Posted to dev@parquet.apache.org by Zoltan Ivanfi <zi...@cloudera.com.INVALID> on 2019/04/29 18:05:16 UTC

Key signing (was: [VOTE] Release Apache Parquet 1.11.0 RC6)

Hi,

A video call sounds more secure to me than a photo which can be easily
manipulated. We could spend 5 minutes on it in the next Parquet sync
or alternatively is there someone already in the web of trust who
would volunteer to do a private video call with us before or after the
sync?

Thanks,

Zoltan


On Mon, Apr 29, 2019 at 7:52 PM Wes McKinney <we...@gmail.com> wrote:
>
> On Mon, Apr 29, 2019 at 12:48 PM Zoltan Ivanfi <zi...@cloudera.com.invalid> wrote:
> >
> > Hi,
> >
> > An excerpt from
> > https://www.apache.org/dev/release-signing#verifying-signature : "A
> > signature is valid, if gpg verifies the .asc as a good signature, and
> > doesn't complain about expired or revoked keys." Another excerpt from
> > https://www.apache.org/dev/release-signing#check-integrity that
> > reinforces that signing each other's keys is optional: "If you are
> > connected to the Apache web of trust then this also offers superior
> > security."
> >
> > That being said I support signing each other's keys. Of course, you
> > will still need one key somewhere along the signing chain that you
> > trust. I see that a few PMC members have signed keys, how should we
> > approach this task? The HOWTO suggests public conferences and key
> > signing parties, but I hope there is a way to do that remotely. Would
> > members who are already in the web of trust feel comfortable signing
> > our keys based on the following?
> >
> > - Our keys have been committed to the central KEYS file using our
> > Apache credentials.
> > - We could personally confirm this in the next Parquet sync.
> > - We could even read the key IDs out loud if needed.
> >
>
> In person is best (if it is a person whose identity you are sure of),
> for people I know personally what I've done to sign their key remotely
> is have them write down the PGP fingerprint and show the paper to me
> in a photograph of themselves or in a video call. I don't know whether
> this is a good security practice but it seems better than doing things
> over e-mail =)
>
> - Wes
>
> > Br,
> >
> > Zoltan
> >
> >
> > On Mon, Apr 29, 2019 at 7:11 PM Zoltan Ivanfi <zi...@cloudera.com> wrote:
> > >
> > > Hi Wes,
> > >
> > > Gabor's key is in the KEYS file available at https://dist.apache.org/repos/dist/dev/parquet/KEYS Others may correct me if I'm mistaken, but as far as I know, this is all that is required. I mentioned this in the verification steps as well ("4. Verify the signature by running `gpg --verify apache-parquet-1.11.0.tar.gz.asc`. It should say "Good signature", the warning about the key not being trusted can be ignored"). My signing key is also unsigned, because instead of signing each other's keys we depend on the fact that only privileged users can put their key into the central KEYS file.
> > >
> > > Br,
> > >
> > > Zoltan
> > >
> > > On Mon, Apr 29, 2019 at 6:46 PM Wes McKinney <we...@gmail.com> wrote:
> > >>
> > >> -1
> > >>
> > >> Gabor's PGP key is unsigned.
> > >>
> > >> $ gpg --verify apache-parquet-1.11.0.tar.gz.asc
> > >> gpg: assuming signed data in 'apache-parquet-1.11.0.tar.gz'
> > >> gpg: Signature made Tue 19 Mar 2019 08:55:48 AM CDT
> > >> gpg:                using RSA key 6FB82970311551C7CEF131F5021057DBF048F543
> > >> gpg: Good signature from "Gabor Szadovszky <ga...@apache.org>" [unknown]
> > >> gpg: WARNING: This key is not certified with a trusted signature!
> > >> gpg:          There is no indication that the signature belongs to the owner.
> > >> Primary key fingerprint: 6FB8 2970 3115 51C7 CEF1  31F5 0210 57DB F048 F543
> > >>
> > >> On Tue, Apr 16, 2019 at 4:10 AM Gabor Szadovszky <ga...@apache.org> wrote:
> > >> >
> > >> > Based on our release process (
> > >> > http://parquet.apache.org/documentation/how-to-release/) and the related
> > >> > scripts we use the final tag for an RC. So, the existence of this tag does
> > >> > not mean 1.11.0 is released.
> > >> > However, I agree this is misleading and not a good practice to remove
> > >> > already committed tags and re-add them to another place (when a new RC
> > >> > comes out). I think, we should update our release process to use RC tags
> > >> > and put the final tag only after it is officially released. But it is the
> > >> > story of the next release...
> > >> >
> > >> >
> > >> > On Sat, Apr 13, 2019 at 8:00 PM 俊杰陈 <cj...@gmail.com> wrote:
> > >> >
> > >> > > From the github release page, I see the 1.11.0 already released. Is it
> > >> > > still a rc version?
> > >> > > https://github.com/apache/parquet-mr/releases/tag/apache-parquet-1.11.0
> > >> > >
> > >> > > On Fri, Apr 12, 2019 at 8:10 AM Ryan Blue <rb...@netflix.com.invalid> wrote:
> > >> > >
> > >> > > > Personally, I haven't had enough time to devote to Parquet lately and that
> > >> > > > means I haven't validated that this release's new features are okay to
> > >> > > > release. I'm hoping sometime in the next few weeks I'll be able to vote on
> > >> > > > this.
> > >> > > >
> > >> > > > On Thu, Apr 11, 2019 at 1:23 PM Andy Grove <An...@rms.com> wrote:
> > >> > > >
> > >> > > > > I'm curious if there is any update on this vote? The thread seems eerily
> > >> > > > > quiet.
> > >> > > > >
> > >> > > > > Thanks.
> > >> > > > >
> > >> > > > > On 4/3/19, 10:38 AM, "Andy Grove" <An...@rms.com> wrote:
> > >> > > > >
> > >> > > > >     CAUTION – UNVERIFIED EXTERNAL EMAIL
> > >> > > > >
> > >> > > > >
> > >> > > > >     I have been able to run mvn verify and have also tested this RC
> > >> > > > >     against our internal systems, with no issue.
> > >> > > > >
> > >> > > > >     +1 (non-binding)
> > >> > > > >
> > >> > > > >     I have raised the issue about Hadoop-lzo, but that is present in the
> > >> > > > >     1.10.1 release also.
> > >> > > > >
> > >> > > > >     Andy.
> > >> > > > >
> > >> > > > >
> > >> > > > >     On 3/20/19, 7:50 AM, "Zoltan Ivanfi" <zi...@cloudera.com.INVALID> wrote:
> > >> > > > >
> > >> > > > >
> > >> > > > >         +1 (binding)
> > >> > > > >
> > >> > > > >         signature matches
> > >> > > > >         git hash matches the git tag
> > >> > > > >         source tarball matches the git tag
> > >> > > > >         unit tests and integration tests pass
> > >> > > > >
> > >> > > > >         On Tue, Mar 19, 2019 at 3:00 PM Gabor Szadovszky <gabor@apache.org> wrote:
> > >> > > > >
> > >> > > > >         > Dear Parquet Users and Developers,
> > >> > > > >         >
> > >> > > > >         > I propose the following RC to be released as the official Apache
> > >> > > > >         > Parquet 1.11.0 release:
> > >> > > > >         >
> > >> > > > >         > The commit id is 9756b0e2b35437a09716707a81e2ac0c187112ed
> > >> > > > >         > * This corresponds to the tag: apache-parquet-1.11.0
> > >> > > > >         > * https://github.com/apache/parquet-mr/tree/9756b0e2b35437a09716707a81e2ac0c187112ed
> > >> > > > >         >
> > >> > > > >         > The release tarball, signature, and checksums are here:
> > >> > > > >         > * https://dist.apache.org/repos/dist/dev/parquet/apache-parquet-1.11.0-rc6/
> > >> > > > >         >
> > >> > > > >         > You can find the KEYS file here:
> > >> > > > >         > * https://dist.apache.org/repos/dist/dev/parquet/KEYS
> > >> > > > >         >
> > >> > > > >         > Binary artifacts are staged in Nexus here:
> > >> > > > >         > * https://repository.apache.org/content/groups/staging/org/apache/parquet/parquet/1.11.0/
> > >> > > > >         >
> > >> > > > >         > This release includes the following new features:
> > >> > > > >         > - PARQUET-1201 - Column indexes
> > >> > > > >         > - PARQUET-1253 - Support for new logical type representation
> > >> > > > >         > - PARQUET-1381 - Add merge blocks command to parquet-tools
> > >> > > > >         > - PARQUET-1388 - Nanosecond precision time and timestamp - parquet-mr
> > >> > > > >         >
> > >> > > > >         > The release also includes bug fixes, including:
> > >> > > > >         > - PARQUET-1472: Dictionary filter fails on FIXED_LEN_BYTE_ARRAY.
> > >> > > > >         > - PARQUET-1510: Fix notEq for optional columns with null values.
> > >> > > > >         > - PARQUET-1533: TestSnappy() throws OOM exception with Parquet-1485 change
> > >> > > > >         > - PARQUET-1531: Page row count limit causes empty pages to be written from MessageColumnIO
> > >> > > > >         > - PARQUET-1544: Possible over-shading of modules
> > >> > > > >         >
> > >> > > > >         > The following change has been reverted so it is not part of any public
> > >> > > > >         > release:
> > >> > > > >         > - PARQUET-1381: Add merge blocks command to parquet-tools
> > >> > > > >         >
> > >> > > > >         > Please download, verify, and test. The vote will be open for at least 72
> > >> > > > >         > hours.
> > >> > > > >         >
> > >> > > > >         > Thanks,
> > >> > > > >         > Gabor
> > >> > > > >         >
> > >> > > > >
> > >> > > > >
> > >> > > > >
> > >> > > > >
> > >> > > > >
> > >> > > >
> > >> > > > --
> > >> > > > Ryan Blue
> > >> > > > Software Engineer
> > >> > > > Netflix
> > >> > > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > Thanks & Best Regards
> > >> > >
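
The distinction this thread turns on (a good signature from a key listed in KEYS versus a key certified through the web of trust) can be checked mechanically from gpg's machine-readable status output. The following is an added example, not part of the original messages or of any Apache release script; the function name `classify_sig` and the status lines are constructed for illustration, and the GnuPG 2.x `VALIDSIG` field layout is assumed.

```shell
# classify_sig STATUS ALLOWED
#   STATUS  : status lines as produced by `gpg --status-fd 1 --verify x.asc x`
#   ALLOWED : whitespace-separated primary fingerprints listed in the KEYS file
# Prints bad | expired-or-revoked | not-in-keys | ok-untrusted | ok-trusted
classify_sig() {
  status=$1
  allowed=" $(printf '%s' "$2" | tr -s '[:space:]' ' ') "
  has() { printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] ($1)( |\$)"; }

  # gpg "complaining" about the signature or the key fails closed.
  if has 'BADSIG|ERRSIG|NO_PUBKEY'; then echo bad; return 1; fi
  if has 'EXPSIG|EXPKEYSIG|REVKEYSIG|KEYEXPIRED|KEYREVOKED'; then
    echo expired-or-revoked; return 1
  fi
  if ! has 'GOODSIG'; then echo bad; return 1; fi
  # Assumption: VALIDSIG's last field is the primary key fingerprint (GnuPG 2.x).
  fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
  if [ -z "$fpr" ]; then echo bad; return 1; fi
  # Pin to the project's KEYS file rather than to web-of-trust validity.
  case $allowed in
    *" $fpr "*) ;;
    *) echo not-in-keys; return 1 ;;
  esac
  # Trust level is reported, not enforced: ok-untrusted is the "[unknown]" case.
  if has 'TRUST_FULLY|TRUST_ULTIMATE'; then echo ok-trusted; else echo ok-untrusted; fi
}

FPR=6FB82970311551C7CEF131F5021057DBF048F543   # fingerprint quoted in the thread
# Constructed status lines modelled on the quoted gpg output (not a real capture).
SAMPLE_UNTRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 021057DBF048F543 Gabor Szadovszky <ga...@apache.org>
[GNUPG:] VALIDSIG $FPR 2019-03-19 1553003748 0 4 0 1 8 00 $FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
SAMPLE_EXPIRED="[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1553003748
[GNUPG:] EXPKEYSIG 021057DBF048F543 Gabor Szadovszky <ga...@apache.org>
[GNUPG:] VALIDSIG $FPR 2019-03-19 1553003748 0 4 0 1 8 00 $FPR"

classify_sig "$SAMPLE_UNTRUSTED" "$FPR"
classify_sig "$SAMPLE_EXPIRED" "$FPR" || true
```

In a real check, ALLOWED would be built by importing the KEYS file into a throwaway keyring and listing its fingerprints, so that the result does not depend on whatever keys happen to be in the verifier's personal keyring.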