Posted to dev@corinthia.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2015/08/14 18:23:31 UTC

[DISCUSS][PRE-VOTE] Release candidate 0.1

Please provide an authoritative ASF location of the public key to use for checking the signature.  It would be something like a continuously verified key on this list: <https://people.apache.org/keys/committer/>.  (This establishes both the name of the ASF committer who possesses the signature and that the key has not been revoked.)

How will that be made known to reviewers and downloaders of the Release Candidate?

 - Dennis

----- Failure Output -----
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\GNU\GnuPG>gpg2 d:\Apache\corinthia\rc\incubator-corinthia_release_0.1.zip.asc
gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA key ID 577E7412
gpg: Can't check signature: No public key

C:\Program Files (x86)\GNU\GnuPG>




RE: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by "Dennis E. Hamilton" <de...@acm.org>.
The source of the key, and whose it is, must be removed from private knowledge, since this is intended for users of the release who are not on the project.  Those who obtain the release from the Apache location for it will not be subscribers to dev@ or necessarily have any other source of information and are not expected to have to search dev@ for essential information.

The point is that KEYS is part of the documented practice for releases and reviewers will look for it. 

That is the last time I will say that here.

I am attempting to support this release being successful on Apache terms.  I would like that understood.  

 - Dennis



-----Original Message-----
From: Peter Kelly [mailto:pmkelly@apache.org] 
Sent: Tuesday, August 18, 2015 22:49
To: dev@corinthia.incubator.apache.org
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

[ ... ]

Or we could just use Jan’s public key as has been discussed ad infinitum on the list already.

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)



Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by Peter Kelly <pm...@apache.org>.
> On 19 Aug 2015, at 4:04 am, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> I did some digging into the release and release-review procedures and I noticed that one practice is to place a KEYS file in the same folder as the release candidates (and then the release folder) on the Apache site where the candidates are stored.  This would include at least the public key that can be used to verify the .asc digital signature on the RC.
> 
> I think that can be done now, even with [VOTE]ing in progress, because it is not about the substance of the [VOTE].

Or we could just use Jan’s public key as has been discussed ad infinitum on the list already.

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)


Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by Peter Kelly <pm...@apache.org>.
> On 19 Aug 2015, at 4:04 am, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> I did some digging into the release and release-review procedures and I noticed that one practice is to place a KEYS file in the same folder as the release candidates (and then the release folder) on the Apache site where the candidates are stored.  This would include at least the public key that can be used to verify the .asc digital signature on the RC.
> 
> I think that can be done now, even with [VOTE]ing in progress, because it is not about the substance of the [VOTE].

I wish you had raised this during the discussion period, because we’ve already started on the vote, and what I (and possibly others, but I can only speak for myself) have based my vote on is am I happy with this *exact* release. I don’t agree with making changes or additions to the release artefacts (however small) once a vote has begun. If enough people consider the lack of a KEYS file to be a sufficiently major problem, then they are free to vote -1 and then we can make changes and start another [VOTE]. Keep in mind this is the very first release, we have plenty of opportunities to change things in the second and subsequent releases.

I’d be interested to see a link to the official policy which states that this is required; I haven’t been able to find any reference to it. I had a brief look through the release directories of other projects and found the file in some but not others. If it turns out it is officially required, well, we can fix it.

I’m keen to get this release out and into IPMC’s hands for a vote, as it’s possible there may be other issues we need to fix. If this is the case, I’d prefer to get a list of them, and fix them all in one go, rather than aborting/restarting [VOTE]s after the discussion period as they are fixed one by one.

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)


RE: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I did some digging into the release and release-review procedures and I noticed that one practice is to place a KEYS file in the same folder as the release candidates (and then the release folder) on the Apache site where the candidates are stored.  This would include at least the public key that can be used to verify the .asc digital signature on the RC.

I think that can be done now, even with [VOTE]ing in progress, because it is not about the substance of the [VOTE].

 - Dennis

-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] 
Sent: Friday, August 14, 2015 11:12
To: dev@corinthia.incubator.apache.org
Subject: RE: [DISCUSS][PRE-VOTE] Release candidate 0.1

I'm sorry that my question was unclear.  It was not that I didn't know how to find Jan's public key.  My question is how any third party could determine who the release manager is and how to find an authentic version of that committer's public key for verifying the signature on an alleged release (candidate).

I know how to find that public key, although apparently it does not correspond to the private key that was used [;<).

 - Dennis

-----Original Message-----
From: Peter Kelly [mailto:pmkelly@apache.org] 
Sent: Friday, August 14, 2015 10:22
To: dev@corinthia.incubator.apache.org
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

> On 14 Aug 2015, at 11:23 pm, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> Please provide an authoritative ASF location of the public key to use for checking the signature.  It would be something like a continuously verified key on this list: <https://people.apache.org/keys/committer/>.

https://people.apache.org/keys/committer/jani.asc

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)



Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by jan i <ja...@apache.org>.
On 14 August 2015 at 20:11, Dennis E. Hamilton <de...@acm.org>
wrote:

> I'm sorry that my question was unclear.  It was not that I didn't know how
> to find Jan's public key.  My question is how any third party could
> determine who the release manager is and how to find an authentic version
> of that committer's public key for verifying the signature on an alleged
> release (candidate).
>
Well it is easy, try to verify the zip file, then it will tell you my name.
Some projects also add a KEYS file on dist together with the release,
it is something we can consider.

>
> I know how to find that public key, although apparently it does not
> correspond to the private key that was used [;<).
>
it does now, follow the guide I wrote to you. It also did before, if you
downloaded from the keys server.
(seems you have an old asc file).

rgds
jan i.


>
>  - Dennis
>
> -----Original Message-----
> From: Peter Kelly [mailto:pmkelly@apache.org]
> Sent: Friday, August 14, 2015 10:22
> To: dev@corinthia.incubator.apache.org
> Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1
>
> > On 14 Aug 2015, at 11:23 pm, Dennis E. Hamilton <de...@acm.org>
> wrote:
> >
> > Please provide an authoritative ASF location of the public key to use
> for checking the signature.  It would be something like a continuously
> verified key on this list: <https://people.apache.org/keys/committer/>.
>
> https://people.apache.org/keys/committer/jani.asc
>
> —
> Dr Peter M. Kelly
> pmkelly@apache.org
>
> PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
> (fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
>
>
>

RE: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I'm sorry that my question was unclear.  It was not that I didn't know how to find Jan's public key.  My question is how any third party could determine who the release manager is and how to find an authentic version of that committer's public key for verifying the signature on an alleged release (candidate).

I know how to find that public key, although apparently it does not correspond to the private key that was used [;<).

 - Dennis

-----Original Message-----
From: Peter Kelly [mailto:pmkelly@apache.org] 
Sent: Friday, August 14, 2015 10:22
To: dev@corinthia.incubator.apache.org
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

> On 14 Aug 2015, at 11:23 pm, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> Please provide an authoritative ASF location of the public key to use for checking the signature.  It would be something like a continuously verified key on this list: <https://people.apache.org/keys/committer/>.

https://people.apache.org/keys/committer/jani.asc

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)



Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by Peter Kelly <pm...@apache.org>.
> On 14 Aug 2015, at 11:23 pm, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> Please provide an authoritative ASF location of the public key to use for checking the signature.  It would be something like a continuously verified key on this list: <https://people.apache.org/keys/committer/>.

https://people.apache.org/keys/committer/jani.asc

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)


Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by jan i <ja...@apache.org>.
My error, seems the default signing on my notebook was wrong (I will later
update id.a.o to have both keys).

I have generated a new asc file based on key CB94DE73. Which is the one you
find on people.

Sorry for the inconvenience.

rgds
jan i.


On 14 August 2015 at 18:47, jan i <ja...@apache.org> wrote:

> you never know, so I went on and tested on my azura vm:
>
>
> C:\users\jani\opensource\dist_dev_incubator\corinthia> gpg
> .\incubator-corinthia_release_0.1.zip.asc
> gpg: Signature made 08/14/15 11:51:06 using RSA key ID 577E7412
> gpg: Good signature from "jan iversen <ja...@gmail.com>"
>
> Could it be a setup problem on your side ?
>
> rgds
> jan I.
>
>
> On 14 August 2015 at 18:44, jan i <ja...@apache.org> wrote:
>
>>
>>
>> On Friday, August 14, 2015, Dennis E. Hamilton <de...@acm.org>
>> wrote:
>>
>>> Please provide an authoritative ASF location of the public key to use
>>> for checking the signature.  It would be something like a continuously
>>> verified key on this list: <https://people.apache.org/keys/committer/>.
>>> (This establishes both the name of the ASF committer who possesses the
>>> signature and that the key has not been revoked.)
>>
>>
>> ????? if you look there you will see my key.
>>
>> This is done automatically when you add your key to id.a.o
>>
>>
>>
>>>
>>> How will that be made known to reviewers and downloaders of the Release
>>> Candidate?
>>
>> well people.a.o/keys/committer is the official place, my key is
>> furthermore uploaded on a couple of key servers.
>>
>> rgds
>> jan i
>>
>>>
>>>  - Dennis
>>>
>>> ----- Failure Output -----
>>> Microsoft Windows [Version 10.0.10240]
>>> (c) 2015 Microsoft Corporation. All rights reserved.
>>>
>>> C:\Program Files (x86)\GNU\GnuPG>gpg2
>>> d:\Apache\corinthia\rc\incubator-corinthia
>>> _release_0.1.zip.asc
>>> gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA
>>> key ID 577
>>> E7412
>>> gpg: Can't check signature: No public key
>>>
>>> C:\Program Files (x86)\GNU\GnuPG>
>>>
>>>
>>>
>>>
>>
>> --
>> Sent from My iPad, sorry for any misspellings.
>>
>
>

Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by jan i <ja...@apache.org>.
On 14 August 2015 at 19:34, Dennis E. Hamilton <de...@acm.org>
wrote:

> I think it looks good to you because you signed it and you have the public
> key.
>
> I obviously do not have the public key of the signer.
>
well you need to add that to your own keyring.

you can do that by using:
gpg --keyserver hkp://keys.gnupg.net --recv-keys CB94DE73
or downloading jani.asc and importing it.


>
> Furthermore, nowhere am I told that I need yours.  I am reviewing this as
> someone who is not on the project.  Somewhere, it must be specified what
> public key is needed and how to obtain it from a safe place.  That is what
> I am asking for.
>
you could read about how gpg works, that is not something we should
document.

>
> What is the information that an outsider needs in order to know who is the
> release manager/signer is and how to find an authentic public key for that
> committer?
>
> When that information is provided, I can proceed with any review of the
> source zip.
>
I do not understand that relationship, you can download the zip file and
control the content, without looking at the asc file. The zip file is ready
to open and use.

rgds
jan i.


>
> Thanks,
>
>  - Dennis
>
> -----Original Message-----
> From: jan i [mailto:jani@apache.org]
> Sent: Friday, August 14, 2015 09:47
> To: jan i <ja...@apache.org>
> Cc: dev@corinthia.incubator.apache.org; dennis.hamilton@acm.org
> Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1
>
> you never know, so I went on and tested on my azura vm:
>
>
> C:\users\jani\opensource\dist_dev_incubator\corinthia> gpg
> .\incubator-corinthia_release_0.1.zip.asc
> gpg: Signature made 08/14/15 11:51:06 using RSA key ID 577E7412
> gpg: Good signature from "jan iversen <ja...@gmail.com>"
>
> Could it be a setup problem on your side ?
>
> rgds
> jan I.
>
>
> On 14 August 2015 at 18:44, jan i <ja...@apache.org> wrote:
>
> >
> >
> > On Friday, August 14, 2015, Dennis E. Hamilton <de...@acm.org>
> > wrote:
> >
> >> Please provide an authoritative ASF location of the public key to use
> for
> >> checking the signature.  It would be something like a continuously
> verified
> >> key on this list: <https://people.apache.org/keys/committer/>.  (This
> >> establishes both the name of the ASF committer who possesses the
> signature
> >> and that the key has not been revoked.)
> >
> >
> > ????? if you look there you will see my key.
> >
> > This is done automatically when you add your key to id.a.o
> >
> >
> >
> >>
> >> How will that be made known to reviewers and downloaders of the Release
> >> Candidate?
> >
> > well people.a.o/keys/committer is the official place, my key is
> > furthermore uploaded on a couple of key servers.
> >
> > rgds
> > jan i
> >
> >>
> >>  - Dennis
> >>
> >> ----- Failure Output -----
> >> Microsoft Windows [Version 10.0.10240]
> >> (c) 2015 Microsoft Corporation. All rights reserved.
> >>
> >> C:\Program Files (x86)\GNU\GnuPG>gpg2
> >> d:\Apache\corinthia\rc\incubator-corinthia
> >> _release_0.1.zip.asc
> >> gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA
> key
> >> ID 577
> >> E7412
> >> gpg: Can't check signature: No public key
> >>
> >> C:\Program Files (x86)\GNU\GnuPG>
> >>
> >>
> >>
> >>
> >
> > --
> > Sent from My iPad, sorry for any misspellings.
> >
>
>

Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by Peter Kelly <pm...@apache.org>.
> On 15 Aug 2015, at 2:21 am, jan i <ja...@apache.org> wrote:
> 
> I have just uploaded a new candidate made on ubuntu. It seems to have
> something to do with my network drives (amazing).

Ok, line endings are good now, all tests pass (tested on OS X, Linux, and Windows).

The zip problem still remains though:

peter@macbookpro:~/temp$ ~/dev/c/build-mac/bin/dfconvert get test.docx test.html
peter@macbookpro:~/temp$ ~/dev/c/build-mac/bin/dfconvert put test.docx test.html
peter@macbookpro:~/temp$ open test.docx 

Word complains about the file being corrupt.

It looks like it’s to do with file permissions inside the zip file… I manually unzipped it (using the unzip command on OS X) and the files were all marked with permission bits of 0:

peter@macbookpro:~/temp/1$ unzip ../test.docx 
Archive:  ../test.docx
generated by Corinthia
  inflating: word/document.xml       
  inflating: _rels/.rels             
  inflating: word/stylesWithEffects.xml  
  inflating: word/styles.xml         
  inflating: word/fontTable.xml      
  inflating: word/_rels/document.xml.rels  
  inflating: word/settings.xml       
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        
  inflating: word/theme/theme1.xml   
  inflating: docProps/thumbnail.jpeg  
  inflating: word/webSettings.xml    
  inflating: [Content_Types].xml     

peter@macbookpro:~/temp/1$ ls -lF word
total 96
drwxr-xr-x  3 peter  staff    102 15 Aug 02:34 _rels/
----------  1 peter  staff    739 31 Dec  1979 document.xml
----------  1 peter  staff   2023 31 Dec  1979 fontTable.xml
----------  1 peter  staff   1535 31 Dec  1979 settings.xml
----------  1 peter  staff  14641 31 Dec  1979 styles.xml
----------  1 peter  staff  15740 31 Dec  1979 stylesWithEffects.xml
drwxr-xr-x  3 peter  staff    102 15 Aug 02:34 theme/
----------  1 peter  staff    431 31 Dec  1979 webSettings.xml

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)


Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by jan i <ja...@apache.org>.
On 14 August 2015 at 21:18, Peter Kelly <pm...@apache.org> wrote:

> > On 15 Aug 2015, at 2:16 am, Peter Kelly <pm...@apache.org> wrote:
> >
> >> On 15 Aug 2015, at 1:54 am, Dennis E. Hamilton <de...@acm.org>
> wrote:
> >>
> >> My question is as a reviewer, applying my beginner's mind as well as I
> can. I assume the third party is not on our dev@ list and is responding
> to an announcement of the availability of an incubator release.  I do not
> want to rely on tacit knowledge or what I could figure out as a
> knowledgeable participant on ASF Projects.  We're talking about something
> made available to the public.
> >>
> >> Is that understandable, now?
> >
> > Yes - and thanks for the clarification. I agree that when the release
> occurs, the relevant download page on the website should contain a link to
> the signature.
>
> (sorry, i meant signature and public key)
>
I know what you meant and I agree. I am not sure though that we will make a
download page especially for this release but of course for later releases.



I have just uploaded a new candidate made on ubuntu. It seems to have
something to do with my network drives (amazing).

rgds
jan i.



>
> —
> Dr Peter M. Kelly
> pmkelly@apache.org
>
> PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
> (fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
>
>

Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by Peter Kelly <pm...@apache.org>.
> On 15 Aug 2015, at 2:16 am, Peter Kelly <pm...@apache.org> wrote:
> 
>> On 15 Aug 2015, at 1:54 am, Dennis E. Hamilton <de...@acm.org> wrote:
>> 
>> My question is as a reviewer, applying my beginner's mind as well as I can. I assume the third party is not on our dev@ list and is responding to an announcement of the availability of an incubator release.  I do not want to rely on tacit knowledge or what I could figure out as a knowledgeable participant on ASF Projects.  We're talking about something made available to the public.
>> 
>> Is that understandable, now?
> 
> Yes - and thanks for the clarification. I agree that when the release occurs, the relevant download page on the website should contain a link to the signature.

(sorry, i meant signature and public key)

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)


Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by Peter Kelly <pm...@apache.org>.
> On 15 Aug 2015, at 1:54 am, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> My question is as a reviewer, applying my beginner's mind as well as I can. I assume the third party is not on our dev@ list and is responding to an announcement of the availability of an incubator release.  I do not want to rely on tacit knowledge or what I could figure out as a knowledgeable participant on ASF Projects.  We're talking about something made available to the public.
> 
> Is that understandable, now?

Yes - and thanks for the clarification. I agree that when the release occurs, the relevant download page on the website should contain a link to the signature.

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)


Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by jan i <ja...@apache.org>.
On 14 August 2015 at 20:54, Dennis E. Hamilton <de...@acm.org>
wrote:

> I am failing to be clear about something.
>
> Of course I am on the project.
>
> And I am reviewing a release candidate.
>
> My review is from the perspective of what a third party needs to know in
> order to obtain and use the release candidate, were it approved as a
> release.
>
> Isn't that the purpose of such review?  To assess what they will find and
> its nature with regard to Apache Project practices, etc.
>
> I do not need to be taught how to add a public key to my key ring, or how
> to find Jan's key on the list of Apache committer's keys.
>
> My question is as a reviewer, applying my beginner's mind as well as I
> can. I assume the third party is not on our dev@ list and is responding
> to an announcement of the availability of an incubator release.  I do not
> want to rely on tacit knowledge or what I could figure out as a
> knowledgeable participant on ASF Projects.  We're talking about something
> made available to the public.
>
> Is that understandable, now?
>
for sure it is understandable, just very unclear what the relation is to
checking if our release is ok. You seem to be several steps further and
concerned about the end-users.

May I politely suggest we concentrate on making sure the release will pass
all votes, then we can later add documentation on e.g. our web site for end
users.

rgds
jan i.


>
>  - Dennis
>
> -----Original Message-----
> From: Peter Kelly [mailto:pmkelly@apache.org]
> Sent: Friday, August 14, 2015 10:42
> To: dev@corinthia.incubator.apache.org
> Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1
>
> > On 15 Aug 2015, at 12:34 am, Dennis E. Hamilton <de...@acm.org>
> wrote:
> >
> > I think it looks good to you because you signed it and you have the
> public key.
> >
> > I obviously do not have the public key of the signer.
> >
> > Furthermore, nowhere am I told that I need yours.  I am reviewing this
> as someone who is not on the project.
>
> My understanding is that you *are* on the project - these release
> candidates are intended for people who are on the project.
>
> Even if someone were not on the project, I don’t think it’s an
> unreasonable stretch to assume that Jan is the signer, or that at minimum a
> verification could be attempted using his public key.
>
> [ ... ]
>
>
>

RE: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I am failing to be clear about something.

Of course I am on the project.

And I am reviewing a release candidate.

My review is from the perspective of what a third party needs to know in order to obtain and use the release candidate, were it approved as a release. 

Isn't that the purpose of such review?  To assess what they will find and its nature with regard to Apache Project practices, etc.

I do not need to be taught how to add a public key to my key ring, or how to find Jan's key on the list of Apache committer's keys.

My question is as a reviewer, applying my beginner's mind as well as I can. I assume the third party is not on our dev@ list and is responding to an announcement of the availability of an incubator release.  I do not want to rely on tacit knowledge or what I could figure out as a knowledgeable participant on ASF Projects.  We're talking about something made available to the public.

Is that understandable, now?

 - Dennis

-----Original Message-----
From: Peter Kelly [mailto:pmkelly@apache.org] 
Sent: Friday, August 14, 2015 10:42
To: dev@corinthia.incubator.apache.org
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

> On 15 Aug 2015, at 12:34 am, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> I think it looks good to you because you signed it and you have the public key.
> 
> I obviously do not have the public key of the signer.
> 
> Furthermore, nowhere am I told that I need yours.  I am reviewing this as someone who is not on the project.  

My understanding is that you *are* on the project - these release candidates are intended for people who are on the project.

Even if someone were not on the project, I don’t think it’s an unreasonable stretch to assume that Jan is the signer, or that at minimum a verification could be attempted using his public key.

[ ... ]



Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by Peter Kelly <pm...@apache.org>.
> On 15 Aug 2015, at 12:34 am, Dennis E. Hamilton <de...@acm.org> wrote:
> 
> I think it looks good to you because you signed it and you have the public key.
> 
> I obviously do not have the public key of the signer.
> 
> Furthermore, nowhere am I told that I need yours.  I am reviewing this as someone who is not on the project.  

My understanding is that you *are* on the project - these release candidates are intended for people who are on the project.

Even if someone were not on the project, I don’t think it’s an unreasonable stretch to assume that Jan is the signer, or that at minimum a verification could be attempted using his public key.

> Somewhere, it must be specified what public key is needed and how to obtain it from a safe place.  That is what I am asking for.  

Jan and I have both now given you this information.

> What is the information that an outsider needs in order to know who is the release manager/signer is and how to find an authentic public key for that committer?
> 
> When that information is provided, I can proceed with any review of the source zip.

The name of the person posting the release candidates, as can be seen from the mailing list, is Jan Iversen. This person’s email address is jani@apache.org, which implies that his Apache ID is jani. The ASF maintains the public keys of all committers at https://people.apache.org/keys/committer/, where each file has the name of the username. Therefore Jan’s key, and by extension the key with which the release candidate was signed, is available at https://people.apache.org/keys/committer/jani.asc.

—
Dr Peter M. Kelly
pmkelly@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
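
Jan's recipe earlier in the thread (import the committer key from people.apache.org or a KEYS file, then verify the .asc) and Peter's reasoning about where the authentic key lives, carried through as an added example that is neither Corinthia project code nor either author's. It assumes a `gpg` binary on PATH and a caller-supplied KEYS file; the constructed status lines at the end use made-up fingerprints and model the thread's outcomes (a signature made by key 577E7412 while only the key ending CB94DE73 is the one published).

```python
"""Verify a release artefact's detached .asc signature against a KEYS file.

Added example, not Corinthia project code. Assumes a `gpg` binary on PATH;
the status keywords parsed below are GnuPG's documented --status-fd output.
"""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""
    signer: str = ""


# Machine-readable status lines look like "[GNUPG:] KEYWORD args..."
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def classify_status(status_text: str, trusted_fprs: set) -> Verdict:
    """Accept only GOODSIG + VALIDSIG whose fingerprint is in the KEYS file.

    "Good signature" on its own proves only that *some* key in the local
    keyring signed the file; the fingerprint must also match a key published
    at an authoritative location, which is the point the thread turns on.
    """
    good, signer, fpr = False, "", ""
    for line in status_text.splitlines():
        m = _STATUS.match(line.strip())
        if not m:
            continue
        kw, args = m.group(1), (m.group(2) or "")
        if kw == "NO_PUBKEY":
            return Verdict(False, f"no public key for {args.split()[0]}")
        if kw in ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"{kw}: {args}")
        if kw == "GOODSIG":
            good = True
            signer = args.split(" ", 1)[1] if " " in args else ""
        elif kw == "VALIDSIG":
            fpr = args.split()[0].upper()  # first field: signing key fingerprint
    if not good or not fpr:
        return Verdict(False, "no GOODSIG/VALIDSIG reported")
    if fpr not in trusted_fprs:
        return Verdict(False, f"valid signature, but key {fpr} is not in KEYS", fpr, signer)
    return Verdict(True, "good signature from a key listed in KEYS", fpr, signer)


def trusted_fingerprints(keys_file: str, gnupghome: str) -> set:
    """Import KEYS into an isolated keyring and return its full fingerprints."""
    subprocess.run(["gpg", "--homedir", gnupghome, "--batch", "--import", keys_file],
                   check=True, capture_output=True)
    out = subprocess.run(["gpg", "--homedir", gnupghome, "--batch", "--with-colons",
                          "--fingerprint"], check=True, capture_output=True, text=True).stdout
    # --with-colons: "fpr" records carry the fingerprint in field 10
    return {ln.split(":")[9].upper() for ln in out.splitlines() if ln.startswith("fpr:")}


def verify_release(artefact: str, signature: str, keys_file: str) -> Verdict:
    """Full check: fresh keyring, import KEYS, verify the artefact, classify."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)  # gpg warns on group/world-readable homedirs
        trusted = trusted_fingerprints(keys_file, home)
        proc = subprocess.run(["gpg", "--homedir", home, "--batch", "--status-fd", "1",
                               "--verify", signature, artefact],
                              capture_output=True, text=True)
        return classify_status(proc.stdout, trusted)


# Constructed status output modelling the outcomes seen in the thread. The
# fingerprints are made up; only the trailing key IDs come from the posts.
KEYS_FPR = "00001111222233334444555566667777CB94DE73"  # constructed: the published key
SAMPLE_STATUS = {
    "good": ("[GNUPG:] NEWSIG\n"
             "[GNUPG:] GOODSIG 66667777CB94DE73 Release Manager <rm@example.invalid>\n"
             f"[GNUPG:] VALIDSIG {KEYS_FPR} 2015-08-14 1439545866 0 4 0 1 10 00 {KEYS_FPR}\n"),
    "no_pubkey": ("[GNUPG:] ERRSIG 55556666577E7412 1 10 00 1439545866 9\n"
                  "[GNUPG:] NO_PUBKEY 55556666577E7412\n"),
    "other_key": ("[GNUPG:] GOODSIG 55556666577E7412 Release Manager <rm@example.invalid>\n"
                  f"[GNUPG:] VALIDSIG {KEYS_FPR.replace('CB94DE73', '577E7412')} "
                  "2015-08-14 1439545866 0 4 0 1 10 00\n"),
}


def demo_verdicts() -> dict:
    """Classify each constructed sample against the constructed KEYS fingerprint."""
    return {name: classify_status(text, {KEYS_FPR}) for name, text in SAMPLE_STATUS.items()}


if __name__ == "__main__":
    for name, v in demo_verdicts().items():
        print(f"{name:10s} ok={v.ok} {v.reason}")
```

Parsing `--status-fd` rather than the localized human-readable lines avoids mis-reading output such as the Windows session quoted in the thread, and the isolated keyring means no key already on the reviewer's machine can make the check pass.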


RE: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I think it looks good to you because you signed it and you have the public key.

I obviously do not have the public key of the signer.

Furthermore, nowhere am I told that I need yours.  I am reviewing this as someone who is not on the project.  Somewhere, it must be specified what public key is needed and how to obtain it from a safe place.  That is what I am asking for.  

What is the information that an outsider needs in order to know who is the release manager/signer is and how to find an authentic public key for that committer?

When that information is provided, I can proceed with any review of the source zip.

Thanks,

 - Dennis

-----Original Message-----
From: jan i [mailto:jani@apache.org] 
Sent: Friday, August 14, 2015 09:47
To: jan i <ja...@apache.org>
Cc: dev@corinthia.incubator.apache.org; dennis.hamilton@acm.org
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

you never know, so I went on and tested on my azura vm:


C:\users\jani\opensource\dist_dev_incubator\corinthia> gpg
.\incubator-corinthia_release_0.1.zip.asc
gpg: Signature made 08/14/15 11:51:06 using RSA key ID 577E7412
gpg: Good signature from "jan iversen <ja...@gmail.com>"

Could it be a setup problem on your side ?

rgds
jan I.


On 14 August 2015 at 18:44, jan i <ja...@apache.org> wrote:

>
>
> On Friday, August 14, 2015, Dennis E. Hamilton <de...@acm.org>
> wrote:
>
>> Please provide an authoritative ASF location of the public key to use for
>> checking the signature.  It would be something like a continuously verified
>> key on this list: <https://people.apache.org/keys/committer/>.  (This
>> establishes both the name of the ASF committer who possesses the signature
>> and that the key has not been revoked.)
>
>
> ????? if you look there you will see my key.
>
> This is done automatically when you add your key to id.a.o
>
>
>
>>
>> How will that be made known to reviewers and downloaders of the Release
>> Candidate?
>
> well people.a.o/keys/committer is the official place, my key is
> furthermore uploaded on a couple of key servers.
>
> rgds
> jan i
>
>>
>>  - Dennis
>>
>> ----- Failure Output -----
>> Microsoft Windows [Version 10.0.10240]
>> (c) 2015 Microsoft Corporation. All rights reserved.
>>
>> C:\Program Files (x86)\GNU\GnuPG>gpg2
>> d:\Apache\corinthia\rc\incubator-corinthia
>> _release_0.1.zip.asc
>> gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA key
>> ID 577
>> E7412
>> gpg: Can't check signature: No public key
>>
>> C:\Program Files (x86)\GNU\GnuPG>
>>
>>
>>
>>
>
> --
> Sent from My iPad, sorry for any misspellings.
>


Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by jan i <ja...@apache.org>.
you never know, so I went on and tested on my azura vm:


C:\users\jani\opensource\dist_dev_incubator\corinthia> gpg
.\incubator-corinthia_release_0.1.zip.asc
gpg: Signature made 08/14/15 11:51:06 using RSA key ID 577E7412
gpg: Good signature from "jan iversen <ja...@gmail.com>"

Could it be a setup problem on your side ?

rgds
jan I.


On 14 August 2015 at 18:44, jan i <ja...@apache.org> wrote:

>
>
> On Friday, August 14, 2015, Dennis E. Hamilton <de...@acm.org>
> wrote:
>
>> Please provide an authoritative ASF location of the public key to use for
>> checking the signature.  It would be something like a continuously verified
>> key on this list: <https://people.apache.org/keys/committer/>.  (This
>> establishes both the name of the ASF committer who possesses the signature
>> and that the key has not been revoked.)
>
>
> ????? if you look there you will see my key.
>
> This is done automatically when you add your key to id.a.o
>
>
>
>>
>> How will that be made known to reviewers and downloaders of the Release
>> Candidate?
>
> well people.a.o/keys/committer is the official place, my key is
> furthermore uploaded on a couple of key servers.
>
> rgds
> jan i
>
>>
>>  - Dennis
>>
>> ----- Failure Output -----
>> Microsoft Windows [Version 10.0.10240]
>> (c) 2015 Microsoft Corporation. All rights reserved.
>>
>> C:\Program Files (x86)\GNU\GnuPG>gpg2
>> d:\Apache\corinthia\rc\incubator-corinthia
>> _release_0.1.zip.asc
>> gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA key
>> ID 577
>> E7412
>> gpg: Can't check signature: No public key
>>
>> C:\Program Files (x86)\GNU\GnuPG>
>>
>>
>>
>>
>
> --
> Sent from My iPad, sorry for any misspellings.
>

Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

Posted by jan i <ja...@apache.org>.
On Friday, August 14, 2015, Dennis E. Hamilton <de...@acm.org>
wrote:

> Please provide an authoritative ASF location of the public key to use for
> checking the signature.  It would be something like a continuously verified
> key on this list: <https://people.apache.org/keys/committer/>.  (This
> establishes both the name of the ASF committer who possesses the signature
> and that the key has not been revoked.)


????? if you look there you will see my key.

This is done automatically when you add your key to id.a.o



>
> How will that be made known to reviewers and downloaders of the Release
> Candidate?

well people.a.o/keys/committer is the official place, my key is furthermore
uploaded on a couple of key servers.

rgds
jan i

>
>  - Dennis
>
> ----- Failure Output -----
> Microsoft Windows [Version 10.0.10240]
> (c) 2015 Microsoft Corporation. All rights reserved.
>
> C:\Program Files (x86)\GNU\GnuPG>gpg2
> d:\Apache\corinthia\rc\incubator-corinthia
> _release_0.1.zip.asc
> gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA key
> ID 577
> E7412
> gpg: Can't check signature: No public key
>
> C:\Program Files (x86)\GNU\GnuPG>
>
>
>
>

-- 
Sent from My iPad, sorry for any misspellings.