Posted to dev@calcite.apache.org by Francis Chuang <fr...@apache.org> on 2021/04/07 23:33:47 UTC

[VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Hi all,

I have created a build for Apache Calcite Avatica 1.18.0, release
candidate 0.

Thanks to everyone who has contributed to this release.

You can read the release notes here:
https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md

The commit to be voted upon:
https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6

Its hash is 9486557be86bcade35d814d8a81be638395f57c6

Tag:
https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0

The artifacts to be voted on are located here:
https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
(revision 46928)

The hashes of the artifacts are as follows:
a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
*apache-calcite-avatica-1.18.0-src.tar.gz

A staged Maven repository is available for review at:
https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/

Release artifacts are signed with the following key:
https://people.apache.org/keys/committer/francischuang.asc
https://www.apache.org/dist/calcite/KEYS

N.B.
To create the jars and test Apache Calcite Avatica: "./gradlew build 
-Prelease -PskipSign".

If you do not have a Java environment available, you can run the tests
using docker. To do so, install docker and docker-compose, then run
"docker-compose run test" from the root of the directory.

Please vote on releasing this package as Apache Calcite Avatica 1.18.0.

The vote is open for the next 72 hours and passes if a majority of at
least three +1 PMC votes are cast.

[ ] +1 Release this package as Apache Calcite 1.18.0
[ ]  0 I don't feel strongly about it, but I'm okay with the release
[ ] -1 Do not release this package because...


Here is my vote:

+1 (binding)

Francis

Re: [CANCEL][VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
I have created https://github.com/apache/calcite-avatica/pull/144 with fixes for those two issues. I think we’re good to go for RC 1.

Julian


> On May 10, 2021, at 5:01 PM, Julian Hyde <jh...@gmail.com> wrote:
> 
> OK, thanks.
> 
> I will fix those 2 issues in the next day or two, then let’s do a new RC.
> 
>> On May 10, 2021, at 3:33 PM, Francis Chuang <fr...@apache.org> wrote:
>> 
>> The vote for apache-calcite-avatica-1.18.0 (release candidate 0) has been cancelled pending the resolution of the following issues:
>> - https://issues.apache.org/jira/browse/CALCITE-4575
>> - https://issues.apache.org/jira/browse/CALCITE-4576
>> 
>> Francis
>> 
>> On 8/04/2021 9:33 am, Francis Chuang wrote:
>>> Hi all,
>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>> candidate 0.
>>> Thanks to everyone who has contributed to this release.
>>> You can read the release notes here:
>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>> The commit to be voted upon:
>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>> Tag:
>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>> The artifacts to be voted on are located here:
>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 (revision 46928)
>>> The hashes of the artifacts are as follows:
>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 *apache-calcite-avatica-1.18.0-src.tar.gz
>>> A staged Maven repository is available for review at:
>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>> Release artifacts are signed with the following key:
>>> https://people.apache.org/keys/committer/francischuang.asc
>>> https://www.apache.org/dist/calcite/KEYS
>>> N.B.
>>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>> If you do not have a Java environment available, you can run the tests
>>> using docker. To do so, install docker and docker-compose, then run
>>> "docker-compose run test" from the root of the directory.
>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>> The vote is open for the next 72 hours and passes if a majority of at
>>> least three +1 PMC votes are cast.
>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>> [ ] -1 Do not release this package because...
>>> Here is my vote:
>>> +1 (binding)
>>> Francis
> 


Re: [CANCEL][VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
OK, thanks.

I will fix those 2 issues in the next day or two, then let’s do a new RC.

> On May 10, 2021, at 3:33 PM, Francis Chuang <fr...@apache.org> wrote:
> 
> The vote for apache-calcite-avatica-1.18.0 (release candidate 0) has been cancelled pending the resolution of the following issues:
> - https://issues.apache.org/jira/browse/CALCITE-4575
> - https://issues.apache.org/jira/browse/CALCITE-4576
> 
> Francis
> 
> On 8/04/2021 9:33 am, Francis Chuang wrote:
>> Hi all,
>> I have created a build for Apache Calcite Avatica 1.18.0, release
>> candidate 0.
>> Thanks to everyone who has contributed to this release.
>> You can read the release notes here:
>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>> The commit to be voted upon:
>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>> Tag:
>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>> The artifacts to be voted on are located here:
>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 (revision 46928)
>> The hashes of the artifacts are as follows:
>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 *apache-calcite-avatica-1.18.0-src.tar.gz
>> A staged Maven repository is available for review at:
>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>> Release artifacts are signed with the following key:
>> https://people.apache.org/keys/committer/francischuang.asc
>> https://www.apache.org/dist/calcite/KEYS
>> N.B.
>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>> If you do not have a Java environment available, you can run the tests
>> using docker. To do so, install docker and docker-compose, then run
>> "docker-compose run test" from the root of the directory.
>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>> The vote is open for the next 72 hours and passes if a majority of at
>> least three +1 PMC votes are cast.
>> [ ] +1 Release this package as Apache Calcite 1.18.0
>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>> [ ] -1 Do not release this package because...
>> Here is my vote:
>> +1 (binding)
>> Francis


[CANCEL][VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Francis Chuang <fr...@apache.org>.
The vote for apache-calcite-avatica-1.18.0 (release candidate 0) has 
been cancelled pending the resolution of the following issues:
- https://issues.apache.org/jira/browse/CALCITE-4575
- https://issues.apache.org/jira/browse/CALCITE-4576

Francis

On 8/04/2021 9:33 am, Francis Chuang wrote:
> Hi all,
> 
> I have created a build for Apache Calcite Avatica 1.18.0, release
> candidate 0.
> 
> Thanks to everyone who has contributed to this release.
> 
> You can read the release notes here:
> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md 
> 
> 
> The commit to be voted upon:
> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6 
> 
> 
> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
> 
> Tag:
> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0 
> 
> 
> The artifacts to be voted on are located here:
> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 
> 
> (revision 46928)
> 
> The hashes of the artifacts are as follows:
> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 
> 
> *apache-calcite-avatica-1.18.0-src.tar.gz
> 
> A staged Maven repository is available for review at:
> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/ 
> 
> 
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/francischuang.asc
> https://www.apache.org/dist/calcite/KEYS
> 
> N.B.
> To create the jars and test Apache Calcite Avatica: "./gradlew build 
> -Prelease -PskipSign".
> 
> If you do not have a Java environment available, you can run the tests
> using docker. To do so, install docker and docker-compose, then run
> "docker-compose run test" from the root of the directory.
> 
> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
> 
> The vote is open for the next 72 hours and passes if a majority of at
> least three +1 PMC votes are cast.
> 
> [ ] +1 Release this package as Apache Calcite 1.18.0
> [ ]  0 I don't feel strongly about it, but I'm okay with the release
> [ ] -1 Do not release this package because...
> 
> 
> Here is my vote:
> 
> +1 (binding)
> 
> Francis

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Josh Elser <el...@apache.org>.
+1 (binding)

* xsums/sigs work (after the `curl -L` stuff)
* No binary files noticed in src release
* Can build and run tests in src tarball

On 4/7/21 7:33 PM, Francis Chuang wrote:
> Hi all,
> 
> I have created a build for Apache Calcite Avatica 1.18.0, release
> candidate 0.
> 
> Thanks to everyone who has contributed to this release.
> 
> You can read the release notes here:
> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md 
> 
> 
> The commit to be voted upon:
> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6 
> 
> 
> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
> 
> Tag:
> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0 
> 
> 
> The artifacts to be voted on are located here:
> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 
> 
> (revision 46928)
> 
> The hashes of the artifacts are as follows:
> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 
> 
> *apache-calcite-avatica-1.18.0-src.tar.gz
> 
> A staged Maven repository is available for review at:
> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/ 
> 
> 
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/francischuang.asc
> https://www.apache.org/dist/calcite/KEYS
> 
> N.B.
> To create the jars and test Apache Calcite Avatica: "./gradlew build 
> -Prelease -PskipSign".
> 
> If you do not have a Java environment available, you can run the tests
> using docker. To do so, install docker and docker-compose, then run
> "docker-compose run test" from the root of the directory.
> 
> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
> 
> The vote is open for the next 72 hours and passes if a majority of at
> least three +1 PMC votes are cast.
> 
> [ ] +1 Release this package as Apache Calcite 1.18.0
> [ ]  0 I don't feel strongly about it, but I'm okay with the release
> [ ] -1 Do not release this package because...
> 
> 
> Here is my vote:
> 
> +1 (binding)
> 
> Francis

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Vladimir Sitnikov <si...@gmail.com>.
Julian>Makes sense. I am forever confused by signing & keys. If other
people have no concerns, then I’m fine.

I'm fine with the current signature.

Hopefully, https://sigstore.dev/ would mature soon so we have better than
PGP tools to sign the artifacts.
I'm not sure if adding https://jedisct1.github.io/minisign/ adds something
valuable at this point though.

Vladimir

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
Francis,

This vote has been open for over a month. As release manager, do you have the information necessary to cancel the vote or announce a result? We need to move on.

Julian


> On Apr 20, 2021, at 3:32 PM, Francis Chuang <fr...@apache.org> wrote:
> 
> Hey Josh,
> 
> I believe the short key id uses the last 8 characters of the key id.
> 
> This is the output when listing my secret keys:
> ❯ gpg --list-secret-keys
> /home/francis/.gnupg/pubring.kbx
> --------------------------------
> sec   rsa4096 2018-04-16 [SC]
>      635665E0BE3F72552910CB74BBE44E923A970AB7
> uid           [ultimate] Francis Chuang <fr...@a....org>
> ssb   rsa4096 2018-04-16 [E]
> 
> This is the entry in KEYS:
> -----END PGP PUBLIC KEY BLOCK-----
> 
> pub   rsa4096/3A970AB7 2018-04-16 [SC]
> uid         [ultimate] Francis Chuang <fr...@a....org>
> sig 3        3A970AB7 2018-04-16  Francis Chuang <fr...@apache.org>
> sig          2AD3FAE3 2018-07-25  Julian Hyde (CODE SIGNING KEY) <jh...@a....org>
> sig          2F471B9E 2018-07-25  Jungtaek Lim (HeartSaVioR) <ka...@g....com>
> sub   rsa4096/34BCCFB3 2018-04-16 [E]
> sig          3A970AB7 2018-04-16  Francis Chuang <fr...@a....org>
> 
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> The last 8 characters of the key id in both short and long formats match:
> 635665E0BE3F72552910CB74BBE44E923A970AB7
>                                3A970AB7
> 
> Francis
> 
> On 21/04/2021 4:14 am, Josh Elser wrote:
>> Uh, I'm confused too and seeing the same thing that Julian saw.
>> The key 635665E0 does not exist in the https://www.apache.org/dist/calcite/KEYS. What is in the KEYS file is 3A970AB7.
>> I don't see this key in pgp.mit.edu when I search, either. I can't seem to find a server which responds to do a `gpg --search-key` either.
>> Vladimir -- were you able to validate the signature? If so, do you have this key in `gpg --fingerprint`?
>> On 4/8/21 1:59 PM, Julian Hyde wrote:
>>> Makes sense. I am forever confused by signing & keys. If other people have no concerns, then I’m fine.
>>> 
>>>> On Apr 8, 2021, at 1:43 AM, Francis Chuang <fr...@apache.org> wrote:
>>>> 
>>>> Regarding the key, I wonder if it's because my key was only signed by 2 other individuals. See here [1] and here [2].
>>>> 
>>>> [1] https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature 
>>>> [2] https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209 
>>>> 
>>>> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>>>>> 1. Regarding the key. Even after doing
>>>>> $ gpg --import  ~/apache/dist/release/calcite/KEYS
>>>>> I got the following error:
>>>>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>>>>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>> gpg: Good signature from "Francis Chuang <fr...@apache.org>" [unknown]
>>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>>> gpg:          There is no indication that the signature belongs to the owner.
>>>>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
>>>>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>>>>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files.
>>>>> Julian
>>>>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>>> 
>>>>>> Hey Julian,
>>>>>> 
>>>>>> The key I used to sign the release is the same as the one in KEYS:
>>>>>> 
>>>>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>>> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
>>>>>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>>> gpg: Good signature from "Francis Chuang <fr...@a.o>" [ultimate]
>>>>>> 
>>>>>> For the 2 issues:
>>>>>> - The gradle-wrapper.jar issue probably affects calcite as well, so we need to get this fixed in both repos.
>>>>>> - I believe the license is generated by the release plugin. I think there was some discussion on the mailing list in the past, but I can't find the threads for some reason.
>>>>>> 
>>>>>> Francis
>>>>>> 
>>>>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>>>>> Francis,
>>>>>>> Thank you for getting this release done. We lost momentum and I appreciate you pushing through.
>>>>>>> Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS?
>>>>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>>>>>> Two problems:
>>>>>>>   * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288.
>>>>>>>   * LICENSE in the tar.gz differs from LICENSE in git
>>>>>>> -1 (binding) due to the above two problems.
>>>>>>> Julian
>>>>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>>>>> 
>>>>>>>> Hi all,
>>>>>>>> 
>>>>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>>>>> candidate 0.
>>>>>>>> 
>>>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>>> 
>>>>>>>> You can read the release notes here:
>>>>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md 
>>>>>>>> 
>>>>>>>> The commit to be voted upon:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6 
>>>>>>>> 
>>>>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>>>>> 
>>>>>>>> Tag:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0 
>>>>>>>> 
>>>>>>>> The artifacts to be voted on are located here:
>>>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 
>>>>>>>> (revision 46928)
>>>>>>>> 
>>>>>>>> The hashes of the artifacts are as follows:
>>>>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 
>>>>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>>>>> 
>>>>>>>> A staged Maven repository is available for review at:
>>>>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/ 
>>>>>>>> 
>>>>>>>> Release artifacts are signed with the following key:
>>>>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>>>>> 
>>>>>>>> N.B.
>>>>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>>>>>>> 
>>>>>>>> If you do not have a Java environment available, you can run the tests
>>>>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>>>>> "docker-compose run test" from the root of the directory.
>>>>>>>> 
>>>>>>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>>>>>>> 
>>>>>>>> The vote is open for the next 72 hours and passes if a majority of at
>>>>>>>> least three +1 PMC votes are cast.
>>>>>>>> 
>>>>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>>>>>>> [ ] -1 Do not release this package because...
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Here is my vote:
>>>>>>>> 
>>>>>>>> +1 (binding)
>>>>>>>> 
>>>>>>>> Francis
>>> 


Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Josh Elser <el...@apache.org>.
I think I see what happened. I had been doing `curl 
https://www.apache.org/dist/calcite/KEYS | gpg --import`

If you do a `curl -v`, ASF set up an HTTP/302 redirect over to 
https://downloads.apache.org/calcite/KEYS. I think I was passing the 
HTTP redirect into `gpg --import` (which, of course, imported nothing).

If I do `curl -L https://www.apache.org/dist/calcite/KEYS | gpg 
--import`, I then get Francis' key as expected.

Real vote coming shortly :)

On 4/20/21 6:32 PM, Francis Chuang wrote:
> Hey Josh,
> 
> I believe the short key id uses the last 8 characters of the key id.
> 
> This is the output when listing my secret keys:
> ❯ gpg --list-secret-keys
> /home/francis/.gnupg/pubring.kbx
> --------------------------------
> sec   rsa4096 2018-04-16 [SC]
>       635665E0BE3F72552910CB74BBE44E923A970AB7
> uid           [ultimate] Francis Chuang <fr...@a....org>
> ssb   rsa4096 2018-04-16 [E]
> 
> This is the entry in KEYS:
> -----END PGP PUBLIC KEY BLOCK-----
> 
> pub   rsa4096/3A970AB7 2018-04-16 [SC]
> uid         [ultimate] Francis Chuang <fr...@a....org>
> sig 3        3A970AB7 2018-04-16  Francis Chuang <fr...@apache.org>
> sig          2AD3FAE3 2018-07-25  Julian Hyde (CODE SIGNING KEY) 
> <jh...@a....org>
> sig          2F471B9E 2018-07-25  Jungtaek Lim (HeartSaVioR) 
> <ka...@g....com>
> sub   rsa4096/34BCCFB3 2018-04-16 [E]
> sig          3A970AB7 2018-04-16  Francis Chuang <fr...@a....org>
> 
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> The last 8 characters of the key id in both short and long formats match:
> 635665E0BE3F72552910CB74BBE44E923A970AB7
>                                 3A970AB7
> 
> Francis
> 
> On 21/04/2021 4:14 am, Josh Elser wrote:
>> Uh, I'm confused too and seeing the same thing that Julian saw.
>>
>> The key 635665E0 does not exist in the 
>> https://www.apache.org/dist/calcite/KEYS. What is in the KEYS file is 
>> 3A970AB7.
>>
>> I don't see this key in pgp.mit.edu when I search, either. I can't 
>> seem to find a server which responds to do a `gpg --search-key` either.
>>
>> Vladimir -- were you able to validate the signature? If so, do you 
>> have this key in `gpg --fingerprint`?
>>
>> On 4/8/21 1:59 PM, Julian Hyde wrote:
>>> Makes sense. I am forever confused by signing & keys. If other people 
>>> have no concerns, then I’m fine.
>>>
>>>> On Apr 8, 2021, at 1:43 AM, Francis Chuang 
>>>> <fr...@apache.org> wrote:
>>>>
>>>> Regarding the key, I wonder if it's because my key was only signed 
>>>> by 2 other individuals. See here [1] and here [2].
>>>>
>>>> [1] 
>>>> https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature 
>>>>
>>>> [2] 
>>>> https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209 
>>>>
>>>>
>>>> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>>>>> 1. Regarding the key. Even after doing
>>>>> $ gpg --import  ~/apache/dist/release/calcite/KEYS
>>>>> I got the following error:
>>>>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>> gpg: assuming signed data in 
>>>>> 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>>>>> gpg:                using RSA key 
>>>>> 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>> gpg: Good signature from "Francis Chuang 
>>>>> <fr...@apache.org>" [unknown]
>>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>>> gpg:          There is no indication that the signature belongs to 
>>>>> the owner.
>>>>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 
>>>>> 3A97 0AB7
>>>>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>>>>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t 
>>>>> recall where it ended up. My opinion is that neither the release 
>>>>> plugin (nor the release manager) should be modifying source files.
>>>>> Julian
>>>>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang 
>>>>>> <fr...@apache.org> wrote:
>>>>>>
>>>>>> Hey Julian,
>>>>>>
>>>>>> The key I used to sign the release is the same as the one in KEYS:
>>>>>>
>>>>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>>> gpg: assuming signed data in 
>>>>>> 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>>> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
>>>>>> gpg:                using RSA key 
>>>>>> 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>>> gpg: Good signature from "Francis Chuang <fr...@a.o>" 
>>>>>> [ultimate]
>>>>>>
>>>>>> For the 2 issues:
>>>>>> - The gradle-wrapper.jar issue probably affects calcite as well, 
>>>>>> so we need to get this fixed in both repos.
>>>>>> - I believe the license is generated by the release plugin. I 
>>>>>> think there was some discussion on the mailing list in the past, 
>>>>>> but I can't find the threads for some reason.
>>>>>>
>>>>>> Francis
>>>>>>
>>>>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>>>>> Francis,
>>>>>>> Thank you for getting this release done. We lost momentum and I 
>>>>>>> appreciate you pushing through.
>>>>>>> Is this a different key than your existing key in KEYS? If so can 
>>>>>>> you add it to 
>>>>>>> https://dist.apache.org/repos/dist/release/calcite/KEYS?
>>>>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, 
>>>>>>> copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>>>>>> Two problems:
>>>>>>>   * tar.gz contains a binary file 
>>>>>>> (gradle/wrapper/gradle-wrapper.jar). I recently became aware that 
>>>>>>> this is a breach of Apache release policy; see 
>>>>>>> https://issues.apache.org/jira/browse/LEGAL-288.
>>>>>>>   * LICENSE in the tar.gz differs from LICENSE in git
>>>>>>> -1 (binding) due to the above two problems.
>>>>>>> Julian
>>>>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang 
>>>>>>>> <fr...@apache.org> wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>>>>> candidate 0.
>>>>>>>>
>>>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>>>
>>>>>>>> You can read the release notes here:
>>>>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md 
>>>>>>>>
>>>>>>>>
>>>>>>>> The commit to be voted upon:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6 
>>>>>>>>
>>>>>>>>
>>>>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>>>>>
>>>>>>>> Tag:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0 
>>>>>>>>
>>>>>>>>
>>>>>>>> The artifacts to be voted on are located here:
>>>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 
>>>>>>>>
>>>>>>>> (revision 46928)
>>>>>>>>
>>>>>>>> The hashes of the artifacts are as follows:
>>>>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 
>>>>>>>>
>>>>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>>>>>
>>>>>>>> A staged Maven repository is available for review at:
>>>>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/ 
>>>>>>>>
>>>>>>>>
>>>>>>>> Release artifacts are signed with the following key:
>>>>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>>>>>
>>>>>>>> N.B.
>>>>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew 
>>>>>>>> build -Prelease -PskipSign".
>>>>>>>>
>>>>>>>> If you do not have a Java environment available, you can run the 
>>>>>>>> tests
>>>>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>>>>> "docker-compose run test" from the root of the directory.
>>>>>>>>
>>>>>>>> Please vote on releasing this package as Apache Calcite Avatica 
>>>>>>>> 1.18.0.
>>>>>>>>
>>>>>>>> The vote is open for the next 72 hours and passes if a majority 
>>>>>>>> of at
>>>>>>>> least three +1 PMC votes are cast.
>>>>>>>>
>>>>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the 
>>>>>>>> release
>>>>>>>> [ ] -1 Do not release this package because...
>>>>>>>>
>>>>>>>>
>>>>>>>> Here is my vote:
>>>>>>>>
>>>>>>>> +1 (binding)
>>>>>>>>
>>>>>>>> Francis
>>>

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Francis Chuang <fr...@apache.org>.
Hey Josh,

I believe the short key id uses the last 8 characters of the key id.

This is the output when listing my secret keys:
❯ gpg --list-secret-keys
/home/francis/.gnupg/pubring.kbx
--------------------------------
sec   rsa4096 2018-04-16 [SC]
       635665E0BE3F72552910CB74BBE44E923A970AB7
uid           [ultimate] Francis Chuang <fr...@a....org>
ssb   rsa4096 2018-04-16 [E]

This is the entry in KEYS:
-----END PGP PUBLIC KEY BLOCK-----

pub   rsa4096/3A970AB7 2018-04-16 [SC]
uid         [ultimate] Francis Chuang <fr...@a....org>
sig 3        3A970AB7 2018-04-16  Francis Chuang <fr...@apache.org>
sig          2AD3FAE3 2018-07-25  Julian Hyde (CODE SIGNING KEY) 
<jh...@a....org>
sig          2F471B9E 2018-07-25  Jungtaek Lim (HeartSaVioR) 
<ka...@g....com>
sub   rsa4096/34BCCFB3 2018-04-16 [E]
sig          3A970AB7 2018-04-16  Francis Chuang <fr...@a....org>

-----BEGIN PGP PUBLIC KEY BLOCK-----

The last 8 characters of the key id in both short and long formats match:
635665E0BE3F72552910CB74BBE44E923A970AB7
                                 3A970AB7

Francis

On 21/04/2021 4:14 am, Josh Elser wrote:
> Uh, I'm confused too and seeing the same thing that Julian saw.
> 
> The key 635665E0 does not exist in the 
> https://www.apache.org/dist/calcite/KEYS. What is in the KEYS file is 
> 3A970AB7.
> 
> I don't see this key in pgp.mit.edu when I search, either. I can't seem 
> to find a server which responds to do a `gpg --search-key` either.
> 
> Vladimir -- were you able to validate the signature? If so, do you have 
> this key in `gpg --fingerprint`?
> 
> On 4/8/21 1:59 PM, Julian Hyde wrote:
>> Makes sense. I am forever confused by signing & keys. If other people 
>> have no concerns, then I’m fine.
>>
>>> On Apr 8, 2021, at 1:43 AM, Francis Chuang <fr...@apache.org> 
>>> wrote:
>>>
>>> Regarding the key, I wonder if it's because my key was only signed by 
>>> 2 other individuals. See here [1] and here [2].
>>>
>>> [1] 
>>> https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature 
>>>
>>> [2] 
>>> https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209 
>>>
>>>
>>> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>>>> 1. Regarding the key. Even after doing
>>>> $ gpg --import  ~/apache/dist/release/calcite/KEYS
>>>> I got the following error:
>>>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>>>> gpg:                using RSA key 
>>>> 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>> gpg: Good signature from "Francis Chuang <fr...@apache.org>" 
>>>> [unknown]
>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>> gpg:          There is no indication that the signature belongs to 
>>>> the owner.
>>>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 
>>>> 3A97 0AB7
>>>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>>>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t 
>>>> recall where it ended up. My opinion is that neither the release 
>>>> plugin (nor the release manager) should be modifying source files.
>>>> Julian
>>>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang 
>>>>> <fr...@apache.org> wrote:
>>>>>
>>>>> Hey Julian,
>>>>>
>>>>> The key I used to sign the release is the same as the one in KEYS:
>>>>>
>>>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>> gpg: assuming signed data in 
>>>>> 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
>>>>> gpg:                using RSA key 
>>>>> 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>> gpg: Good signature from "Francis Chuang <fr...@a.o>" 
>>>>> [ultimate]
>>>>>
>>>>> For the 2 issues:
>>>>> - The gradle-wrapper.jar issue probably affects calcite as well, so 
>>>>> we need to get this fixed in both repos.
>>>>> - I believe the license is generated by the release plugin. I think 
>>>>> there was some discussion on the mailing list in the past, but I 
>>>>> can't find the threads for some reason.
>>>>>
>>>>> Francis
>>>>>
>>>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>>>> Francis,
>>>>>> Thank you for getting this release done. We lost momentum and I 
>>>>>> appreciate you pushing through.
>>>>>> Is this a different key than your existing key in KEYS? If so can 
>>>>>> you add it to 
>>>>>> https://dist.apache.org/repos/dist/release/calcite/KEYS? 
>>>>>> <https://dist.apache.org/repos/dist/release/calcite/KEYS?>
>>>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright 
>>>>>> dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>>>>> Two problems:
>>>>>>   * tar.gz contains a binary file 
>>>>>> (gradle/wrapper/gradle-wrapper.jar). I recently became aware that 
>>>>>> this is a breach of Apache release policy; see 
>>>>>> https://issues.apache.org/jira/browse/LEGAL-288 
>>>>>> <https://issues.apache.org/jira/browse/LEGAL-288>.
>>>>>>   * LICENSE in the tar.gz differs from LICENSE in git
>>>>>> -1 (binding) due to the above two problems.
>>>>>> Julian
>>>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang 
>>>>>>> <fr...@apache.org> wrote:
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>>>> candidate 0.
>>>>>>>
>>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>>
>>>>>>> You can read the release notes here:
>>>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md 
>>>>>>>
>>>>>>>
>>>>>>> The commit to be voted upon:
>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6 
>>>>>>>
>>>>>>>
>>>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>>>>
>>>>>>> Tag:
>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0 
>>>>>>>
>>>>>>>
>>>>>>> The artifacts to be voted on are located here:
>>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 
>>>>>>>
>>>>>>> (revision 46928)
>>>>>>>
>>>>>>> The hashes of the artifacts are as follows:
>>>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 
>>>>>>>
>>>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>>>>
>>>>>>> A staged Maven repository is available for review at:
>>>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/ 
>>>>>>>
>>>>>>>
>>>>>>> Release artifacts are signed with the following key:
>>>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>>>>
>>>>>>> N.B.
>>>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew 
>>>>>>> build -Prelease -PskipSign".
>>>>>>>
>>>>>>> If you do not have a Java environment available, you can run the 
>>>>>>> tests
>>>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>>>> "docker-compose run test" from the root of the directory.
>>>>>>>
>>>>>>> Please vote on releasing this package as Apache Calcite Avatica 
>>>>>>> 1.18.0.
>>>>>>>
>>>>>>> The vote is open for the next 72 hours and passes if a majority 
>>>>>>> of at
>>>>>>> least three +1 PMC votes are cast.
>>>>>>>
>>>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>>>>>> [ ] -1 Do not release this package because...
>>>>>>>
>>>>>>>
>>>>>>> Here is my vote:
>>>>>>>
>>>>>>> +1 (binding)
>>>>>>>
>>>>>>> Francis
>>
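
The comparison described in the message above, as an added example that is not part of the original e-mail or of the project's release tooling: it parses the `gpg --verify` output and the KEYS entry quoted in this thread and reports how the signing key's fingerprint relates to the listed key ID. The function names are hypothetical, and the sample text is copied from the thread with addresses as redacted by the archive.

```python
import re

# Copied from the gpg output quoted in this thread.
GPG_VERIFY_OUTPUT = """\
gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <fr...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
"""

# pub/sub lines of the KEYS entry quoted in this thread.
KEYS_LISTING = """\
pub   rsa4096/3A970AB7 2018-04-16 [SC]
uid         [ultimate] Francis Chuang <fr...@a....org>
sub   rsa4096/34BCCFB3 2018-04-16 [E]
"""

LABELS = {8: "short (32-bit)", 16: "long (64-bit)", 40: "full fingerprint"}


def normalize(hex_text):
    """Drop whitespace from a fingerprint or key ID and upper-case it."""
    return re.sub(r"\s+", "", hex_text).upper()


def parse_verify(text):
    """Extract signing key, signature status and key validity from gpg output."""
    flat = " ".join(text.split())  # undo the line wrapping added by mail clients
    key = re.search(r"using \w+ key ([0-9A-Fa-f]{16,40})", flat)
    good = re.search(r'Good signature from "([^"]*)" \[(\w+)\]', flat)
    fpr = re.search(r"Primary key fingerprint: ((?:[0-9A-Fa-f]{4} ?){10})", flat)
    return {
        "signing_key": normalize(key.group(1)) if key else None,
        "good": good is not None,
        # Validity ([unknown], [ultimate], ...) describes local trust in the
        # key's ownership, not whether the signature itself checked out.
        "validity": good.group(2) if good else None,
        "primary_fingerprint": normalize(fpr.group(1)) if fpr else None,
    }


def listed_key_ids(listing):
    """Return (kind, key_id) for each pub/sub line of a key listing."""
    pattern = r"^(pub|sub)\s+\w+/([0-9A-Fa-f]{8,40})\b"
    return [(m.group(1), m.group(2).upper())
            for m in re.finditer(pattern, listing, re.M)]


def match_strength(fingerprint, key_id):
    """A v4 key ID is the low-order end of the fingerprint, never its start."""
    fpr, kid = normalize(fingerprint), normalize(key_id)
    if not re.fullmatch(r"[0-9A-F]{40}", fpr) or len(kid) not in LABELS:
        raise ValueError("expected a 40-hex fingerprint and an 8/16/40-hex key ID")
    return LABELS[len(kid)] if fpr.endswith(kid) else None


def review(verify_text, keys_listing):
    """Relate the key that made the signature to the primary keys in KEYS."""
    v = parse_verify(verify_text)
    fpr = v["primary_fingerprint"] or v["signing_key"]
    if fpr is None:
        raise ValueError("no key fingerprint found in gpg output")
    matches = []
    for kind, kid in listed_key_ids(keys_listing):
        strength = match_strength(fpr, kid) if kind == "pub" else None
        if strength:
            matches.append((kid, strength))
    return {
        "signature_good": v["good"],
        "key_validity": v["validity"],
        "fingerprint": fpr,
        # A 32-bit match only identifies a candidate key: short IDs can
        # collide, so confirm against the full fingerprint before trusting it.
        "keys_matches": matches,
    }


if __name__ == "__main__":
    print(review(GPG_VERIFY_OUTPUT, KEYS_LISTING))
```

Comparing the first 8 hex digits of the fingerprint (635665E0) against the short ID in KEYS finds nothing; the short ID is the last 8.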

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Josh Elser <el...@apache.org>.
Uh, I'm confused too and seeing the same thing that Julian saw.

The key 635665E0 does not exist in the 
https://www.apache.org/dist/calcite/KEYS. What is in the KEYS file is 
3A970AB7.

I don't see this key in pgp.mit.edu when I search, either. I can't seem 
to find a server which responds to do a `gpg --search-key` either.

Vladimir -- were you able to validate the signature? If so, do you have 
this key in `gpg --fingerprint`?

On 4/8/21 1:59 PM, Julian Hyde wrote:
> Makes sense. I am forever confused by signing & keys. If other people have no concerns, then I’m fine.
> 
>> On Apr 8, 2021, at 1:43 AM, Francis Chuang <fr...@apache.org> wrote:
>>
>> Regarding the key, I wonder if it's because my key was only signed by 2 other individuals. See here [1] and here [2].
>>
>> [1] https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature
>> [2] https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209
>>
>> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>>> 1. Regarding the key. Even after doing
>>> $ gpg --import  ~/apache/dist/release/calcite/KEYS
>>> I got the following error:
>>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>> gpg: Good signature from "Francis Chuang <fr...@apache.org>" [unknown]
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg:          There is no indication that the signature belongs to the owner.
>>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
>>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files.
>>> Julian
>>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>
>>>> Hey Julian,
>>>>
>>>> The key I used to sign the release is the same as the one in KEYS:
>>>>
>>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
>>>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>> gpg: Good signature from "Francis Chuang <fr...@a.o>" [ultimate]
>>>>
>>>> For the 2 issues:
>>>> - The gradle-wrapper.jar issue probably affects calcite as well, so we need to get this fixed in both repos.
>>>> - I believe the license is generated by the release plugin. I think there was some discussion on the mailing list in the past, but I can't find the threads for some reason.
>>>>
>>>> Francis
>>>>
>>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>>> Francis,
>>>>> Thank you for getting this release done. We lost momentum and I appreciate you pushing through.
>>>>> Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS? <https://dist.apache.org/repos/dist/release/calcite/KEYS?>
>>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>>>> Two problems:
>>>>>   * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288 <https://issues.apache.org/jira/browse/LEGAL-288>.
>>>>>   * LICENSE in the tar.gz differs from LICENSE in git
>>>>> -1 (binding) due to the above two problems.
>>>>> Julian
>>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>>> candidate 0.
>>>>>>
>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>
>>>>>> You can read the release notes here:
>>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>>>>>
>>>>>> The commit to be voted upon:
>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>>>>>
>>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>>>
>>>>>> Tag:
>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>>>>>
>>>>>> The artifacts to be voted on are located here:
>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
>>>>>> (revision 46928)
>>>>>>
>>>>>> The hashes of the artifacts are as follows:
>>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
>>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>>>
>>>>>> A staged Maven repository is available for review at:
>>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>>>>>
>>>>>> Release artifacts are signed with the following key:
>>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>>>
>>>>>> N.B.
>>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>>>>>
>>>>>> If you do not have a Java environment available, you can run the tests
>>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>>> "docker-compose run test" from the root of the directory.
>>>>>>
>>>>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>>>>>
>>>>>> The vote is open for the next 72 hours and passes if a majority of at
>>>>>> least three +1 PMC votes are cast.
>>>>>>
>>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>>>>> [ ] -1 Do not release this package because...
>>>>>>
>>>>>>
>>>>>> Here is my vote:
>>>>>>
>>>>>> +1 (binding)
>>>>>>
>>>>>> Francis
> 

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
Makes sense. I am forever confused by signing & keys. If other people have no concerns, then I’m fine.

> On Apr 8, 2021, at 1:43 AM, Francis Chuang <fr...@apache.org> wrote:
> 
> Regarding the key, I wonder if it's because my key was only signed by 2 other individuals. See here [1] and here [2].
> 
> [1] https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature
> [2] https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209
> 
> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>> 1. Regarding the key. Even after doing
>> $ gpg --import  ~/apache/dist/release/calcite/KEYS
>> I got the following error:
>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>> gpg: Good signature from "Francis Chuang <fr...@apache.org>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files.
>> Julian
>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang <fr...@apache.org> wrote:
>>> 
>>> Hey Julian,
>>> 
>>> The key I used to sign the release is the same as the one in KEYS:
>>> 
>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
>>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>> gpg: Good signature from "Francis Chuang <fr...@a.o>" [ultimate]
>>> 
>>> For the 2 issues:
>>> - The gradle-wrapper.jar issue probably affects calcite as well, so we need to get this fixed in both repos.
>>> - I believe the license is generated by the release plugin. I think there was some discussion on the mailing list in the past, but I can't find the threads for some reason.
>>> 
>>> Francis
>>> 
>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>> Francis,
>>>> Thank you for getting this release done. We lost momentum and I appreciate you pushing through.
>>>> Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS? <https://dist.apache.org/repos/dist/release/calcite/KEYS?>
>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>>> Two problems:
>>>>  * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288 <https://issues.apache.org/jira/browse/LEGAL-288>.
>>>>  * LICENSE in the tar.gz differs from LICENSE in git
>>>> -1 (binding) due to the above two problems.
>>>> Julian
>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>> candidate 0.
>>>>> 
>>>>> Thanks to everyone who has contributed to this release.
>>>>> 
>>>>> You can read the release notes here:
>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>>>> 
>>>>> The commit to be voted upon:
>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>>>> 
>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>> 
>>>>> Tag:
>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>>>> 
>>>>> The artifacts to be voted on are located here:
>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
>>>>> (revision 46928)
>>>>> 
>>>>> The hashes of the artifacts are as follows:
>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>> 
>>>>> A staged Maven repository is available for review at:
>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>>>> 
>>>>> Release artifacts are signed with the following key:
>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>> 
>>>>> N.B.
>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>>>> 
>>>>> If you do not have a Java environment available, you can run the tests
>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>> "docker-compose run test" from the root of the directory.
>>>>> 
>>>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>>>> 
>>>>> The vote is open for the next 72 hours and passes if a majority of at
>>>>> least three +1 PMC votes are cast.
>>>>> 
>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>>>> [ ] -1 Do not release this package because...
>>>>> 
>>>>> 
>>>>> Here is my vote:
>>>>> 
>>>>> +1 (binding)
>>>>> 
>>>>> Francis


Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Francis Chuang <fr...@apache.org>.
Regarding the key, I wonder if it's because my key was only signed by 2 
other individuals. See here [1] and here [2].

[1] 
https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature
[2] 
https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209

On 8/04/2021 5:08 pm, Julian Hyde wrote:
> 1. Regarding the key. Even after doing
> 
> $ gpg --import  ~/apache/dist/release/calcite/KEYS
> 
> I got the following error:
> 
> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
> gpg: Good signature from "Francis Chuang <fr...@apache.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
> 
> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
> 
> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files.
> 
> Julian
> 
> 
>> On Apr 7, 2021, at 11:57 PM, Francis Chuang <fr...@apache.org> wrote:
>>
>> Hey Julian,
>>
>> The key I used to sign the release is the same as the one in KEYS:
>>
>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>> gpg: Good signature from "Francis Chuang <fr...@a.o>" [ultimate]
>>
>> For the 2 issues:
>> - The gradle-wrapper.jar issue probably affects calcite as well, so we need to get this fixed in both repos.
>> - I believe the license is generated by the release plugin. I think there was some discussion on the mailing list in the past, but I can't find the threads for some reason.
>>
>> Francis
>>
>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>> Francis,
>>> Thank you for getting this release done. We lost momentum and I appreciate you pushing through.
>>> Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS? <https://dist.apache.org/repos/dist/release/calcite/KEYS?>
>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>> Two problems:
>>>   * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288 <https://issues.apache.org/jira/browse/LEGAL-288>.
>>>   * LICENSE in the tar.gz differs from LICENSE in git
>>> -1 (binding) due to the above two problems.
>>> Julian
>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>> candidate 0.
>>>>
>>>> Thanks to everyone who has contributed to this release.
>>>>
>>>> You can read the release notes here:
>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>>>
>>>> The commit to be voted upon:
>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>>>
>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>
>>>> Tag:
>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>>>
>>>> The artifacts to be voted on are located here:
>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
>>>> (revision 46928)
>>>>
>>>> The hashes of the artifacts are as follows:
>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>
>>>> A staged Maven repository is available for review at:
>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>>>
>>>> Release artifacts are signed with the following key:
>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>> https://www.apache.org/dist/calcite/KEYS
>>>>
>>>> N.B.
>>>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>>>
>>>> If you do not have a Java environment available, you can run the tests
>>>> using docker. To do so, install docker and docker-compose, then run
>>>> "docker-compose run test" from the root of the directory.
>>>>
>>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>>>
>>>> The vote is open for the next 72 hours and passes if a majority of at
>>>> least three +1 PMC votes are cast.
>>>>
>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>>> [ ] -1 Do not release this package because...
>>>>
>>>>
>>>> Here is my vote:
>>>>
>>>> +1 (binding)
>>>>
>>>> Francis
> 

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Alessandro Solimando <al...@gmail.com>.
Hi everyone,

+1 (non-binding) after verifying the release as follows.

1) Checksum: OK

2) Signature: OK (same warning as Julian Hyde but that’s explained and
makes sense)

3) Running tests:

   - “./gradlew build -Prelease -PskipSign”: OK (see JVM and OS details at
     the bottom)
   - “docker-compose run test”: OK
   - Check CI on github for the commit: OK


A small error (coming from my original commit, apologies for not noticing
before) in “history.md#50
<https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=blob;f=site/_docs/history.md;h=a81e77e042166457eb95d28d3cb3ce71e6867f80;hb=9486557be86bcade35d814d8a81be638395f57c6#l50>
”:

java.lang.RuntimeException: java.lang.NoSuchFieldException: C

should be

java.lang.RuntimeException: java.lang.NoSuchFieldException: column

Happy to re-verify once the current issue with the release procedure is
resolved.

$ java -version:
openjdk version "1.8.0_265"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_265-b01)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.265-b01, mixed mode)

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.7
BuildVersion: 19H524


Best regards,

Alessandro



On Fri, 9 Apr 2021 at 23:28, Julian Hyde <jh...@apache.org> wrote:

> I have logged https://issues.apache.org/jira/browse/CALCITE-4575 and
> in it I propose that we exclude the Gradle wrapper (4 files) from the
> source distribution. We would also need to amend build instructions in
> site/_docs/howto.md.
>
> If ASF policy changes we can revisit, but we should not wait for that to
> happen.
>
> The other issue with the release can be fixed by committing the
> generated LICENSE file to Git. I have logged
> https://issues.apache.org/jira/browse/CALCITE-4576 outlining the
> problem and a possible solution.
>
> Julian
>
> On Fri, Apr 9, 2021 at 2:03 PM Stamatis Zampetakis <za...@gmail.com>
> wrote:
> >
> > There are various threads at @board, @legal-discuss and other places
> where
> > people are saying that Gradle wrapper jar is no exception to the rule and
> > should be excluded from the releases.
> >
> > I understand that there are disadvantages in removing the wrapper from our
> > repos but doing that solves the debate and potential conflicts with
> legal.
> >
> > If legal gives its blessings to include the jar in the release then
> great
> > but I am afraid this will take time and freezing the release for this is
> > not ideal.
> >
> > Best,
> > Stamatis
> >
> >
> > On Fri, Apr 9, 2021, 12:29 PM Vladimir Sitnikov <
> sitnikov.vladimir@gmail.com>
> > wrote:
> >
> > > Stamatis,
> > >
> > > Thank you for the reference.
> > > Cassandra case is vastly different: they included all the third-party
> > > dependencies into the source package.
> > >
> > > However, in the thread you mention [1] there's a link that makes "build
> > > tools" special:
> > > https://apache.org/legal/resolved.html#build-tools
> > >
> > > That page explicitly permits the inclusion of the build tools if they
> are
> > > used for build purposes.
> > >
> > > The removal of gradle-wrapper.jar from the source release would reduce
> > > security, and it would lower the release vote count
> > > as the number of steps to build and verify the code increases.
> > >
> > > [1]:
> > >
> > >
> https://lists.apache.org/thread.html/r1d7330da3c90eb4f2bb8555249572d85615c0f866b45ce04a30c00f2%40%3Cdev.cassandra.apache.org%3E
> > >
> > > Vladimir
> > >
>

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@apache.org>.
I have logged https://issues.apache.org/jira/browse/CALCITE-4575 and
in it I propose that we exclude the Gradle wrapper (4 files) from the
source distribution. We would also need to amend build instructions in
site/_docs/howto.md.

If ASF policy changes we can revisit, but we should not wait for that to happen.

The other issue with the release can be fixed by committing the
generated LICENSE file to Git. I have logged
https://issues.apache.org/jira/browse/CALCITE-4576 outlining the
problem and a possible solution.

Julian

On Fri, Apr 9, 2021 at 2:03 PM Stamatis Zampetakis <za...@gmail.com> wrote:
>
> There are various threads at @board, @legal-discuss and other places where
> people are saying that Gradle wrapper jar is no exception to the rule and
> should be excluded from the releases.
>
> I understand that there are disadvantages in removing the wrapper from our
> repos but doing that solves the debate and potential conflicts with legal.
>
> If legal gives its blessings to include the jar in the release then great
> but I am afraid this will take time and freezing the release for this is
> not ideal.
>
> Best,
> Stamatis
>
>
> On Fri, Apr 9, 2021, 12:29 PM Vladimir Sitnikov <si...@gmail.com>
> wrote:
>
> > Stamatis,
> >
> > Thank you for the reference.
> > Cassandra case is vastly different: they included all the third-party
> > dependencies into the source package.
> >
> > However, in the thread you mention [1] there's a link that makes "build
> > tools" special:
> > https://apache.org/legal/resolved.html#build-tools
> >
> > That page explicitly permits the inclusion of the build tools if they are
> > used for build purposes.
> >
> > The removal of gradle-wrapper.jar from the source release would reduce
> > security, and it would lower the release vote count
> > as the number of steps to build and verify the code increases.
> >
> > [1]:
> >
> > https://lists.apache.org/thread.html/r1d7330da3c90eb4f2bb8555249572d85615c0f866b45ce04a30c00f2%40%3Cdev.cassandra.apache.org%3E
> >
> > Vladimir
> >

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Vladimir Sitnikov <si...@gmail.com>.
If someone removes gradle-wrapper.jar from the source package I won't veto
that change or something, however:

1) I would vote with -1 for each Calcite release candidate that includes
png, pdf, min.js and other binary files
2) I would stop verifying Calcite releases: I don't have time to download
Gradle versions manually

If someone thinks that "gradle-wrapper.jar must never be included in the
source package",
feel free to comment on https://issues.apache.org/jira/browse/LEGAL-288

Vladimir

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Stamatis Zampetakis <za...@gmail.com>.
There are various threads at @board, @legal-discuss and other places where
people are saying that Gradle wrapper jar is no exception to the rule and
should be excluded from the releases.

I understand that there are disadvantages in removing the wrapper from our
repos but doing that solves the debate and potential conflicts with legal.

If legal gives its blessings to include the jar in the release then great
but I am afraid this will take time and freezing the release for this is
not ideal.

Best,
Stamatis


On Fri, Apr 9, 2021, 12:29 PM Vladimir Sitnikov <si...@gmail.com>
wrote:

> Stamatis,
>
> Thank you for the reference.
> Cassandra case is vastly different: they included all the third-party
> dependencies into the source package.
>
> However, in the thread you mention [1] there's a link that makes "build
> tools" special:
> https://apache.org/legal/resolved.html#build-tools
>
> That page explicitly permits the inclusion of the build tools if they are
> used for build purposes.
>
> The removal of gradle-wrapper.jar from the source release would reduce
> security, and it would lower the release vote count
> as the number of steps to build and verify the code increases.
>
> [1]:
>
> https://lists.apache.org/thread.html/r1d7330da3c90eb4f2bb8555249572d85615c0f866b45ce04a30c00f2%40%3Cdev.cassandra.apache.org%3E
>
> Vladimir
>

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Vladimir Sitnikov <si...@gmail.com>.
Stamatis,

Thank you for the reference.
Cassandra case is vastly different: they included all the third-party
dependencies into the source package.

However, in the thread you mention [1] there's a link that makes "build
tools" special:
https://apache.org/legal/resolved.html#build-tools

That page explicitly permits the inclusion of the build tools if they are
used for build purposes.

The removal of gradle-wrapper.jar from the source release would reduce
security, and it would lower the release vote count
as the number of steps to build and verify the code increases.

[1]:
https://lists.apache.org/thread.html/r1d7330da3c90eb4f2bb8555249572d85615c0f866b45ce04a30c00f2%40%3Cdev.cassandra.apache.org%3E

Vladimir

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Stamatis Zampetakis <za...@gmail.com>.
As Julian mentioned, I don't think we can move on with the release before
removing the wrapper jars.

There have been some recent discussions about similar issues in other
projects [1] and the situation was escalated to the board.
From these discussions, and others in the past, it is clear that there can
be misinterpretations of the ASF policy.

Personally, I agree with all the points raised by Vladimir but with my PMC
hat on I think the best course of action is to remove the jars and possibly
the wrapper altogether.
It doesn't seem very complicated to do so and it will save us time from
disagreeing about the policy and post-release compliance actions.

We can fall back to our old model and request a specific version of Gradle
to be installed for people to compile the project.

Best,
Stamatis

[1]
https://lists.apache.org/thread.html/r3057bdd64b46bef1561b5fef3a7c1e40ade0da80df9915201cc8f315%40%3Cdev.cassandra.apache.org%3E

On Thu, Apr 8, 2021 at 10:22 PM Vladimir Sitnikov <
sitnikov.vladimir@gmail.com> wrote:

> There's no policy, so I truly do not understand what you are referring to.
>
> Vladimir
>

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Vladimir Sitnikov <si...@gmail.com>.
There's no policy, so I truly do not understand what you are referring to.

Vladimir

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
Can we not litigate policy here, please? We are PMC members, this is a release vote, we need to follow policy.

> On Apr 8, 2021, at 12:32 PM, Vladimir Sitnikov <si...@gmail.com> wrote:
> 
> Julian>(Technically there are no binary releases, just artifacts.
> 
> I stand corrected. The better term is "source package" and "compiled/binary
> package" which are both parts of the release.
> 
> Julian>Apache policy, as I understand it, does allow images in source
> releases
> 
> I believe the policy is not mathematically defined.
> If you have a link that states "binary files must not be in source package"
> please let me know.
> Of course, I did not analyze all the tickets in LEGAL, however, LEGAL-288
> does not forbid releasing gradle-wrapper.jar as a part of source package.
> 
> ---
> 
> For instance, Apache JMeter is a standalone desktop application, and you
> can't really build
> a workable application if all the icons and images were removed from the
> source package.
> The app would start, however, it would be very hard to use for the majority
> of the users.
> 
> To my understanding, the intention is that the build artifacts should not
> be the primary part of the release and that there always should be a way to
> build the resulting binaries.
> However, to my best knowledge, excluding binary files from the source
> package is not really feasible.
> For instance, images might serve an important part in the documentation and
> in the application user interface.
> 
> Julian>Not sure about .min.js, but it isn’t binary
> 
> I believe the most important bit is the ability for humans to look inside
> and analyze.
> Of course, .min.js looks like a text file, however, it is written in such a
> way that humans can't really tell what the code is doing.
> Would it remove all the files in my filesystem if I run it? I don't know. I
> need a beautifier and IDE to analyze the behavior of the minified
> javascript.
> In that sense, .min.js is more or less the same as jar file, except jar
> file might be even better since most of the time class and variable names
> are not obfuscated in Java.
> 
> Julian>It is also reasonable that when I browse the source in GitHub I
> should see the same LICENSE file that will be in the source release
> 
> That would imply every third-party dependency update would trigger an
> update to the LICENSE file which means:
> 1) Every contributor that updates a dependency would bump into CI failure
> that reads "oh, you forgot updating LICENSE file" which will be annoying.
> 2) I test different third-party library versions. That might induce
> LICENSE-related failures when I update the dependency version without
> updating the version in the LICENSE. Do you mean I should always edit
> LICENSE file when editing dependency versions? That won't work.
> 3) If we validate LICENSE contents only during the release, then release
> managers might bump into the weird "oh, LICENSE file is out of date".
> 
> That is why I believe, the way it works now is the least evil, however, you
> are welcome to improve it.
> The current implementation allows us to have a single base copy of LICENSE
> file, and it is used to build all the different licenses.
> For instance, calcite-avatica/shaded/core uses the same base LICENSE file
> and it adds the shaded third-party references there.
> 
> If we put "the expected source artifact LICENSE" to the root of the
> repository, then:
> a) We would have to put "base license file for shaded artifacts" somewhere
> else
> b) People might assume that the LICENSE file covers all the entries in the
> Git repository.
> 
> For instance, Calcite repository has site/fonts/ which have a license that
> is incompatible with ASF source artifact restrictions.
> If you put "source artifact license" to the root of apache/calcite
> repository, people might assume that everything in apache/calcite is AL2
> compatible.
> Here's what I mean:
> https://github.com/apache/calcite/blob/8581f0a3fe9a4f079cb4d36f02121ae22118714c/release/build.gradle.kts#L145-L157
> 
> Well, of course, you could just remove site/fonts from the Git repository,
> however, that would paint us into a corner if we ever add a similar
> dependency.
> 
> Vladimir


Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Vladimir Sitnikov <si...@gmail.com>.
Julian>(Technically there are no binary releases, just artifacts.

I stand corrected. The better term is "source package" and "compiled/binary
package" which are both parts of the release.

Julian>Apache policy, as I understand it, does allow images in source
releases

I believe the policy is not mathematically defined.
If you have a link that states "binary files must not be in source package"
please let me know.
Of course, I did not analyze all the tickets in LEGAL, however, LEGAL-288
does not forbid releasing gradle-wrapper.jar as a part of source package.

---

For instance, Apache JMeter is a standalone desktop application, and you
can't really build
a workable application if all the icons and images were removed from the
source package.
The app would start, however, it would be very hard to use for the majority
of the users.

To my understanding, the intention is that the build artifacts should not
be the primary part of the release and that there always should be a way to
build the resulting binaries.
However, to my best knowledge, excluding binary files from the source
package is not really feasible.
For instance, images might serve an important part in the documentation and
in the application user interface.

Julian>Not sure about .min.js, but it isn’t binary

I believe the most important bit is the ability for humans to look inside
and analyze.
Of course, .min.js looks like a text file, however, it is written in such a
way that humans can't really tell what the code is doing.
Would it remove all the files in my filesystem if I run it? I don't know. I
need a beautifier and IDE to analyze the behavior of the minified
javascript.
In that sense, .min.js is more or less the same as jar file, except jar
file might be even better since most of the time class and variable names
are not obfuscated in Java.

Julian>It is also reasonable that when I browse the source in GitHub I
should see the same LICENSE file that will be in the source release

That would imply every third-party dependency update would trigger an
update to the LICENSE file which means:
1) Every contributor that updates a dependency would bump into CI failure
that reads "oh, you forgot updating LICENSE file" which will be annoying.
2) I test different third-party library versions. That might induce
LICENSE-related failures when I update the dependency version without
updating the version in the LICENSE. Do you mean I should always edit
LICENSE file when editing dependency versions? That won't work.
3) If we validate LICENSE contents only during the release, then release
managers might bump into the weird "oh, LICENSE file is out of date".

That is why I believe, the way it works now is the least evil, however, you
are welcome to improve it.
The current implementation allows us to have a single base copy of LICENSE
file, and it is used to build all the different licenses.
For instance, calcite-avatica/shaded/core uses the same base LICENSE file
and it adds the shaded third-party references there.

If we put "the expected source artifact LICENSE" to the root of the
repository, then:
a) We would have to put "base license file for shaded artifacts" somewhere
else
b) People might assume that the LICENSE file covers all the entries in the
Git repository.

For instance, Calcite repository has site/fonts/ which have a license that
is incompatible with ASF source artifact restrictions.
If you put "source artifact license" to the root of apache/calcite
repository, people might assume that everything in apache/calcite is AL2
compatible.
Here's what I mean:
https://github.com/apache/calcite/blob/8581f0a3fe9a4f079cb4d36f02121ae22118714c/release/build.gradle.kts#L145-L157

Well, of course, you could just remove site/fonts from the Git repository,
however, that would paint us into a corner if we ever add a similar
dependency.

Vladimir

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
2. Apache policy, as I understand it, does allow images in source releases. Not sure about .min.js, but it isn’t binary.

I voted -1 because the release does not comply with policy. This isn’t the place to debate policy. (I am glad to see you weighed in on https://issues.apache.org/jira/browse/LEGAL-288; if you want to change policy, you could also consider posting to legal-discuss@.)

3. Since the source release mirrors what is in source control, it is a reasonable expectation that the release process does not modify what is in source control. It is also reasonable that when I browse the source in GitHub I should see the same LICENSE file that will be in the source release.

I don’t think there’s any requirement or expectation that the release plugin should do the same for source and binary releases. (Technically there are no binary releases, just artifacts.) Making an artifact is a more complex process than creating a source tarball, involving downloading dependencies from Maven central etc., and so it makes sense that the license is also generated based on those artifacts.

Julian



> On Apr 8, 2021, at 12:56 AM, Vladimir Sitnikov <si...@gmail.com> wrote:
> 
> Julian>2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too
> 
> Removal of gradle-wrapper.jar creates problems, and it solves no real
> issues.
> 
> Just in case, if you are to forbid binary files in the source release, then
> please clarify why you allow
> the following binary files in the source release:
> 
> /favicon.ico
> /site/img/feather.png
> /site/img/logo.png
> /site/js/html5shiv.min.js
> /site/js/respond.min.js
> 
> ^^^ the above is not a joke. The files are binary, it is hard to verify if
> they contain backdoors or security issues.
> I literally can't tell if logo.png could hack a preview app in my OS.
> I can't re-create logo.png from text-like human-readable sources.
> 
> Forcing users to download Gradle manually makes it way harder to build
> Calcite (they would have to track the exact version).
> Even in the case users would download the proper Gradle version manually,
> they might miss verifying the integrity,
> so removal of gradle-wrapper.jar opens a possibility for supply-chain
> attacks (currently the wrapper is verified, and it verifies the retrieved
> Gradle).
> Automatic retrieval of gradle-wrapper.jar is hard to do in a secure manner.
> In case you missed it, Maven Wrapper did NOT verify the retrieved jar.
> 
> At the same time, gradle-wrapper.jar can be verified:
> 1. There are the official checksums
> 2. Users can build their own gradle-wrapper.jar (e.g. from Gradle sources)
> and ensure the resulting jar matches exactly what is included in the release
> 
> In other words, the inclusion of gradle-wrapper.jar makes it significantly
> more secure and easier to operate for the consumers.
> The ones who have a fear of jar files can unpack tar.gz and delete all the
> jars if any.
> 
> Julian> My opinion is that neither the release plugin (nor the release
> manager) should be modifying source files.
> 
> What do you suggest for the case when binary and source releases have
> different contents due to a different set of the embedded third-party
> dependencies?
> 
> Vladimir


Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Vladimir Sitnikov <si...@gmail.com>.
Julian>2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too

Removal of gradle-wrapper.jar creates problems, and it solves no real
issues.

Just in case, if you are to forbid binary files in the source release, then
please clarify why you allow
the following binary files in the source release:

/favicon.ico
/site/img/feather.png
/site/img/logo.png
/site/js/html5shiv.min.js
/site/js/respond.min.js

^^^ the above is not a joke. The files are binary, it is hard to verify if
they contain backdoors or security issues.
I literally can't tell if logo.png could hack a preview app in my OS.
I can't re-create logo.png from text-like human-readable sources.

Forcing users to download Gradle manually makes it way harder to build
Calcite (they would have to track the exact version).
Even in the case users would download the proper Gradle version manually,
they might miss verifying the integrity,
so removal of gradle-wrapper.jar opens a possibility for supply-chain
attacks (currently the wrapper is verified, and it verifies the retrieved
Gradle).
Automatic retrieval of gradle-wrapper.jar is hard to do in a secure manner.
In case you missed it, Maven Wrapper did NOT verify the retrieved jar.

At the same time, gradle-wrapper.jar can be verified:
1. There are the official checksums
2. Users can build their own gradle-wrapper.jar (e.g. from Gradle sources)
and ensure the resulting jar matches exactly what is included in the release

In other words, the inclusion of gradle-wrapper.jar makes it significantly
more secure and easier to operate for the consumers.
The ones who have a fear of jar files can unpack tar.gz and delete all the
jars if any.

Julian> My opinion is that neither the release plugin (nor the release
manager) should be modifying source files.

What do you suggest for the case when binary and source releases have
different contents due to a different set of the embedded third-party
dependencies?

Vladimir
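
An added example (not from the thread or the Calcite project): a release reviewer's audit of a source tarball that lists the files a human cannot read directly, binary or minified, and checks the bundled gradle-wrapper.jar against a pinned SHA-256. The tarball contents, the avatica-src/ prefix and the pinned digest are constructed; a real check would pin the checksum published for the wrapper version in use.

```python
import codecs
import hashlib
import hmac
import io
import tarfile

WRAPPER_PATH = "gradle/wrapper/gradle-wrapper.jar"  # path named in the thread

# Constructed stand-in for the jar; a real check pins the published checksum.
CONSTRUCTED_WRAPPER = b"PK\x03\x04\x00constructed wrapper jar bytes"
PINNED_SHA256 = hashlib.sha256(CONSTRUCTED_WRAPPER).hexdigest()


def classify(data: bytes) -> str:
    """Return 'binary', 'minified' or 'text' for one file's contents."""
    head = data[:8192]
    if b"\x00" in head:
        return "binary"
    try:
        # Incremental decoding tolerates a multi-byte character cut at 8 KiB.
        codecs.getincrementaldecoder("utf-8")().decode(head, final=False)
    except UnicodeDecodeError:
        return "binary"
    # Valid text, but very long lines are the signature of minified code.
    if any(len(line) > 500 for line in data.splitlines()):
        return "minified"
    return "text"


def audit_source_release(tar_bytes: bytes, pinned_sha256: str):
    """Return (non_reviewable, wrapper_status) for a .tar.gz held in memory.

    non_reviewable maps member path -> 'binary' | 'minified'.
    wrapper_status is 'absent', 'verified' or 'MISMATCH'.
    """
    non_reviewable = {}
    wrapper_status = "absent"
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            kind = classify(data)
            if kind != "text":
                non_reviewable[member.name] = kind
            if member.name.endswith(WRAPPER_PATH):
                digest = hashlib.sha256(data).hexdigest()
                matches = hmac.compare_digest(digest, pinned_sha256)
                wrapper_status = "verified" if matches else "MISMATCH"
    return non_reviewable, wrapper_status


def build_constructed_tarball(wrapper_bytes: bytes) -> bytes:
    """Constructed sample input mirroring the file kinds listed in the thread."""
    files = {
        "avatica-src/build.gradle.kts": b"plugins { java }\n",
        "avatica-src/site/img/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        "avatica-src/site/js/respond.min.js":
            b"!function(a){" + b"a.b=1;" * 200 + b"}(this);\n",
        "avatica-src/" + WRAPPER_PATH: wrapper_bytes,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    report, status = audit_source_release(
        build_constructed_tarball(CONSTRUCTED_WRAPPER), PINNED_SHA256)
    for path, kind in sorted(report.items()):
        print(f"{kind:9} {path}")
    print("wrapper:", status)
```
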

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
1. Regarding the key. Even after doing

$ gpg --import  ~/apache/dist/release/calcite/KEYS

I got the following error:

$ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <fr...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7

2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.

3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files.

Julian


> On Apr 7, 2021, at 11:57 PM, Francis Chuang <fr...@apache.org> wrote:
> 
> Hey Julian,
> 
> The key I used to sign the release is the same as the one in KEYS:
> 
> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
> gpg: Good signature from "Francis Chuang <fr...@a.o>" [ultimate]
> 
> For the 2 issues:
> - The gradle-wrapper.jar issue probably affects calcite as well, so we need to get this fixed in both repos.
> - I believe the license is generated by the release plugin. I think there was some discussion on the mailing list in the past, but I can't find the threads for some reason.
> 
> Francis
> 
> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>> Francis,
>> Thank you for getting this release done. We lost momentum and I appreciate you pushing through.
>> Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS?
>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
>> Two problems:
>>  * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288.
>>  * LICENSE in the tar.gz differs from LICENSE in git
>> -1 (binding) due to the above two problems.
>> Julian
>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
>>> 
>>> Hi all,
>>> 
>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>> candidate 0.
>>> 
>>> Thanks to everyone who has contributed to this release.
>>> 
>>> You can read the release notes here:
>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>> 
>>> The commit to be voted upon:
>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>> 
>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>> 
>>> Tag:
>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>> 
>>> The artifacts to be voted on are located here:
>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
>>> (revision 46928)
>>> 
>>> The hashes of the artifacts are as follows:
>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>> 
>>> A staged Maven repository is available for review at:
>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>> 
>>> Release artifacts are signed with the following key:
>>> https://people.apache.org/keys/committer/francischuang.asc
>>> https://www.apache.org/dist/calcite/KEYS
>>> 
>>> N.B.
>>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>> 
>>> If you do not have a Java environment available, you can run the tests
>>> using docker. To do so, install docker and docker-compose, then run
>>> "docker-compose run test" from the root of the directory.
>>> 
>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>> 
>>> The vote is open for the next 72 hours and passes if a majority of at
>>> least three +1 PMC votes are cast.
>>> 
>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>> [ ] -1 Do not release this package because...
>>> 
>>> 
>>> Here is my vote:
>>> 
>>> +1 (binding)
>>> 
>>> Francis
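
An added example (not code from the thread or the project): both gpg outputs in the message above report a good signature from RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7 and differ only in the trust label. The code below evaluates gpg's machine-readable status lines (as written by gpg --status-fd 1 --verify) by pinning the signer's primary-key fingerprint; the status lines, the uid text and OTHER_FPR are constructed.

```python
from typing import NamedTuple, Optional

# Fingerprint shown in the thread's gpg output.
EXPECTED_FPR = "635665E0BE3F72552910CB74BBE44E923A970AB7"
# Constructed value standing in for some other key in the local keyring.
OTHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def constructed_status(fpr: str, trust: str, verdict: str = "GOODSIG") -> str:
    """Build constructed status lines in the format of gpg --status-fd."""
    lines = [
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] {verdict} {fpr[-16:]} Release Manager (constructed uid)",
    ]
    if verdict == "GOODSIG":
        # VALIDSIG: fpr, date, timestamp, expiry, version, reserved,
        # pubkey algo, hash algo, sig class, primary-key fpr.
        lines.append(
            f"[GNUPG:] VALIDSIG {fpr} 2021-04-07 1617837807 0 4 0 1 10 00 {fpr}")
        # TRUST_UNDEFINED is shown as [unknown], TRUST_ULTIMATE as [ultimate].
        lines.append(f"[GNUPG:] TRUST_{trust} 0 pgp")
    return "\n".join(lines) + "\n"


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    trust: Optional[str]


def evaluate(status_text: str, expected_fpr: str) -> Verdict:
    """Accept only a good signature made by the pinned primary key.

    The local trust level is reported but does not decide the outcome:
    it describes the verifier's keyring, not the artifact.
    """
    good, primary_fpr, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"gpg reported {keyword}", None)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The tenth field is the primary key's fingerprint when present.
            primary_fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    if not good or primary_fpr is None:
        return Verdict(False, "no valid signature reported", trust)
    if primary_fpr.upper() != expected_fpr.upper():
        return Verdict(False, "good signature, but from an unexpected key", trust)
    return Verdict(True, "good signature from the pinned key", trust)


if __name__ == "__main__":
    cases = {
        "key imported, not certified": constructed_status(EXPECTED_FPR, "UNDEFINED"),
        "signer's own keyring": constructed_status(EXPECTED_FPR, "ULTIMATE"),
        "trusted but different key": constructed_status(OTHER_FPR, "ULTIMATE"),
        "corrupted artifact": constructed_status(EXPECTED_FPR, "UNDEFINED", "BADSIG"),
    }
    for label, text in cases.items():
        print(f"{label:28} -> {evaluate(text, EXPECTED_FPR)}")
```
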


Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Francis Chuang <fr...@apache.org>.
Hey Julian,

The key I used to sign the release is the same as the one in KEYS:

gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <fr...@a.o>" [ultimate]

For the 2 issues:
- The gradle-wrapper.jar issue probably affects calcite as well, so we 
need to get this fixed in both repos.
- I believe the license is generated by the release plugin. I think 
there was some discussion on the mailing list in the past, but I can't 
find the threads for some reason.

Francis

On 8/04/2021 4:01 pm, Julian Hyde wrote:
> Francis,
> 
> Thank you for getting this release done. We lost momentum and I appreciate you pushing through.
> 
> Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS?
> 
> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
> 
> Two problems:
>   * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288.
>   * LICENSE in the tar.gz differs from LICENSE in git
> 
> -1 (binding) due to the above two problems.
> 
> Julian
> 
> 
> 
>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
>>
>> Hi all,
>>
>> I have created a build for Apache Calcite Avatica 1.18.0, release
>> candidate 0.
>>
>> Thanks to everyone who has contributed to this release.
>>
>> You can read the release notes here:
>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>
>> The commit to be voted upon:
>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>
>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>
>> Tag:
>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>
>> The artifacts to be voted on are located here:
>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
>> (revision 46928)
>>
>> The hashes of the artifacts are as follows:
>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>
>> A staged Maven repository is available for review at:
>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>
>> Release artifacts are signed with the following key:
>> https://people.apache.org/keys/committer/francischuang.asc
>> https://www.apache.org/dist/calcite/KEYS
>>
>> N.B.
>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>
>> If you do not have a Java environment available, you can run the tests
>> using docker. To do so, install docker and docker-compose, then run
>> "docker-compose run test" from the root of the directory.
>>
>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>
>> The vote is open for the next 72 hours and passes if a majority of at
>> least three +1 PMC votes are cast.
>>
>> [ ] +1 Release this package as Apache Calcite 1.18.0
>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>> [ ] -1 Do not release this package because...
>>
>>
>> Here is my vote:
>>
>> +1 (binding)
>>
>> Francis
> 
> 

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Posted by Julian Hyde <jh...@gmail.com>.
Francis,

Thank you for getting this release done. We lost momentum and I appreciate you pushing through.

Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS?

Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.

Two problems:
 * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288.
 * LICENSE in the tar.gz differs from LICENSE in git

-1 (binding) due to the above two problems.

Julian



> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
> 
> Hi all,
> 
> I have created a build for Apache Calcite Avatica 1.18.0, release
> candidate 0.
> 
> Thanks to everyone who has contributed to this release.
> 
> You can read the release notes here:
> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
> 
> The commit to be voted upon:
> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
> 
> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
> 
> Tag:
> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
> 
> The artifacts to be voted on are located here:
> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
> (revision 46928)
> 
> The hashes of the artifacts are as follows:
> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
> *apache-calcite-avatica-1.18.0-src.tar.gz
> 
> A staged Maven repository is available for review at:
> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
> 
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/francischuang.asc
> https://www.apache.org/dist/calcite/KEYS
> 
> N.B.
> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
> 
> If you do not have a Java environment available, you can run the tests
> using docker. To do so, install docker and docker-compose, then run
> "docker-compose run test" from the root of the directory.
> 
> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
> 
> The vote is open for the next 72 hours and passes if a majority of at
> least three +1 PMC votes are cast.
> 
> [ ] +1 Release this package as Apache Calcite 1.18.0
> [ ]  0 I don't feel strongly about it, but I'm okay with the release
> [ ] -1 Do not release this package because...
> 
> 
> Here is my vote:
> 
> +1 (binding)
> 
> Francis