You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tamaya.apache.org by Anatole Tresch <at...@gmail.com> on 2019/08/27 07:20:59 UTC
[VOTE] Release of Apache Tamaya 0.4-incubating, RC2
Hi,
I was running the needed tasks to get the 0.4-incubating release of Tamaya
out.
The artifacts available via the Apache distribution repository [1] and
also via Apache's Nexus [2].
The tag for this release candidate is available at [3] and will be renamed
once the vote passed.
Please take a look at the artifacts and vote!
Please note:
This vote is a "majority approval" with a minimum of three +1 votes (see
[4]).
------------------------------------------------
[ ] +1 for community members who have reviewed the bits
[ ] +0
[ ] -1 for fatal flaws that should cause these bits not to be released, and
why ...
------------------------------------------------
Thanks,
Anatole Tresch
[1] https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/
[2] https://repository.apache.org/content/repositories/orgapachetamaya-1037
[3]
https://gitbox.apache.org/repos/asf?p=incubator-tamaya.git;a=commit;h=d2d60786e3e72a2bb16e14e1b195f7b2487a33eb
[4] http://www.apache.org/foundation/voting.html#ReleaseVotes
--
*Anatole Tresch*
PPMC Member Apache Tamaya
JCP Star Spec Lead
*Switzerland, Europe Zurich, GMT+1*
*maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
*Twitter: @atsticks, @tamayaconf*
Re: [VOTE] Release of Apache Tamaya 0.4-incubating, RC2
Posted by "P. Ottlinger" <po...@apache.org>.
Am 27.08.19 um 20:46 schrieb Aaron Coburn:
> (That key is, in fact, older than the one listed in the KEYS file)
>
> Maybe Julian can advise on whether these are blockers for a release.
As the KEYS are supposed to be the way to authenticate artifacts they
should be correct ...... @Anatole: can you resign the artifacts with the
correct key (that matches KEYS' contents)?
Thanks,
Phil
[RESULT][VOTE] Release of Apache Tamaya 0.4-incubating, RC2
Posted by Anatole Tresch <at...@gmail.com>.
This vote has been closed with no.
As mentioned earlier, we have to build a third RC due to outdated certs
used. Stay tuned...
Am Di., 27. Aug. 2019 um 20:46 Uhr schrieb Aaron Coburn <
aaron.coburn@gmail.com>:
> Thanks so much for cutting the second release candidate. The source looks
> great (no SNAPSHOT dependencies); I was able to successfully compile and
> test the code. And I was able to successfully use the CDI and Microprofile
> extensions in an external project.
>
> I'd give a +1, but there are two issues I found with the artifacts in the
> distribution area.
>
> First, I believe the .tar.gz and .zip files should have a corresponding
> sha512 checksum (there are no checksum files in
>
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/apiandcore/
> or
>
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/extensions/
> )
>
> Second, I had some difficulty validating the signatures on the files
> themselves. I can import the KEYS file fine:
>
> $ gpg --import KEYS
>
> But the key used to sign these artifacts doesn't seem to be contained in
> that KEYS file. That is, Anatole's public key in the KEYS file has this
> signature: 2791 0BA2 1336 D3E6, but the key used to sign the files is 5B38
> A3EA FE9D 018B. I was able to find that key on a public keyserver, and it
> is registered to anatole@apache.org, but it has also been revoked:
>
> $ gpg --verify apache-tamaya-distribution-0.4-incubating-src.tar.gz.asc
> apache-tamaya-distribution-0.4-incubating-src.tar.gz
> gpg: Signature made Mon Aug 26 18:12:12 2019 EDT
> gpg: using RSA key 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B
> gpg: Good signature from "Anatole Tresch <an...@apache.org>" [unknown]
> gpg: WARNING: This key has been revoked by its owner!
> gpg: This could mean that the signature is forged.
> gpg: reason for revocation: Key is superseded
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 754A 1B93 C9D5 D553 482A 6FAE 5B38 A3EA FE9D 018B
>
> (That key is, in fact, older than the one listed in the KEYS file)
>
> Maybe Julian can advise on whether these are blockers for a release.
>
> Cheers,
> Aaron
>
> On Tue, 27 Aug 2019 at 03:21, Anatole Tresch <at...@gmail.com> wrote:
>
> > Hi,
> >
> > I was running the needed tasks to get the 0.4-incubating release of
> Tamaya
> > out.
> > The artifacts available via the Apache distribution repository [1] and
> > also via Apache's Nexus [2].
> >
> > The tag for this release candidate is available at [3] and will be
> renamed
> > once the vote passed.
> > Please take a look at the artifacts and vote!
> >
> > Please note:
> > This vote is a "majority approval" with a minimum of three +1 votes (see
> > [4]).
