You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@accumulo.apache.org by Christopher <ct...@apache.org> on 2014/09/25 21:33:03 UTC

Re: [accumulo] your /dist/ artifacts - 1 BAD signature

[note: thread moved to dev@]

Okay, I just confirmed that the current files in dist are the same ones in
Maven Central are the same ones that we voted on. So, that issue is
resolved. I double checked and saw that the gpg-signed tag hasn't been
created for 1.6.1 (git tag -s 1.6.1 origin/1.6.1-rc1). I guess technically
anybody could do this, and merge it (along with the version bump to
1.6.2-SNAPSHOT commit) to 1.6.2-SNAPSHOT branch (and forward, with -sours),
if Corey doesn't have time/gets busy.


--
Christopher L Tubbs II
http://gravatar.com/ctubbsii

On Thu, Sep 25, 2014 at 2:21 PM, Corey Nolet <cj...@gmail.com> wrote:

> There's still a few things I need to do before announcing the release to
> the user list. Merging the rc into the next version branch was one of them
> and creating the official release tag was another. I'll do these tonight as
> well as writing up the release notes for the site.
>
>
> On Thu, Sep 25, 2014 at 1:59 PM, Christopher <ct...@apache.org> wrote:
>
> > Also, we can move this list to dev@. There's no reason for it to be
> > private@
> > .
> >
> >
> > --
> > Christopher L Tubbs II
> > http://gravatar.com/ctubbsii
> >
> > On Thu, Sep 25, 2014 at 1:59 PM, Christopher <ct...@apache.org>
> wrote:
> >
> > > There's one more problem that Keith and I found... it doesn't look like
> > > the rc1 branch got merged to 1.6.2-SNAPSHOT. I don't know if some other
> > > branch got accidentally merged instead.
> > >
> > >
> > > --
> > > Christopher L Tubbs II
> > > http://gravatar.com/ctubbsii
> > >
> > > On Thu, Sep 25, 2014 at 1:40 PM, Josh Elser <jo...@gmail.com>
> > wrote:
> > >
> > >> Things look good to me now. I checked the artifacts on dist/ against
> > what
> > >> I have from evaluating the RC and they appear to match.
> > >>
> > >> Anything else we need to do here?
> > >>
> > >>
> > >> Christopher wrote:
> > >>
> > >>> I was able to confirm the signature is bad. When I checked the RC,
> the
> > >>> signature was good, so I'm guessing the wrong one just got uploaded.
> I
> > >>> don't have a copy of the RC that I had previously downloaded, but I
> was
> > >>> able to grab a copy of what was deployed to Maven central and fix the
> > >>> dist
> > >>> sigs/checksums from that.
> > >>>
> > >>> Now, it's possible that the wrong artifacts were uploaded to Maven
> > >>> central
> > >>> (perhaps the wrong staging repo was promoted?) I can't know that for
> > >>> sure,
> > >>> until I can get to work and check my last download from the RC vote
> and
> > >>> compare with what's in Maven central now. If that is the case, then
> we
> > >>> need
> > >>> to determine precisely what is different from this upload and what
> was
> > >>> voted on and see if we need to immediately re-release as 1.6.2 to fix
> > the
> > >>> problems.
> > >>>
> > >>>
> > >>> --
> > >>> Christopher L Tubbs II
> > >>> http://gravatar.com/ctubbsii
> > >>>
> > >>> On Thu, Sep 25, 2014 at 3:12 AM, Henk Penning<he...@apache.org>
> > wrote:
> > >>>
> > >>>  Hi PMC accumulo,
> > >>>>
> > >>>>    I watch 'www.apache.org/dist/', and I noticed that :
> > >>>>
> > >>>>    -- you have 1 BAD pgp signature
> > >>>>
> > >>>>         accumulo/1.6.1/accumulo-1.6.1-src.tar.gz.asc
> > >>>>
> > >>>>    Please fix this problem soon ; for details, see
> > >>>>
> > >>>>
> > http://people.apache.org/~henkp/checker/sig.html#project-accumulo
> > >>>>      http://people.apache.org/~henkp/checker/md5.html
> > >>>>
> > >>>>    For information on how to fix problems, see the faq :
> > >>>>
> > >>>>      http://people.apache.org/~henkp/checker/faq.html
> > >>>>
> > >>>>    Thanks a lot, regards,
> > >>>>
> > >>>>    Henk Penning -- apache.org infrastructure
> > >>>>
> > >>>>    PS. The contents of this message is generated,
> > >>>>        but the mail itself is sent "by hand".
> > >>>>    PS. Please cc me on all relevant emails.
> > >>>>
> > >>>> ---------------------------------------------------------   _
> > >>>> Henk P. Penning, ICT-beta              R Uithof WISK-412  _/ _
> > >>>> Faculty of Science, Utrecht University T +31 30 253 4106 / _/
> > >>>> Budapestlaan 6, 3584CD Utrecht, NL     F +31 30 253 4553 _/ _/
> > >>>> http://people.cs.uu.nl/henkp/          M penning@uu.nl     _/
> > >>>>
> > >>>>
> > >>>
> > >
> >
>

Re: [accumulo] your /dist/ artifacts - 1 BAD signature

Posted by Corey Nolet <cj...@gmail.com>.

I see what happened. I was expecting the mvn:release plugin to push the
"prepare for next development iteration" which it did not. I just pushed it
up and created the tag. I'll work on the release notes in a bit.

