Posted to dev@calcite.apache.org by Julian Hyde <jh...@gmail.com> on 2021/05/10 20:25:30 UTC

Re: [VOTE] Release apache-calcite-avatica-1.18.0 (release candidate 0)

Francis,

This vote has been open for over a month. As release manager, do you have the information necessary to cancel the vote or announce a result? We need to move on.

Julian


> On Apr 20, 2021, at 3:32 PM, Francis Chuang <fr...@apache.org> wrote:
> 
> Hey Josh,
> 
> I believe the short key id uses the last 8 characters of the key id.
> 
> This is the output when listing my secret keys:
> ❯ gpg --list-secret-keys
> /home/francis/.gnupg/pubring.kbx
> --------------------------------
> sec   rsa4096 2018-04-16 [SC]
>      635665E0BE3F72552910CB74BBE44E923A970AB7
> uid           [ultimate] Francis Chuang <fr...@a....org>
> ssb   rsa4096 2018-04-16 [E]
> 
> This is the entry in KEYS:
> -----END PGP PUBLIC KEY BLOCK-----
> 
> pub   rsa4096/3A970AB7 2018-04-16 [SC]
> uid         [ultimate] Francis Chuang <fr...@a....org>
> sig 3        3A970AB7 2018-04-16  Francis Chuang <fr...@apache.org>
> sig          2AD3FAE3 2018-07-25  Julian Hyde (CODE SIGNING KEY) <jh...@a....org>
> sig          2F471B9E 2018-07-25  Jungtaek Lim (HeartSaVioR) <ka...@g....com>
> sub   rsa4096/34BCCFB3 2018-04-16 [E]
> sig          3A970AB7 2018-04-16  Francis Chuang <fr...@a....org>
> 
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> The last 8 characters of the key id in both short and long formats match:
> 635665E0BE3F72552910CB74BBE44E923A970AB7
>                                3A970AB7
> 
> Francis
> 
> On 21/04/2021 4:14 am, Josh Elser wrote:
>> Uh, I'm confused too and seeing the same thing that Julian saw.
>> The key 635665E0 does not exist in the https://www.apache.org/dist/calcite/KEYS. What is in the KEYS file is 3A970AB7.
>> I don't see this key in pgp.mit.edu when I search, either. I can't seem to find a server which responds to do a `gpg --search-key` either.
>> Vladimir -- were you able to validate the signature? If so, do you have this key in `gpg --fingerprint`?
>> On 4/8/21 1:59 PM, Julian Hyde wrote:
>>> Makes sense. I am forever confused by signing & keys. If other people have no concerns, then I’m fine.
>>> 
>>>> On Apr 8, 2021, at 1:43 AM, Francis Chuang <fr...@apache.org> wrote:
>>>> 
>>>> Regarding the key, I wonder if it's because my key was only signed by 2 other individuals. See here [1] and here [2].
>>>> 
>>>> [1] https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature 
>>>> [2] https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209 
>>>> 
>>>> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>>>>> 1. Regarding the key. Even after doing
>>>>> $ gpg --import  ~/apache/dist/release/calcite/KEYS
>>>>> I got the following error:
>>>>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>>>>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>> gpg: Good signature from "Francis Chuang <fr...@apache.org>" [unknown]
>>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>>> gpg:          There is no indication that the signature belongs to the owner.
>>>>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
>>>>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>>>>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files.
>>>>> Julian
>>>>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>>> 
>>>>>> Hey Julian,
>>>>>> 
>>>>>> The key I used to sign the release is the same as the one in KEYS:
>>>>>> 
>>>>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>>> gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
>>>>>> gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>>> gpg: Good signature from "Francis Chuang <fr...@a.o>" [ultimate]
>>>>>> 
>>>>>> For the 2 issues:
>>>>>> - The gradle-wrapper.jar issue probably affects calcite as well, so we need to get this fixed in both repos.
>>>>>> - I believe the license is generated by the release plugin. I think there was some discussion on the mailing list in the past, but I can't find the threads for some reason.
>>>>>> 
>>>>>> Francis
>>>>>> 
>>>>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>>>>> Francis,
>>>>>>> Thank you for getting this release done. We lost momentum and I appreciate you pushing through.
>>>>>>> Is this a different key than your existing key in KEYS? If so, can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS?
>>>>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>>>>>> Two problems:
>>>>>>>   * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288.
>>>>>>>   * LICENSE in the tar.gz differs from LICENSE in git
>>>>>>> -1 (binding) due to the above two problems.
>>>>>>> Julian
>>>>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <fr...@apache.org> wrote:
>>>>>>>> 
>>>>>>>> Hi all,
>>>>>>>> 
>>>>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>>>>> candidate 0.
>>>>>>>> 
>>>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>>> 
>>>>>>>> You can read the release notes here:
>>>>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md 
>>>>>>>> 
>>>>>>>> The commit to be voted upon:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6 
>>>>>>>> 
>>>>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>>>>> 
>>>>>>>> Tag:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0 
>>>>>>>> 
>>>>>>>> The artifacts to be voted on are located here:
>>>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 
>>>>>>>> (revision 46928)
>>>>>>>> 
>>>>>>>> The hashes of the artifacts are as follows:
>>>>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 
>>>>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>>>>> 
>>>>>>>> A staged Maven repository is available for review at:
>>>>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/ 
>>>>>>>> 
>>>>>>>> Release artifacts are signed with the following key:
>>>>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>>>>> 
>>>>>>>> N.B.
>>>>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
>>>>>>>> 
>>>>>>>> If you do not have a Java environment available, you can run the tests
>>>>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>>>>> "docker-compose run test" from the root of the directory.
>>>>>>>> 
>>>>>>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>>>>>>> 
>>>>>>>> The vote is open for the next 72 hours and passes if a majority of at
>>>>>>>> least three +1 PMC votes are cast.
>>>>>>>> 
>>>>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>>>>> [ ]  0 I don't feel strongly about it, but I'm okay with the release
>>>>>>>> [ ] -1 Do not release this package because...
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Here is my vote:
>>>>>>>> 
>>>>>>>> +1 (binding)
>>>>>>>> 
>>>>>>>> Francis
>>>
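
The key-id confusion in this thread (635665E0 is the first 8 hex digits of the fingerprint, while the short id in KEYS, 3A970AB7, is the last 8) and the "Good signature ... [unknown]" result can both be checked mechanically by comparing full fingerprints. The script below is an added example, not something posted by any participant in the thread. It uses the fingerprint and ids quoted above; the function names are hypothetical and the status lines are constructed in the layout `gpg --status-fd` prints.

```shell
# Added example. FPR and the key ids are the values quoted in the thread;
# function names and sample status lines are constructed for illustration.
FPR=635665E0BE3F72552910CB74BBE44E923A970AB7

# Upper-case a key reference, drop spaces and a leading 0x.
normalize() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F' | sed 's/^0[xX]//'
}

# Report how REF relates to the full fingerprint FPR.
classify_key_ref() {
    fpr=$(normalize "$1"); ref=$(normalize "$2")
    case "$ref" in ''|*[!0-9A-F]*) echo invalid; return ;; esac
    if [ "$ref" = "$fpr" ]; then echo fingerprint; return; fi
    case "$fpr" in
        *"$ref") case ${#ref} in
                     16) echo long-id ;;
                     8)  echo short-id ;;
                     *)  echo no-match ;;
                 esac ;;
        "$ref"*) echo prefix-only ;;   # leading digits are not a key id
        *)       echo no-match ;;
    esac
}

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint
# (last VALIDSIG field on GnuPG 2.x); fail when no valid signature is reported.
signer_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
         END { exit !found }'
}

# Succeed only if the valid signature on stdin comes from the pinned key.
verify_pinned() {
    want=$(normalize "$1")
    got=$(signer_fpr_from_status) || return 1
    [ "$got" = "$want" ]
}

# Constructed status output for the signature discussed in the thread.
sample_status() {
    cat <<'EOF'
[GNUPG:] VALIDSIG 635665E0BE3F72552910CB74BBE44E923A970AB7 2021-04-07 1617837807 0 4 0 1 10 00 635665E0BE3F72552910CB74BBE44E923A970AB7
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

classify_key_ref "$FPR" 3A970AB7    # short-id
classify_key_ref "$FPR" 635665E0    # prefix-only
sample_status | verify_pinned "$FPR" && echo "signer matches pinned fingerprint"
```

Against a real download, the status lines would come from `gpg --status-fd 1 --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc 2>/dev/null`, with the pinned fingerprint taken from a source the verifier already trusts rather than from the signature output itself.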