x] mvn install completes with no errors

Craig

> On Dec 30, 2019, at 5:43 AM, zhangliang@apache.org wrote:
> 
> Hello ShardingSphere Community,
> 
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
> 
> Release notes:
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
> 
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
> 
> Maven 2 staging repository:
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
> 
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
> 
> Release Commit ID:
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
> 
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
> 
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
> 
> The vote will be open for at least 72 hours or until necessary number of
> votes are reached.
> 
> Please vote accordingly:
> 
> [ ] +1 approve
> 
> [ ] +0 no opinion
> 
> [ ] -1 disapprove with the reason
> 
> Checklist for reference:
> 
> [ ] Download links are valid.
> 
> [ ] Checksums and PGP signatures are valid.
> 
> [ ] DISCLAIMER is included.
> 
> [ ] Source code artifacts have correct names matching the current release.
> 
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
> 
> [ ] All files have license headers if necessary.
> 
> [ ] No compiled archives bundled in source archive.
> 
> ------------------
> 
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo

Craig L Russell
clr@apache.org


Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by "zhangliang@apache.org" <zh...@apache.org>.
Thank you to all participants. The vote has finished successfully; I will
send a new email to tally the vote result.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


Willem Jiang <wi...@gmail.com> wrote on Mon, Jan 6, 2020 at 8:56 AM:

> +1 (binding)
>
> I checked
> Download links are valid, git tag is OK.
> The kits have incubating in the name.
> Checksums and PGP signatures are valid.
> DISCLAIMER is included.
> LICENSE and NOTICE files are good.
> No binary file in the source kit.
> I can build the kits from source kit.
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
> On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org
> <zh...@apache.org> wrote:
> >
> > Hello ShardingSphere Community,
> >
> > This is a call for vote to release Apache ShardingSphere (Incubating)
> > version 4.0.0
> >
> > Release notes:
> > https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
> >
> > The release candidates:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
> >
> > Maven 2 staging repository:
> > https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
> >
> > Git tag for the release:
> > https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
> >
> > Release Commit ID:
> > https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
> >
> > Keys to verify the Release Candidate:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
> >
> > Look at here for how to verify this release candidate:
> > https://shardingsphere.apache.org/community/en/contribute/release/
> >
> > The vote will be open for at least 72 hours or until necessary number of
> > votes are reached.
> >
> > Please vote accordingly:
> >
> > [ ] +1 approve
> >
> > [ ] +0 no opinion
> >
> > [ ] -1 disapprove with the reason
> >
> > Checklist for reference:
> >
> > [ ] Download links are valid.
> >
> > [ ] Checksums and PGP signatures are valid.
> >
> > [ ] DISCLAIMER is included.
> >
> > [ ] Source code artifacts have correct names matching the current release.
> >
> > [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
> >
> > [ ] All files have license headers if necessary.
> >
> > [ ] No compiled archives bundled in source archive.
> >
> > ------------------
> >
> > Liang Zhang (John)
> > Apache ShardingSphere & Dubbo
>

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Willem Jiang <wi...@gmail.com>.
+1 (binding)

I checked
Download links are valid, git tag is OK.
The kits have incubating in the name.
Checksums and PGP signatures are valid.
DISCLAIMER is included.
LICENSE and NOTICE files are good.
No binary file in the source kit.
I can build the kits from source kit.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem
On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org
<zh...@apache.org> wrote:
>
> Hello ShardingSphere Community,
>
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
>
> Release notes:
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
> Maven 2 staging repository:
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
> Release Commit ID:
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
>
> The vote will be open for at least 72 hours or until necessary number of
> votes are reached.
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference:
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current release.
>
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
> [ ] All files have license headers if necessary.
>
> [ ] No compiled archives bundled in source archive.
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Sheng Wu <wu...@gmail.com>.
Got it.

+1 binding

Checked
1. Incubating in names
2. Compiling pass.
3. GPG checked
4. sha512 exist
5. LICENSE and NOTICE exist.

Good luck and glad to see the stable release will be available soon

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Thu, Jan 2, 2020 at 12:38 PM:

> Sorry, I can not find the old secret key, so we can not reuse the old
> public key for now.
> The only way is use the current key to check the gpg signature. Please
> reimport the `KEYS` file to validate the signature for now.
>
> It is unnecessary to re-release version. How about continue to vote on this
> thread?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> Willem Jiang <wi...@gmail.com> wrote on Thu, Jan 2, 2020 at 12:08 PM:
>
> > No, I don't think using the KEYS file can keep good track of the
> > public key, it doesn't support the revoke operation.
> > It's better to use the public Key server to host the public key and we
> > can know if the key is revoked or not.
> >
> >
> > Willem Jiang
> >
> > Twitter: willemjiang
> > Weibo: 姜宁willem
> >
> > On Thu, Jan 2, 2020 at 12:04 PM Juan Pan <pa...@apache.org> wrote:
> > >
> > > That means once one key was used for one release, it could not be deleted from KEYS files anymore no matter it is great on or not, right?
> > >
> > >
> > >  Juan Pan (Trista)
> > >
> > > Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> > > E-mail: panjuan@apache.org
> > >
> > >
> > >
> > >
> > > On 01/2/2020 12:00,Willem Jiang<wi...@gmail.com> wrote:
> > > If someone use the compromised private to sign a new release, we
> > > should be able to tell if the public key is revoked.
> > > If we just delete the key from the KEY file, it's hard to tell if the
> > > public key is valid or not.
> > >
> > > Willem Jiang
> > >
> > > Twitter: willemjiang
> > > Weibo: 姜宁willem
> > >
> > > On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:
> > >
> > > Hi Willem,
> > >
> > >
> > > Just for curiosity, if the old key was used for one release and now is compromised, how about the release signed by this old and compromised key?
> > > Since this release exists in our release list and if anyone downloads it from our website and intends to check it again with the bad key.
> > >
> > >
> > > Thanks, trista
> > >
> > >
> > > Juan Pan (Trista)
> > >
> > > Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> > > E-mail: panjuan@apache.org
> > >
> > >
> > >
> > >
> > > On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
> > > If the private key is compromised[1] or if we cannot find the private
> > > key, we should revoke the public KEY[2].
> > > Please keep your private key in a safe place.
> > >
> > > [1] https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
> > > [3] http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/
> > >
> > > Willem Jiang
> > >
> > > Twitter: willemjiang
> > > Weibo: 姜宁willem
> > >
> > > On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com> wrote:
> > >
> > > You can't simply delete the old one. Because ShardingSphere has existing release based on that KEY :)
> > > We could still continue in this way, but it should not be recommended if your old key is still available.
> > >
> > > Sheng Wu 吴晟
> > > Twitter, wusheng1108
> > >
> > >
> > > Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:
> > >
> > > Hi Liang,
> > >
> > >
> > > If you plan not to use the old one any more, deleting it is an alternative to avoid confusion. If so, it is necessary to delete it in KEYS file and public key servers, IMO.
> > >
> > >
> > > Juan Pan (Trista)
> > >
> > > Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> > > E-mail: panjuan@apache.org
> > >
> > >
> > >
> > >
> > > On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> > > My concern is making people confused. The PGP could export and import from the old laptop. You don't need a new one.
> > >
> > > Sheng Wu 吴晟
> > > Twitter, wusheng1108
> > >
> > >
> > > zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:
> > >
> > > A question, why you have two pgp keys in the KEYS file?
> > >
> > > I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for this version.
> > > Do you think we could remove the 1st one? because I will never use that gpg key again, but do we need to keep it to make the 4.0.0-RC1 can be validate?
> > >
> > > ------------------
> > >
> > > Liang Zhang (John)
> > > Apache ShardingSphere & Dubbo
> > >
> > >
> > > Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
> > >
> > > Hi Liang Zhang
> > >
> > > A question, why you have two pgp keys in the KEYS file?
> > >
> > > Sheng Wu 吴晟
> > > Twitter, wusheng1108
> > >
> > >
> > > zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:
> > >
> > > Hello ShardingSphere Community,
> > >
> > > This is a call for vote to release Apache ShardingSphere (Incubating)
> > > version 4.0.0
> > >
> > > Release notes:
> > > https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
> > >
> > > The release candidates:
> > > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
> > >
> > > Maven 2 staging repository:
> > > https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
> > >
> > > Git tag for the release:
> > > https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
> > >
> > > Release Commit ID:
> > > https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
> > >
> > > Keys to verify the Release Candidate:
> > > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
> > >
> > > Look at here for how to verify this release candidate:
> > > https://shardingsphere.apache.org/community/en/contribute/release/
> > >
> > > The vote will be open for at least 72 hours or until necessary number of
> > > votes are reached.
> > >
> > > Please vote accordingly:
> > >
> > > [ ] +1 approve
> > >
> > > [ ] +0 no opinion
> > >
> > > [ ] -1 disapprove with the reason
> > >
> > > Checklist for reference:
> > >
> > > [ ] Download links are valid.
> > >
> > > [ ] Checksums and PGP signatures are valid.
> > >
> > > [ ] DISCLAIMER is included.
> > >
> > > [ ] Source code artifacts have correct names matching the current release.
> > >
> > > [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
> > >
> > > [ ] All files have license headers if necessary.
> > >
> > > [ ] No compiled archives bundled in source archive.
> > >
> > > ------------------
> > >
> > > Liang Zhang (John)
> > > Apache ShardingSphere & Dubbo
> > >
> > >
> > >
> > >
> >
>
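
The trade-off argued in the thread above (deleting an old key from KEYS versus keeping it and revoking it), as an added example that is not part of any participant's message: it parses `gpg --with-colons --list-keys` output and reports, per release, whether the signing key is usable, revoked, or absent from the keyring. The listing, fingerprints, user IDs and the release-to-key mapping are constructed sample data; only the release names 4.0.0-RC1 and 4.0.0 come from the thread.

```python
"""Audit release signing keys from `gpg --with-colons --list-keys` output."""
from dataclasses import dataclass

# Constructed fingerprints (placeholders, not real keys).
OLD_FPR = "A" * 40       # key assumed to have signed 4.0.0-RC1
NEW_FPR = "B" * 40       # key assumed to have signed 4.0.0
NEW_SUB_FPR = "C" * 40   # signing subkey of the new key

# Constructed listing in gpg's colon format. Field 2 of a pub/sub record is
# the validity: "r" = revoked, "e" = expired, "i" = invalid. gpg only shows
# "r" once the revocation certificate has reached the local keyring, for
# example from a key server or from an updated KEYS file.
SAMPLE_LISTING = f"""\
tru::1:1577836800:0:3:1:5
pub:r:4096:1:{OLD_FPR[-16:]}:1546300800:::-:::sc::::::23::0:
fpr:::::::::{OLD_FPR}:
uid:r::::1546300800::0000::Old Release Key (constructed) <old@example.invalid>::::::::::0:
pub:-:4096:1:{NEW_FPR[-16:]}:1575158400:::-:::scESC::::::23::0:
fpr:::::::::{NEW_FPR}:
uid:-::::1575158400::0000::New Release Key (constructed) <new@example.invalid>::::::::::0:
sub:-:4096:1:{NEW_SUB_FPR[-16:]}:1575158400::::::s::::::23:
fpr:::::::::{NEW_SUB_FPR}:
"""

UNUSABLE = {"r": "revoked", "e": "expired", "i": "invalid"}


@dataclass
class KeyInfo:
    fingerprint: str
    validity: str
    uid: str = ""
    is_subkey: bool = False


def parse_keys(listing):
    """Return {fingerprint: KeyInfo} for every primary key and subkey."""
    keys = {}
    pending = None   # (record type, validity) of the pub/sub awaiting its fpr
    primary = None   # KeyInfo of the primary key currently being read
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 1:
            pending = (f[0], f[1])
        elif f[0] == "fpr" and len(f) > 9 and pending:
            kind, validity = pending
            info = KeyInfo(f[9].upper(), validity, is_subkey=(kind == "sub"))
            if kind == "pub":
                primary = info
            elif primary is not None:
                info.uid = primary.uid       # subkeys inherit the owner's uid
            keys[info.fingerprint] = info
            pending = None
        elif f[0] == "uid" and len(f) > 9 and primary and not primary.uid:
            primary.uid = f[9]               # first uid is the primary uid
    return keys


def audit(keys, signed_by):
    """Map each release to 'ok', 'revoked'/'expired'/'invalid', or 'missing'.

    signed_by maps a release name to the fingerprint that made its signature
    (as reported by `gpg --verify`); here the mapping is constructed.
    """
    report = {}
    for release, fpr in signed_by.items():
        key = keys.get(fpr.upper())
        if key is None:
            report[release] = "missing"      # deleted from KEYS: cannot verify
        else:
            report[release] = UNUSABLE.get(key.validity, "ok")
    return report


# Constructed mapping of release -> signing key fingerprint.
SIGNED_BY = {"4.0.0-RC1": OLD_FPR, "4.0.0": NEW_SUB_FPR}

if __name__ == "__main__":
    keys = parse_keys(SAMPLE_LISTING)
    print("old key kept and revoked:", audit(keys, SIGNED_BY))
    # Same keyring with the old key deleted instead of revoked.
    pruned = {k: v for k, v in keys.items() if k != OLD_FPR}
    print("old key deleted:         ", audit(pruned, SIGNED_BY))
```

With the old key kept and revoked, a verifier learns that 4.0.0-RC1 was signed by a key that is no longer trusted; with the key deleted, the same release is only reported as unverifiable, with no indication of why.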

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Zhang Yonglun <zh...@apache.org>.
+1

Checked:

Download links are valid.
PGP checked.
DISCLAIMER is included.
LICENSE and NOTICE files are correct for each ShardingSphere repo.
All files have license headers if necessary.
mvn install succeed.

--

Zhang Yonglun
Apache ShardingSphere


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 6:44 PM:

> +1, it is ok for me
>
>
> My check list,
>
> Download links are valid.
> Checksums and PGP signatures are valid.
> DISCLAIMER is included.
> LICENSE and NOTICE files are correct for each ShardingSphere repo.
> All files have license headers if necessary.
> Install source files successfully.
>
>
>  Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 12:37,zhangliang@apache.org<zh...@apache.org> wrote:
> Sorry, I can not find the old secret key, so we can not reuse the old
> public key for now.
> The only way is use the current key to check the gpg signature. Please
> reimport the `KEYS` file to validate the signature for now.
>
> It is unnecessary to re-release version. How about continue to vote on this
> thread?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> Willem Jiang <wi...@gmail.com> wrote on Thu, Jan 2, 2020 at 12:08 PM:
>
> No, I don't think using the KEYS file can keep good track of the
> public key, it doesn't support the revoke operation.
> It's better to use the public Key server to host the public key and we
> can know if the key is revoked or not.
>
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Thu, Jan 2, 2020 at 12:04 PM Juan Pan <pa...@apache.org> wrote:
>
> That means once one key was used for one release, it could not be
> deleted from KEYS files anymore no matter it is great on or not, right?
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 12:00,Willem Jiang<wi...@gmail.com> wrote:
> If someone use the compromised private to sign a new release, we
> should be able to tell if the public key is revoked.
> If we just delete the key from the KEY file, it's hard to tell if the
> public key is valid or not.
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:
>
> Hi Willem,
>
>
> Just for curiosity, if the old key was used for one release and now is
> compromised, how about the release signed by this old and compromised key?
> Since this release exists in our release list and if anyone downloads it
> from our website and intends to check it again with the bad key.
>
>
> Thanks, trista
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
> If the private key is compromised[1] or if we cannot find the private
> key, we should revoke the public KEY[2].
> Please keep your private key in a safe place.
>
> [1] https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
> [3] http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com>
> wrote:
>
> You can't simply delete the old one. Because ShardingSphere has existing
> release based on that KEY :)
> We could still continue in this way, but it should not be recommended if
> your old key is still available.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> On Thu, Jan 2, 2020 at 10:18 AM Juan Pan <pa...@apache.org> wrote:
>
> Hi Liang,
>
>
> If you plan not to use the old one any more, deleting it is an
> alternative
> to avoid confusion. If so, it is necessary to delete it in KEYS file and
> public key servers, IMO.
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> My concern is making people confused. The PGP could export and import
> from
> the old laptop. You don't need a new one.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> On Wed, Jan 1, 2020 at 8:55 PM zhangliang@apache.org <zh...@apache.org> wrote:
>
> A question, why you have two pgp keys in the KEYS file?
>
> I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> this version.
> Do you think we could remove the 1st one? because I will never use that
> gpg
> key again, but do we need to keep it to make the 4.0.0-RC1 can be
> validate?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> On Wed, Jan 1, 2020 at 8:34 PM Sheng Wu <wu...@gmail.com> wrote:
>
> Hi Liang Zhang
>
> A question, why you have two pgp keys in the KEYS file?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org <zh...@apache.org> wrote:
>
> Hello ShardingSphere Community,
>
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
>
> Release notes:
>
>
>
>
>
>
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
> Maven 2 staging repository:
>
>
>
>
>
>
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
> Release Commit ID:
>
>
>
>
>
>
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
>
> The vote will be open for at least 72 hours or until necessary number
> of
> votes are reached.
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference:
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current
> release.
>
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
> [ ] All files have license headers if necessary.
>
> [ ] No compiled archives bundled in source archive.
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
>
>
>
>

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Juan Pan <pa...@apache.org>.
+1, it is ok for me


My check list,

Download links are valid.
Checksums and PGP signatures are valid.
DISCLAIMER is included.
LICENSE and NOTICE files are correct for each ShardingSphere repo.
All files have license headers if necessary.
Install source files successfully.


 Juan Pan (Trista) 
                         
Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 12:37,zhangliang@apache.org<zh...@apache.org> wrote:
Sorry, I can not find the old secret key, so we can not reuse the old
public key for now.
The only way is to use the current key to check the gpg signature. Please
reimport the `KEYS` file to validate the signature for now.

It is unnecessary to re-release the version. How about continuing to vote on this
thread?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


On Thu, Jan 2, 2020 at 12:08 PM Willem Jiang <wi...@gmail.com> wrote:

No, I don't think using the KEYS file can keep good track of the
public key, it doesn't support the revoke operation.
It's better to use the public Key server to host the public key and we
can know if the key is revoked or not.


Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 12:04 PM Juan Pan <pa...@apache.org> wrote:

That means once one key was used for one release, it could not be
deleted from KEYS files anymore no matter it is great on or not, right?


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 12:00,Willem Jiang<wi...@gmail.com> wrote:
If someone uses the compromised private key to sign a new release, we
should be able to tell if the public key is revoked.
If we just delete the key from the KEY file, it's hard to tell if the
public key is valid or not.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:

Hi Willem,


Just for curiosity, if the old key was used for one release and now is
compromised, how about the release signed by this old and compromised key?
Since this release exists in our release list and if anyone downloads it
from our website and intends to check it again with the bad key.


Thanks, trista


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
If the private key is compromised[1] or if we cannot find the private
key, we should revoke the public KEY[2].
Please keep your private key in a safe place.

[1]
https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
[3]
http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com>
wrote:

You can't simply delete the old one. Because ShardingSphere has existing
release based on that KEY :)
We could still continue in this way, but it should not be recommended if
your old key is still available.

Sheng Wu 吴晟
Twitter, wusheng1108


On Thu, Jan 2, 2020 at 10:18 AM Juan Pan <pa...@apache.org> wrote:

Hi Liang,


If you plan not to use the old one any more, deleting it is an
alternative
to avoid confusion. If so, it is necessary to delete it in KEYS file and
public key servers, IMO.


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
My concern is making people confused. The PGP could export and import
from
the old laptop. You don't need a new one.

Sheng Wu 吴晟
Twitter, wusheng1108


On Wed, Jan 1, 2020 at 8:55 PM zhangliang@apache.org <zh...@apache.org> wrote:

A question, why you have two pgp keys in the KEYS file?

I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
this version.
Do you think we could remove the 1st one? because I will never use that
gpg
key again, but do we need to keep it to make the 4.0.0-RC1 can be
validate?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


On Wed, Jan 1, 2020 at 8:34 PM Sheng Wu <wu...@gmail.com> wrote:

Hi Liang Zhang

A question, why you have two pgp keys in the KEYS file?

Sheng Wu 吴晟
Twitter, wusheng1108


On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org <zh...@apache.org> wrote:

Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:





https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:





https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:





https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number
of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current
release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo






Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by "zhangliang@apache.org" <zh...@apache.org>.
Sorry, I can not find the old secret key, so we can not reuse the old
public key for now.
The only way is to use the current key to check the gpg signature. Please
reimport the `KEYS` file to validate the signature for now.

It is unnecessary to re-release the version. How about continuing to vote on this
thread?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


On Thu, Jan 2, 2020 at 12:08 PM Willem Jiang <wi...@gmail.com> wrote:

> No, I don't think using the KEYS file can keep good track of the
> public key, it doesn't support the revoke operation.
> It's better to use the public Key server to host the public key and we
> can know if the key is revoked or not.
>
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Thu, Jan 2, 2020 at 12:04 PM Juan Pan <pa...@apache.org> wrote:
> >
> > That means once one key was used for one release, it could not be
> deleted from KEYS files anymore no matter it is great on or not, right?
> >
> >
> >  Juan Pan (Trista)
> >
> > Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> > E-mail: panjuan@apache.org
> >
> >
> >
> >
> > On 01/2/2020 12:00,Willem Jiang<wi...@gmail.com> wrote:
> > If someone uses the compromised private key to sign a new release, we
> > should be able to tell if the public key is revoked.
> > If we just delete the key from the KEY file, it's hard to tell if the
> > public key is valid or not.
> >
> > Willem Jiang
> >
> > Twitter: willemjiang
> > Weibo: 姜宁willem
> >
> > On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:
> >
> > Hi Willem,
> >
> >
> > Just for curiosity, if the old key was used for one release and now is
> compromised, how about the release signed by this old and compromised key?
> > Since this release exists in our release list and if anyone downloads it
> from our website and intends to check it again with the bad key.
> >
> >
> > Thanks, trista
> >
> >
> > Juan Pan (Trista)
> >
> > Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> > E-mail: panjuan@apache.org
> >
> >
> >
> >
> > On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
> > If the private key is compromised[1] or if we cannot find the private
> > key, we should revoke the public KEY[2].
> > Please keep your private key in a safe place.
> >
> > [1]
> https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
> > [3]
> http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/
> >
> > Willem Jiang
> >
> > Twitter: willemjiang
> > Weibo: 姜宁willem
> >
> > On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com>
> wrote:
> >
> > You can't simply delete the old one. Because ShardingSphere has existing
> > release based on that KEY :)
> > We could still continue in this way, but it should not be recommended if
> > your old key is still available.
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
> >
> > On Thu, Jan 2, 2020 at 10:18 AM Juan Pan <pa...@apache.org> wrote:
> >
> > Hi Liang,
> >
> >
> > If you plan not to use the old one any more, deleting it is an
> alternative
> > to avoid confusion. If so, it is necessary to delete it in KEYS file and
> > public key servers, IMO.
> >
> >
> > Juan Pan (Trista)
> >
> > Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> > E-mail: panjuan@apache.org
> >
> >
> >
> >
> > On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> > My concern is making people confused. The PGP could export and import
> from
> > the old laptop. You don't need a new one.
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
> >
> > On Wed, Jan 1, 2020 at 8:55 PM zhangliang@apache.org <zh...@apache.org> wrote:
> >
> > A question, why you have two pgp keys in the KEYS file?
> >
> > I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> > this version.
> > Do you think we could remove the 1st one? because I will never use that
> gpg
> > key again, but do we need to keep it to make the 4.0.0-RC1 can be
> validate?
> >
> > ------------------
> >
> > Liang Zhang (John)
> > Apache ShardingSphere & Dubbo
> >
> >
> > On Wed, Jan 1, 2020 at 8:34 PM Sheng Wu <wu...@gmail.com> wrote:
> >
> > Hi Liang Zhang
> >
> > A question, why you have two pgp keys in the KEYS file?
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
> >
> > On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org <zh...@apache.org> wrote:
> >
> > Hello ShardingSphere Community,
> >
> > This is a call for vote to release Apache ShardingSphere (Incubating)
> > version 4.0.0
> >
> > Release notes:
> >
> >
> >
> >
> >
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
> >
> > The release candidates:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
> >
> > Maven 2 staging repository:
> >
> >
> >
> >
> >
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
> >
> > Git tag for the release:
> > https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
> >
> > Release Commit ID:
> >
> >
> >
> >
> >
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
> >
> > Keys to verify the Release Candidate:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
> >
> > Look at here for how to verify this release candidate:
> > https://shardingsphere.apache.org/community/en/contribute/release/
> >
> > The vote will be open for at least 72 hours or until necessary number
> > of
> > votes are reached.
> >
> > Please vote accordingly:
> >
> > [ ] +1 approve
> >
> > [ ] +0 no opinion
> >
> > [ ] -1 disapprove with the reason
> >
> > Checklist for reference:
> >
> > [ ] Download links are valid.
> >
> > [ ] Checksums and PGP signatures are valid.
> >
> > [ ] DISCLAIMER is included.
> >
> > [ ] Source code artifacts have correct names matching the current
> > release.
> >
> > [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
> >
> > [ ] All files have license headers if necessary.
> >
> > [ ] No compiled archives bundled in source archive.
> >
> > ------------------
> >
> > Liang Zhang (John)
> > Apache ShardingSphere & Dubbo
> >
> >
> >
> >
>

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Juan Pan <pa...@apache.org>.
Thanks for your explanation, Willem. 


Let me make it clear, my concern is that a public key ever signed for one release, and now this key is compromised, and although this key is in KEYS file, it could not work well. 
Therefore we could not use it to verify the integrity of the old release in [1] anymore.


On the one hand, if we keep this key in the KEY file, people would get the wrong information when verifying this legacy release, for it is a bad key; on the other hand, if we delete it from the KEY file, people could not verify this release either.


So, if Liang could not use the old key for some reason anymore, he has to keep the old one well for previous release verification, and to create a new one for the coming release in the meantime. Is it right?


[1] https://www.apache.org/dyn/closer.cgi#verify


 Juan Pan (Trista) 
                         
Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 12:08,Willem Jiang<wi...@gmail.com> wrote:
No, I don't think using the KEYS file can keep good track of the
public key, it doesn't support the revoke operation.
It's better to use the public Key server to host the public key and we
can know if the key is revoked or not.


Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 12:04 PM Juan Pan <pa...@apache.org> wrote:

That means once one key was used for one release, it could not be deleted from KEYS files anymore no matter it is great on or not, right?


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 12:00,Willem Jiang<wi...@gmail.com> wrote:
If someone uses the compromised private key to sign a new release, we
should be able to tell if the public key is revoked.
If we just delete the key from the KEY file, it's hard to tell if the
public key is valid or not.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:

Hi Willem,


Just for curiosity, if the old key was used for one release and now is compromised, how about the release signed by this old and compromised key?
Since this release exists in our release list and if anyone downloads it from our website and intends to check it again with the bad key.


Thanks, trista


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
If the private key is compromised[1] or if we cannot find the private
key, we should revoke the public KEY[2].
Please keep your private key in a safe place.

[1]https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
[3]http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com> wrote:

You can't simply delete the old one. Because ShardingSphere has existing
release based on that KEY :)
We could still continue in this way, but it should not be recommended if
your old key is still available.

Sheng Wu 吴晟
Twitter, wusheng1108


On Thu, Jan 2, 2020 at 10:18 AM Juan Pan <pa...@apache.org> wrote:

Hi Liang,


If you plan not to use the old one any more, deleting it is an alternative
to avoid confusion. If so, it is necessary to delete it in KEYS file and
public key servers, IMO.


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
My concern is making people confused. The PGP could export and import from
the old laptop. You don't need a new one.

Sheng Wu 吴晟
Twitter, wusheng1108


On Wed, Jan 1, 2020 at 8:55 PM zhangliang@apache.org <zh...@apache.org> wrote:

A question, why you have two pgp keys in the KEYS file?

I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
this version.
Do you think we could remove the 1st one? because I will never use that gpg
key again, but do we need to keep it to make the 4.0.0-RC1 can be validate?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


On Wed, Jan 1, 2020 at 8:34 PM Sheng Wu <wu...@gmail.com> wrote:

Hi Liang Zhang

A question, why you have two pgp keys in the KEYS file?

Sheng Wu 吴晟
Twitter, wusheng1108


On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org <zh...@apache.org> wrote:

Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:




https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:




https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:




https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number
of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current
release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo





Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Willem Jiang <wi...@gmail.com>.
No, I don't think using the KEYS file can keep good track of the
public key, it doesn't support the revoke operation.
It's better to use the public Key server to host the public key and we
can know if the key is revoked or not.


Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 12:04 PM Juan Pan <pa...@apache.org> wrote:
>
> That means once one key was used for one release, it could not be deleted from KEYS files anymore no matter it is great on or not, right?
>
>
>  Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 12:00,Willem Jiang<wi...@gmail.com> wrote:
> If someone uses the compromised private key to sign a new release, we
> should be able to tell if the public key is revoked.
> If we just delete the key from the KEY file, it's hard to tell if the
> public key is valid or not.
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:
>
> Hi Willem,
>
>
> Just for curiosity, if the old key was used for one release and now is compromised, how about the release signed by this old and compromised key?
> Since this release exists in our release list and if anyone downloads it from our website and intends to check it again with the bad key.
>
>
> Thanks, trista
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
> If the private key is compromised[1] or if we cannot find the private
> key, we should revoke the public KEY[2].
> Please keep your private key in a safe place.
>
> [1]https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
> [3]http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com> wrote:
>
> You can't simply delete the old one. Because ShardingSphere has existing
> release based on that KEY :)
> We could still continue in this way, but it should not be recommended if
> your old key is still available.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> On Thu, Jan 2, 2020 at 10:18 AM Juan Pan <pa...@apache.org> wrote:
>
> Hi Liang,
>
>
> If you plan not to use the old one any more, deleting it is an alternative
> to avoid confusion. If so, it is necessary to delete it in KEYS file and
> public key servers, IMO.
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> My concern is making people confused. The PGP could export and import from
> the old laptop. You don't need a new one.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> On Wed, Jan 1, 2020 at 8:55 PM zhangliang@apache.org <zh...@apache.org> wrote:
>
> A question, why you have two pgp keys in the KEYS file?
>
> I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> this version.
> Do you think we could remove the 1st one? because I will never use that gpg
> key again, but do we need to keep it to make the 4.0.0-RC1 can be validate?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> On Wed, Jan 1, 2020 at 8:34 PM Sheng Wu <wu...@gmail.com> wrote:
>
> Hi Liang Zhang
>
> A question, why you have two pgp keys in the KEYS file?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org <zh...@apache.org> wrote:
>
> Hello ShardingSphere Community,
>
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
>
> Release notes:
>
>
>
>
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
> Maven 2 staging repository:
>
>
>
>
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
> Release Commit ID:
>
>
>
>
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
>
> The vote will be open for at least 72 hours or until necessary number
> of
> votes are reached.
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference:
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current
> release.
>
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
> [ ] All files have license headers if necessary.
>
> [ ] No compiled archives bundled in source archive.
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
>
>
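
Willem's point in the message above, that a deleted key and a revoked key look very different to a verifier, shows up in GnuPG's machine-readable status output. The Python sketch below is an added example, not part of the original thread or of the project's release tooling; it classifies the output of `gpg --status-fd 1 --verify`, and the fingerprints, key IDs and sample status text are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

PREFIX = "[GNUPG:] "

# Constructed placeholders, not real keys.
FPR_NEW = "A" * 40  # current release-signing key, listed in KEYS
FPR_OLD = "B" * 40  # earlier signing key, since revoked

# Constructed status output for three situations discussed in the thread.
SAMPLE_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {FPR_NEW[-16:]} Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG {FPR_NEW} 2019-12-30 1577713417 0 4 0 1 10 00 {FPR_NEW}
"""
SAMPLE_REVOKED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG {FPR_OLD[-16:]} Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG {FPR_OLD} 2019-11-20 1574208000 0 4 0 1 10 00 {FPR_OLD}
"""
SAMPLE_KEY_DELETED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG {FPR_OLD[-16:]} 1 10 00 1574208000 9
[GNUPG:] NO_PUBKEY {FPR_OLD[-16:]}
"""

# gpg status keywords that report the outcome of one signature check.
SIG_STATES = {
    "GOODSIG": "good",
    "REVKEYSIG": "revoked-key",
    "EXPKEYSIG": "expired-key",
    "EXPSIG": "expired-signature",
    "BADSIG": "bad-signature",
    "ERRSIG": "unverifiable",
}

REASONS = {
    "revoked-key": "signature is intact but the signing key has been revoked",
    "expired-key": "signature is intact but the signing key has expired",
    "expired-signature": "signature is intact but has itself expired",
    "bad-signature": "artifact or signature was modified",
    "unverifiable": "signature could not be checked",
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    state: str
    fingerprint: Optional[str]
    reason: str


def parse_status(text):
    """Return (keyword, args) for every [GNUPG:] line, ignoring other output."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                records.append((parts[0], parts[1:]))
    return records


def classify(status_text, pinned):
    """Decide whether one detached signature is acceptable for a release.

    `pinned` is the set of primary-key fingerprints the verifier trusts,
    for example those imported from the project's KEYS file.
    """
    states, fingerprint, missing = [], None, False
    for keyword, args in parse_status(status_text):
        if keyword in SIG_STATES:
            states.append(SIG_STATES[keyword])
        elif keyword == "VALIDSIG" and args:
            # The tenth field is the primary key fingerprint when present.
            fingerprint = args[-1] if len(args) >= 10 else args[0]
        elif keyword == "NO_PUBKEY":
            missing = True
    if len(states) != 1:
        return Verdict(False, "ambiguous", fingerprint,
                       "expected exactly one signature result")
    state = states[0]
    if state == "unverifiable" and missing:
        # Key absent from the keyring: revoked and never-trusted keys are
        # indistinguishable here, which is the problem with deleting a key.
        return Verdict(False, "unknown-key", None,
                       "public key not available; revocation status unknown")
    if state == "good":
        if fingerprint in pinned:
            return Verdict(True, "good", fingerprint, "signed by a pinned key")
        return Verdict(False, "unpinned-key", fingerprint,
                       "valid signature from a key that is not pinned")
    return Verdict(False, state, fingerprint, REASONS[state])


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("revoked", SAMPLE_REVOKED),
                         ("deleted", SAMPLE_KEY_DELETED)]:
        print(name, classify(sample, {FPR_NEW, FPR_OLD}))
```
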

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Juan Pan <pa...@apache.org>.
That means once one key was used for one release, it could not be deleted from KEYS files anymore no matter it is great on or not, right?


 Juan Pan (Trista) 
                         
Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 12:00,Willem Jiang<wi...@gmail.com> wrote:
If someone uses the compromised private key to sign a new release, we
should be able to tell if the public key is revoked.
If we just delete the key from the KEY file, it's hard to tell if the
public key is valid or not.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:

Hi Willem,


Just for curiosity, if the old key was used for one release and now is compromised, how about the release signed by this old and compromised key?
Since this release exists in our release list and if anyone downloads it from our website and intends to check it again with the bad key.


Thanks, trista


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
If the private key is compromised[1] or if we cannot find the private
key, we should revoke the public KEY[2].
Please keep your private key in a safe place.

[1]https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
[3]http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com> wrote:

You can't simply delete the old one. Because ShardingSphere has existing
release based on that KEY :)
We could still continue in this way, but it should not be recommended if
your old key is still available.

Sheng Wu 吴晟
Twitter, wusheng1108


On Thu, Jan 2, 2020 at 10:18 AM Juan Pan <pa...@apache.org> wrote:

Hi Liang,


If you plan not to use the old one any more, deleting it is an alternative
to avoid confusion. If so, it is necessary to delete it in KEYS file and
public key servers, IMO.


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
My concern is making people confused. The PGP could export and import from
the old laptop. You don't need a new one.

Sheng Wu 吴晟
Twitter, wusheng1108


On Wed, Jan 1, 2020 at 8:55 PM zhangliang@apache.org <zh...@apache.org> wrote:

A question, why you have two pgp keys in the KEYS file?

I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
this version.
Do you think we could remove the 1st one? because I will never use that gpg
key again, but do we need to keep it to make the 4.0.0-RC1 can be validate?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


On Wed, Jan 1, 2020 at 8:34 PM Sheng Wu <wu...@gmail.com> wrote:

Hi Liang Zhang

A question, why you have two pgp keys in the KEYS file?

Sheng Wu 吴晟
Twitter, wusheng1108


On Mon, Dec 30, 2019 at 9:44 PM zhangliang@apache.org <zh...@apache.org> wrote:

Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:




https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:




https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:




https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number
of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current
release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo





Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Willem Jiang <wi...@gmail.com>.
If someone uses the compromised private key to sign a new release, we
should be able to tell if the public key is revoked.
If we just delete the key from the KEY file, it's hard to tell if the
public key is valid or not.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 11:55 AM Juan Pan <pa...@apache.org> wrote:
>
> Hi Willem,
>
>
> Just for curiosity, if the old key was used for one release and now is compromised, how about the release signed by this old and compromised key?
> Since this release exists in our release list and if anyone downloads it from our website and intends to check it again with the bad key.
>
>
> Thanks, trista
>
>
>  Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
> If the private key is compromised[1] or if we cannot find the private
> key, we should revoke the public KEY[2].
> Please keep your private key in a safe place.
>
> [1]https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
> [3]http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com> wrote:
>
> You can't simply delete the old one. Because ShardingSphere has existing
> release based on that KEY :)
> We could still continue in this way, but it should not be recommended if
> your old key is still available.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:
>
> Hi Liang,
>
>
> If you plan not to use the old one any more, deleting it is an alternative
> to avoid confusion. If so, it is necessary to delete it in KEYS file and
> public key servers, IMO.
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> My concern is making people confused. The PGP could export and import from
> the old laptop. You don't need a new one.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:
>
> A question, why you have two pgp keys in the KEYS file?
>
> I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> this version.
> Do you think we could remove the 1st one? because I will never use that gpg
> key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
>
> Hi Liang Zhang
>
> A question, why you have two pgp keys in the KEYS file?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:
>
> Hello ShardingSphere Community,
>
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
>
> Release notes:
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
> Maven 2 staging repository:
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
> Release Commit ID:
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
>
> The vote will be open for at least 72 hours or until necessary number of
> votes are reached.
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference:
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current
> release.
>
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
> [ ] All files have license headers if necessary.
>
> [ ] No compiled archives bundled in source archive.
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
>
>
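
Added example (not part of the thread or of ShardingSphere's release tooling): a sketch of what a verifier sees in the three cases the replies above compare, by classifying the status lines that `gpg --status-fd 1 --verify` prints. The status keywords (GOODSIG, EXPKEYSIG, ERRSIG, NO_PUBKEY, KEYREVOKED, REVKEYSIG, BADSIG) are GnuPG's own; the function names, key ID, user ID and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the machine-readable status lines from
#   gpg --status-fd 1 --verify <artifact>.asc <artifact>
# Prints "<verdict> <keyid>"; with several signatures the worst verdict wins.
# Function names are hypothetical; the sample data below is constructed.

classify_gpg_status() {
    verdict="no-signature"; keyid="-"; rank=0
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG)   new="good";               r=1 ;;  # signature checks out, key usable
            EXPKEYSIG) new="key-expired";        r=2 ;;  # good signature, key has expired
            ERRSIG)    new="cannot-check";       r=3 ;;  # signature could not be checked
            NO_PUBKEY) new="key-not-in-keyring"; r=4 ;;  # e.g. key deleted from KEYS
            REVKEYSIG) new="key-revoked";        r=5 ;;  # good signature, key is revoked
            BADSIG)    new="bad-signature";      r=6 ;;  # data does not match signature
            *) continue ;;
        esac
        if [ "$r" -gt "$rank" ]; then
            verdict=$new; keyid=$arg; rank=$r
        fi
    done
    printf '%s %s\n' "$verdict" "$keyid"
}

# Gate for a verification script: succeed only on a good signature
# made by a key that is present and neither expired nor revoked.
release_gate() {
    case "$(classify_gpg_status)" in
        "good "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed status output, trimmed to the lines the classifier reads.
# Case 1: the signing key is still listed in KEYS and has been imported.
sample_key_present() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000000000A1 Constructed Release Manager <rm@example.invalid>
EOF
}

# Case 2: the key was deleted from KEYS, so the verifier never imported it.
sample_key_deleted() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 00000000000000A1 1 8 00 1577713417 9
[GNUPG:] NO_PUBKEY 00000000000000A1
EOF
}

# Case 3: the key stays in KEYS together with its revocation.
sample_key_revoked() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] KEYREVOKED
[GNUPG:] REVKEYSIG 00000000000000A1 Constructed Release Manager <rm@example.invalid>
EOF
}

for s in sample_key_present sample_key_deleted sample_key_revoked; do
    printf '%-20s -> %s\n' "$s" "$($s | classify_gpg_status)"
done
```

In the deleted-key case the verifier only learns that the key is missing; in the revoked-key case gpg names the key and reports the revocation explicitly.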

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Juan Pan <pa...@apache.org>.
Hi Willem,


Just for curiosity, if the old key was used for one release and now is compromised, how about the release signed by this old and compromised key? 
Since this release exists in our release list and if anyone downloads it from our website and intends to check it again with the bad key.


Thanks, trista


 Juan Pan (Trista) 
                         
Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 11:29,Willem Jiang<wi...@gmail.com> wrote:
If the private key is compromised[1] or if we cannot find the private
key, we should revoke the public KEY[2].
Please keep your private key in a safe place.

[1]https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
[3]http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com> wrote:

You can't simply delete the old one. Because ShardingSphere has existing
release based on that KEY :)
We could still continue in this way, but it should not be recommended if
your old key is still available.

Sheng Wu 吴晟
Twitter, wusheng1108


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:

Hi Liang,


If you plan not to use the old one any more, deleting it is an alternative
to avoid confusion. If so, it is necessary to delete it in KEYS file and
public key servers, IMO.


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
My concern is making people confused. The PGP could export and import from
the old laptop. You don't need a new one.

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:

A question, why you have two pgp keys in the KEYS file?

I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
this version.
Do you think we could remove the 1st one? because I will never use that gpg
key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:

Hi Liang Zhang

A question, why you have two pgp keys in the KEYS file?

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:

Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:
https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:
https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current
release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo





Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Willem Jiang <wi...@gmail.com>.
If the private key is compromised[1] or if we cannot find the private
key, we should revoke the public KEY[2].
Please keep your private key in a safe place.

[1]https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/
[3]http://blog.chapagain.com.np/gpg-revoking-your-public-key-and-notifiying-key-server/

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Thu, Jan 2, 2020 at 10:21 AM Sheng Wu <wu...@gmail.com> wrote:
>
> You can't simply delete the old one. Because ShardingSphere has existing
> release based on that KEY :)
> We could still continue in this way, but it should not be recommended if
> your old key is still available.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:
>
> > Hi Liang,
> >
> >
> > If you plan not to use the old one any more, deleting it is an alternative
> > to avoid confusion. If so, it is necessary to delete it in KEYS file and
> > public key servers, IMO.
> >
> >
> >  Juan Pan (Trista)
> >
> > Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> > E-mail: panjuan@apache.org
> >
> >
> >
> >
> > On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> > My concern is making people confused. The PGP could export and import from
> > the old laptop. You don't need a new one.
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
> >
> > zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:
> >
> > A question, why you have two pgp keys in the KEYS file?
> >
> > I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> > this version.
> > Do you think we could remove the 1st one? because I will never use that gpg
> > key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?
> >
> > ------------------
> >
> > Liang Zhang (John)
> > Apache ShardingSphere & Dubbo
> >
> >
> > Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
> >
> > Hi Liang Zhang
> >
> > A question, why you have two pgp keys in the KEYS file?
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
> >
> > zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:
> >
> > Hello ShardingSphere Community,
> >
> > This is a call for vote to release Apache ShardingSphere (Incubating)
> > version 4.0.0
> >
> > Release notes:
> > https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
> >
> > The release candidates:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
> >
> > Maven 2 staging repository:
> > https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
> >
> > Git tag for the release:
> > https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
> >
> > Release Commit ID:
> > https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
> >
> > Keys to verify the Release Candidate:
> > https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
> >
> > Look at here for how to verify this release candidate:
> > https://shardingsphere.apache.org/community/en/contribute/release/
> >
> > The vote will be open for at least 72 hours or until necessary number of
> > votes are reached.
> >
> > Please vote accordingly:
> >
> > [ ] +1 approve
> >
> > [ ] +0 no opinion
> >
> > [ ] -1 disapprove with the reason
> >
> > Checklist for reference:
> >
> > [ ] Download links are valid.
> >
> > [ ] Checksums and PGP signatures are valid.
> >
> > [ ] DISCLAIMER is included.
> >
> > [ ] Source code artifacts have correct names matching the current
> > release.
> >
> > [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
> >
> > [ ] All files have license headers if necessary.
> >
> > [ ] No compiled archives bundled in source archive.
> >
> > ------------------
> >
> > Liang Zhang (John)
> > Apache ShardingSphere & Dubbo
> >
> >
> >
> >

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by "zhangliang@apache.org" <zh...@apache.org>.
Sure, 2 same usernames will make the checker confused.
I prefer to re-release again for round 3 and just make sure one release
manager only has a single gpg signature.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 11:12 AM:

> Much appreciated, Sheng, makes sense.
>
>
>  Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 11:09,Sheng Wu<wu...@gmail.com> wrote:
> Yes, because the verification is introduced on the official website,
> download page, right? If we delete it, users will fail when we do the
> verification.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 11:03 AM:
>
> Hi Sheng,
>
>
> Thanks for your correction.
> Just confirm, the key point is that the old key for 4.0.0-RC1 release
> which passed the release vote but exists in our release list now could not
> be deleted, right? In other words, only one certain release exists, the key
> used for which must exist?
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 10:21,Sheng Wu<wu...@gmail.com> wrote:
> You can't simply delete the old one. Because ShardingSphere has existing
> release based on that KEY :)
> We could still continue in this way, but it should not be recommended if
> your old key is still available.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:
>
> Hi Liang,
>
>
> If you plan not to use the old one any more, deleting it is an alternative
> to avoid confusion. If so, it is necessary to delete it in KEYS file and
> public key servers, IMO.
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> My concern is making people confused. The PGP could export and import from
> the old laptop. You don't need a new one.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:
>
> A question, why you have two pgp keys in the KEYS file?
>
> I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> this version.
> Do you think we could remove the 1st one? because I will never use that gpg
> key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
>
> Hi Liang Zhang
>
> A question, why you have two pgp keys in the KEYS file?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:
>
> Hello ShardingSphere Community,
>
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
>
> Release notes:
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
> Maven 2 staging repository:
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
> Release Commit ID:
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
>
> The vote will be open for at least 72 hours or until necessary number of
> votes are reached.
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference:
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current
> release.
>
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
> [ ] All files have license headers if necessary.
>
> [ ] No compiled archives bundled in source archive.
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
>
>
>
>

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Juan Pan <pa...@apache.org>.
Much appreciated, Sheng, makes sense.


 Juan Pan (Trista) 
                         
Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 11:09,Sheng Wu<wu...@gmail.com> wrote:
Yes, because the verification is introduced on the official website,
download page, right? If we delete it, users will fail when we do the
verification.

Sheng Wu 吴晟
Twitter, wusheng1108


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 11:03 AM:

Hi Sheng,


Thanks for your correction.
Just confirm, the key point is that the old key for 4.0.0-RC1 release
which passed the release vote but exists in our release list now could not
be deleted, right? In other words, only one certain release exists, the key
used for which must exist?


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 10:21,Sheng Wu<wu...@gmail.com> wrote:
You can't simply delete the old one. Because ShardingSphere has existing
release based on that KEY :)
We could still continue in this way, but it should not be recommended if
your old key is still available.

Sheng Wu 吴晟
Twitter, wusheng1108


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:

Hi Liang,


If you plan not to use the old one any more, deleting it is an alternative
to avoid confusion. If so, it is necessary to delete it in KEYS file and
public key servers, IMO.


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
My concern is making people confused. The PGP could export and import from
the old laptop. You don't need a new one.

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:

A question, why you have two pgp keys in the KEYS file?

I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
this version.
Do you think we could remove the 1st one? because I will never use that gpg
key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:

Hi Liang Zhang

A question, why you have two pgp keys in the KEYS file?

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:

Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:
https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:
https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current
release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo






Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Sheng Wu <wu...@gmail.com>.
Yes, because the verification is introduced on the official website,
download page, right? If we delete it, users will fail when we do the
verification.

Sheng Wu 吴晟
Twitter, wusheng1108


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 11:03 AM:

> Hi Sheng,
>
>
> Thanks for your correction.
> Just confirm, the key point is that the old key for 4.0.0-RC1 release
> which passed the release vote but exists in our release list now could not
> be deleted, right? In other words, only one certain release exists, the key
> used for which must exist?
>
>
>  Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/2/2020 10:21,Sheng Wu<wu...@gmail.com> wrote:
> You can't simply delete the old one. Because ShardingSphere has existing
> release based on that KEY :)
> We could still continue in this way, but it should not be recommended if
> your old key is still available.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:
>
> Hi Liang,
>
>
> If you plan not to use the old one any more, deleting it is an alternative
> to avoid confusion. If so, it is necessary to delete it in KEYS file and
> public key servers, IMO.
>
>
> Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> My concern is making people confused. The PGP could export and import from
> the old laptop. You don't need a new one.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:
>
> A question, why you have two pgp keys in the KEYS file?
>
> I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> this version.
> Do you think we could remove the 1st one? because I will never use that gpg
> key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
>
> Hi Liang Zhang
>
> A question, why you have two pgp keys in the KEYS file?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:
>
> Hello ShardingSphere Community,
>
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
>
> Release notes:
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
> Maven 2 staging repository:
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
> Release Commit ID:
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
>
> The vote will be open for at least 72 hours or until necessary number of
> votes are reached.
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference:
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current
> release.
>
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
> [ ] All files have license headers if necessary.
>
> [ ] No compiled archives bundled in source archive.
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
>
>
>

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Juan Pan <pa...@apache.org>.
Hi Sheng,


Thanks for your correction. 
Just confirm, the key point is that the old key for 4.0.0-RC1 release which passed the release vote but exists in our release list now could not be deleted, right? In other words, only one certain release exists, the key used for which must exist?


 Juan Pan (Trista) 
                         
Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/2/2020 10:21,Sheng Wu<wu...@gmail.com> wrote:
You can't simply delete the old one. Because ShardingSphere has existing
release based on that KEY :)
We could still continue in this way, but it should not be recommended if
your old key is still available.

Sheng Wu 吴晟
Twitter, wusheng1108


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:

Hi Liang,


If you plan not to use the old one any more, deleting it is an alternative
to avoid confusion. If so, it is necessary to delete it in KEYS file and
public key servers, IMO.


Juan Pan (Trista)

Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
My concern is making people confused. The PGP could export and import from
the old laptop. You don't need a new one.

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:

A question, why you have two pgp keys in the KEYS file?

I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
this version.
Do you think we could remove the 1st one? because I will never use that gpg
key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:

Hi Liang Zhang

A question, why you have two pgp keys in the KEYS file?

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:

Hello ShardingSphere Community,

This is a call for vote to release Apache ShardingSphere (Incubating)
version 4.0.0

Release notes:
https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md

The release candidates:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/

Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/

Git tag for the release:
https://github.com/apache/incubator-shardingsphere/tree/4.0.0/

Release Commit ID:
https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9

Keys to verify the Release Candidate:
https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS

Look at here for how to verify this release candidate:
https://shardingsphere.apache.org/community/en/contribute/release/

The vote will be open for at least 72 hours or until necessary number of
votes are reached.

Please vote accordingly:

[ ] +1 approve

[ ] +0 no opinion

[ ] -1 disapprove with the reason

Checklist for reference:

[ ] Download links are valid.

[ ] Checksums and PGP signatures are valid.

[ ] DISCLAIMER is included.

[ ] Source code artifacts have correct names matching the current
release.

[ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.

[ ] All files have license headers if necessary.

[ ] No compiled archives bundled in source archive.

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo





Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Sheng Wu <wu...@gmail.com>.
You can't simply delete the old one. Because ShardingSphere has existing
release based on that KEY :)
We could still continue in this way, but it should not be recommended if
your old key is still available.

Sheng Wu 吴晟
Twitter, wusheng1108


Juan Pan <pa...@apache.org> wrote on Thu, Jan 2, 2020 at 10:18 AM:

> Hi Liang,
>
>
> If you plan not to use the old one any more, deleting it is an alternative
> to avoid confusion. If so, it is necessary to delete it in KEYS file and
> public key servers, IMO.
>
>
>  Juan Pan (Trista)
>
> Senior DBA & PPMC of Apache ShardingSphere(Incubating)
> E-mail: panjuan@apache.org
>
>
>
>
> On 01/1/2020 21:26,Sheng Wu<wu...@gmail.com> wrote:
> My concern is making people confused. The PGP could export and import from
> the old laptop. You don't need a new one.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:
>
> A question, why you have two pgp keys in the KEYS file?
>
> I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for
> this version.
> Do you think we could remove the 1st one? because I will never use that gpg
> key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
>
> Hi Liang Zhang
>
> A question, why you have two pgp keys in the KEYS file?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Mon, Dec 30, 2019 at 9:44 PM:
>
> Hello ShardingSphere Community,
>
> This is a call for vote to release Apache ShardingSphere (Incubating)
> version 4.0.0
>
> Release notes:
> https://github.com/apache/incubator-shardingsphere/blob/dev/RELEASE-NOTES.md
>
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/4.0.0/
>
> Maven 2 staging repository:
> https://repository.apache.org/content/repositories/orgapacheshardingsphere-1029/org/apache/shardingsphere/
>
> Git tag for the release:
> https://github.com/apache/incubator-shardingsphere/tree/4.0.0/
>
> Release Commit ID:
> https://github.com/apache/incubator-shardingsphere/commit/f81f4f03b1dd4b426adf1f29ffe93f9540ce6fc9
>
> Keys to verify the Release Candidate:
> https://dist.apache.org/repos/dist/dev/incubator/shardingsphere/KEYS
>
> Look at here for how to verify this release candidate:
> https://shardingsphere.apache.org/community/en/contribute/release/
>
> The vote will be open for at least 72 hours or until necessary number of
> votes are reached.
>
> Please vote accordingly:
>
> [ ] +1 approve
>
> [ ] +0 no opinion
>
> [ ] -1 disapprove with the reason
>
> Checklist for reference:
>
> [ ] Download links are valid.
>
> [ ] Checksums and PGP signatures are valid.
>
> [ ] DISCLAIMER is included.
>
> [ ] Source code artifacts have correct names matching the current
> release.
>
> [ ] LICENSE and NOTICE files are correct for each ShardingSphere repo.
>
> [ ] All files have license headers if necessary.
>
> [ ] No compiled archives bundled in source archive.
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
>
>

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Juan Pan <pa...@apache.org>.
Hi Liang,


If you plan not to use the old one any more, deleting it is an alternative to avoid confusion. If so, it is necessary to delete it in KEYS file and public key servers, IMO.


 Juan Pan (Trista) 
                         
Senior DBA & PPMC of Apache ShardingSphere(Incubating)
E-mail: panjuan@apache.org




On 01/1/2020 21:26, Sheng Wu <wu...@gmail.com> wrote:
> My concern is making people confused. The PGP key could be exported and imported from
> the old laptop. You don't need a new one.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:
>
> > > A question: why do you have two pgp keys in the KEYS file?
> >
> > I changed computers; the 1st one is for the 4.0.0-RC1, the 4th one is for
> > this version.
> > Do you think we could remove the 1st one? Because I will never use that gpg
> > key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?
> >
> > ------------------
> >
> > Liang Zhang (John)
> > Apache ShardingSphere & Dubbo
> >
> >
> > Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
> >
> > > Hi Liang Zhang
> > >
> > > A question: why do you have two pgp keys in the KEYS file?
> > >
> > > Sheng Wu 吴晟
> > > Twitter, wusheng1108





Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Sheng Wu <wu...@gmail.com>.
My concern is making people confused. The PGP key could be exported and imported from
the old laptop. You don't need a new one.

Sheng Wu 吴晟
Twitter, wusheng1108


zhangliang@apache.org <zh...@apache.org> wrote on Wed, Jan 1, 2020 at 8:55 PM:

> > A question: why do you have two pgp keys in the KEYS file?
>
> I changed computers; the 1st one is for the 4.0.0-RC1, the 4th one is for
> this version.
> Do you think we could remove the 1st one? Because I will never use that gpg
> key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?
>
> ------------------
>
> Liang Zhang (John)
> Apache ShardingSphere & Dubbo
>
>
> Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:
>
> > Hi Liang Zhang
> >
> > A question: why do you have two pgp keys in the KEYS file?
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
> >

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by "zhangliang@apache.org" <zh...@apache.org>.
> A question: why do you have two pgp keys in the KEYS file?

I changed computers; the 1st one is for the 4.0.0-RC1, the 4th one is for
this version.
Do you think we could remove the 1st one? Because I will never use that gpg
key again, but do we need to keep it so that the 4.0.0-RC1 can be validated?

------------------

Liang Zhang (John)
Apache ShardingSphere & Dubbo


Sheng Wu <wu...@gmail.com> wrote on Wed, Jan 1, 2020 at 8:34 PM:

> Hi Liang Zhang
>
> A question: why do you have two pgp keys in the KEYS file?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
>
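
The choice discussed in the messages above (carry the existing signing key to the new machine, or generate a new key and decide whether the old one stays in KEYS), as an added example that is not part of the original thread or of the project's release tooling. It uses throwaway GnuPG homes, constructed files and constructed user IDs; all function, variable and file names are assumptions.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway keys and files, not the project's real release keys.
G() { local h=$1; shift; gpg --homedir "$h" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
new_home() { local d; d=$(mktemp -d) && chmod 700 "$d" && echo "$d"; }
fpr_of() { G "$1" --with-colons --list-keys 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'; }

# verify_with KEYS FILE SIG: import only the keys in KEYS into a fresh keyring, then verify.
verify_with() {
  local h rc; h=$(new_home)
  G "$h" --import "$1" >/dev/null 2>&1
  G "$h" --verify "$3" "$2" >/dev/null 2>&1; rc=$?
  rm -rf "$h"; return $rc
}

setup() {
  W=$(mktemp -d); OLD=$(new_home); MOVED=$(new_home); FRESH=$(new_home)
  echo "rc1 source archive (constructed)" > "$W/rc1.zip"
  echo "final source archive (constructed)" > "$W/final.zip"
  # Old laptop: key A signs RC1.
  G "$OLD" --quick-generate-key "RM old laptop <rm@example.invalid>" ed25519 sign never 2>/dev/null
  G "$OLD" --armor --detach-sign -o "$W/rc1.zip.asc" "$W/rc1.zip"
  G "$OLD" --armor --export > "$W/key_a.asc"
  # Option 1: move key A to the new laptop (export the secret key, import it there).
  G "$OLD" --armor --export-secret-keys > "$W/secret_a.asc"
  G "$MOVED" --import "$W/secret_a.asc" 2>/dev/null
  G "$MOVED" --armor --detach-sign -o "$W/final_by_a.asc" "$W/final.zip"
  # Option 2: generate a new key B on the new laptop.
  G "$FRESH" --quick-generate-key "RM new laptop <rm@example.invalid>" ed25519 sign never 2>/dev/null
  G "$FRESH" --armor --detach-sign -o "$W/final_by_b.asc" "$W/final.zip"
  G "$FRESH" --armor --export > "$W/key_b.asc"
  cat "$W/key_a.asc" "$W/key_b.asc" > "$W/KEYS.both"
}

check() { if verify_with "$@"; then echo valid; else echo "NOT verifiable"; fi; }
report() {
  echo "same fingerprint after export/import: $([ "$(fpr_of "$OLD")" = "$(fpr_of "$MOVED")" ] && echo yes || echo no)"
  echo "KEYS = A only,  final signed by A: $(check "$W/key_a.asc" "$W/final.zip" "$W/final_by_a.asc")"
  echo "KEYS = B only,  RC1 signed by A:   $(check "$W/key_b.asc" "$W/rc1.zip" "$W/rc1.zip.asc")"
  echo "KEYS = A and B, RC1 signed by A:   $(check "$W/KEYS.both" "$W/rc1.zip" "$W/rc1.zip.asc")"
}
cleanup() {
  for h in "$OLD" "$MOVED" "$FRESH"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; rm -rf "$h"; done
  rm -rf "$W"
}
[ "${1:-}" = "run" ] && { setup; report; cleanup; }
```

Invoked with the argument `run`, the script prints the four results. A keyring built from a KEYS file that lists only the new key cannot verify the RC1 signature, while a moved key keeps its fingerprint and a single KEYS entry covers both artifacts.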

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

Posted by Sheng Wu <wu...@gmail.com>.
Hi Liang Zhang

A question: why do you have two pgp keys in the KEYS file?

Sheng Wu 吴晟
Twitter, wusheng1108