On Thu, Sep 25, 2014 at 3:33 PM, Christopher <ct...@apache.org> wrote:

> [note: thread moved to dev@]
>
> Okay, I just confirmed that the current files in dist are the same ones in
> Maven Central are the same ones that we voted on. So, that issue is
> resolved. I double checked and saw that the gpg-signed tag hasn't been
> created for 1.6.1 (git tag -s 1.6.1 origin/1.6.1-rc1). I guess technically
> anybody could do this, and merge it (along with the version bump to
> 1.6.2-SNAPSHOT commit) to 1.6.2-SNAPSHOT branch (and forward, with -sours),
> if Corey doesn't have time/gets busy.
>
>
> --
> Christopher L Tubbs II
> http://gravatar.com/ctubbsii
>
> On Thu, Sep 25, 2014 at 2:21 PM, Corey Nolet <cj...@gmail.com> wrote:
>
> > There's still a few things I need to do before announcing the release to
> > the user list. Merging the rc into the next version branch was one of
> them
> > and creating the official release tag was another. I'll do these tonight
> as
> > well as writing up the release notes for the site.
> >
> >
> > On Thu, Sep 25, 2014 at 1:59 PM, Christopher <ct...@apache.org>
> wrote:
> >
> > > Also, we can move this list to dev@. There's no reason for it to be
> > > private@
> > > .
> > >
> > >
> > > --
> > > Christopher L Tubbs II
> > > http://gravatar.com/ctubbsii
> > >
> > > On Thu, Sep 25, 2014 at 1:59 PM, Christopher <ct...@apache.org>
> > wrote:
> > >
> > > > There's one more problem that Keith and I found... it doesn't look
> like
> > > > the rc1 branch got merged to 1.6.2-SNAPSHOT. I don't know if some
> other
> > > > branch got accidentally merged instead.
> > > >
> > > >
> > > > --
> > > > Christopher L Tubbs II
> > > > http://gravatar.com/ctubbsii
> > > >
> > > > On Thu, Sep 25, 2014 at 1:40 PM, Josh Elser <jo...@gmail.com>
> > > wrote:
> > > >
> > > >> Things look good to me now. I checked the artifacts on dist/ against
> > > what
> > > >> I have from evaluating the RC and they appear to match.
> > > >>
> > > >> Anything else we need to do here?
> > > >>
> > > >>
> > > >> Christopher wrote:
> > > >>
> > > >>> I was able to confirm the signature is bad. When I checked the RC,
> > the
> > > >>> signature was good, so I'm guessing the wrong one just got
> uploaded.
> > I
> > > >>> don't have a copy of the RC that I had previously downloaded, but I
> > was
> > > >>> able to grab a copy of what was deployed to Maven central and fix
> the
> > > >>> dist
> > > >>> sigs/checksums from that.
> > > >>>
> > > >>> Now, it's possible that the wrong artifacts were uploaded to Maven
> > > >>> central
> > > >>> (perhaps the wrong staging repo was promoted?) I can't know that
> for
> > > >>> sure,
> > > >>> until I can get to work and check my last download from the RC vote
> > and
> > > >>> compare with what's in Maven central now. If that is the case, then
> > we
> > > >>> need
> > > >>> to determine precisely what is different from this upload and what
> > was
> > > >>> voted on and see if we need to immediately re-release as 1.6.2 to
> fix
> > > the
> > > >>> problems.
> > > >>>
> > > >>>
> > > >>> --
> > > >>> Christopher L Tubbs II
> > > >>> http://gravatar.com/ctubbsii
> > > >>>
> > > >>> On Thu, Sep 25, 2014 at 3:12 AM, Henk Penning<he...@apache.org>
> > > wrote:
> > > >>>
> > > >>>  Hi PMC accumulo,
> > > >>>>
> > > >>>>    I watch 'www.apache.org/dist/', and I noticed that :
> > > >>>>
> > > >>>>    -- you have 1 BAD pgp signature
> > > >>>>
> > > >>>>         accumulo/1.6.1/accumulo-1.6.1-src.tar.gz.asc
> > > >>>>
> > > >>>>    Please fix this problem soon ; for details, see
> > > >>>>
> > > >>>>
> > > http://people.apache.org/~henkp/checker/sig.html#project-accumulo
> > > >>>>      http://people.apache.org/~henkp/checker/md5.html
> > > >>>>
> > > >>>>    For information on how to fix problems, see the faq :
> > > >>>>
> > > >>>>      http://people.apache.org/~henkp/checker/faq.html
> > > >>>>
> > > >>>>    Thanks a lot, regards,
> > > >>>>
> > > >>>>    Henk Penning -- apache.org infrastructure
> > > >>>>
> > > >>>>    PS. The contents of this message is generated,
> > > >>>>        but the mail itself is sent "by hand".
> > > >>>>    PS. Please cc me on all relevant emails.
> > > >>>>
> > > >>>> ---------------------------------------------------------   _
> > > >>>> Henk P. Penning, ICT-beta              R Uithof WISK-412  _/ _
> > > >>>> Faculty of Science, Utrecht University T +31 30 253 4106 / _/
> > > >>>> Budapestlaan 6, 3584CD Utrecht, NL     F +31 30 253 4553 _/ _/
> > > >>>> http://people.cs.uu.nl/henkp/          M penning@uu.nl     _/
> > > >>>>
> > > >>>>
> > > >>>
> > > >
> > >
> >
>