> >
> > ------------------------------------------------
> > [ ] +1 for community members who have reviewed the bits
> > [ ] +0
> > [ ] -1 for fatal flaws that should cause these bits not to be released,
> and
> > why ...
> > ------------------------------------------------
> >
> > Thanks,
> > Anatole Tresch
> >
> > [1]
> > https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/
> >
> > [2]
> > https://repository.apache.org/content/repositories/orgapachetamaya-1037
> > [3]
> >
> >
> https://gitbox.apache.org/repos/asf?p=incubator-tamaya.git;a=commit;h=d2d60786e3e72a2bb16e14e1b195f7b2487a33eb
> > [4] http://www.apache.org/foundation/voting.html#ReleaseVotes
> >
> >
> >
> > --
> > *Anatole Tresch*
> > PPMC Member Apache Tamaya
> > JCP Star Spec Lead
> > *Switzerland, Europe Zurich, GMT+1*
> > *maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
> > *Twitter: @atsticks, @tamayaconf*
> >
>
--
*Anatole Tresch*
PPMC Member Apache Tamaya
JCP Star Spec Lead
*Switzerland, Europe Zurich, GMT+1*
*maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
*Twitter: @atsticks, @tamayaconf*
Re: [VOTE] Release of Apache Tamaya 0.4-incubating, RC2
Posted by Anatole Tresch <at...@gmail.com>.
Great, another showstopper - OMG. Well why does not any tool tell me on
earth that the key on my windows account is outdated/revoked ...
Next time I build things on my Linux box ...
Am Di., 27. Aug. 2019 um 20:46 Uhr schrieb Aaron Coburn <
aaron.coburn@gmail.com>:
> Thanks so much for cutting the second release candidate. The source looks
> great (no SNAPSHOT dependencies); I was able to successfully compile and
> test the code. And I was able to successfully use the CDI and Microprofile
> extensions in an external project.
>
> I'd give a +1, but there are two issues I found with the artifacts in the
> distribution area.
>
> First, I believe the .tar.gz and .zip files should have a corresponding
> sha512 checksum (there are no checksum files in
>
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/apiandcore/
> or
>
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/extensions/
> )
>
> Second, I had some difficulty validating the signatures on the files
> themselves. I can import the KEYS file fine:
>
> $ gpg --import KEYS
>
> But the key used to sign these artifacts doesn't seem to be contained in
> that KEYS file. That is, Anatole's public key in the KEYS file has this
> signature: 2791 0BA2 1336 D3E6, but the key used to sign the files is 5B38
> A3EA FE9D 018B. I was able to find that key on a public keyserver, and it
> is registered to anatole@apache.org, but it has also been revoked:
>
> $ gpg --verify apache-tamaya-distribution-0.4-incubating-src.tar.gz.asc
> apache-tamaya-distribution-0.4-incubating-src.tar.gz
> gpg: Signature made Mon Aug 26 18:12:12 2019 EDT
> gpg: using RSA key 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B
> gpg: Good signature from "Anatole Tresch <an...@apache.org>" [unknown]
> gpg: WARNING: This key has been revoked by its owner!
> gpg: This could mean that the signature is forged.
> gpg: reason for revocation: Key is superseded
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 754A 1B93 C9D5 D553 482A 6FAE 5B38 A3EA FE9D 018B
>
> (That key is, in fact, older than the one listed in the KEYS file)
>
> Maybe Julian can advise on whether these are blockers for a release.
>
> Cheers,
> Aaron
>
> On Tue, 27 Aug 2019 at 03:21, Anatole Tresch <at...@gmail.com> wrote:
>
> > Hi,
> >
> > I was running the needed tasks to get the 0.4-incubating release of
> Tamaya
> > out.
> > The artifacts available via the Apache distribution repository [1] and
> > also via Apache's Nexus [2].
> >
> > The tag for this release candidate is available at [3] and will be
> renamed
> > once the vote passed.
> > Please take a look at the artifacts and vote!
> >
> > Please note:
> > This vote is a "majority approval" with a minimum of three +1 votes (see
> > [4]).
> >
> > ------------------------------------------------
> > [ ] +1 for community members who have reviewed the bits
> > [ ] +0
> > [ ] -1 for fatal flaws that should cause these bits not to be released,
> and
> > why ...
> > ------------------------------------------------
> >
> > Thanks,
> > Anatole Tresch
> >
> > [1]
> > https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/
> >
> > [2]
> > https://repository.apache.org/content/repositories/orgapachetamaya-1037
> > [3]
> >
> >
> https://gitbox.apache.org/repos/asf?p=incubator-tamaya.git;a=commit;h=d2d60786e3e72a2bb16e14e1b195f7b2487a33eb
> > [4] http://www.apache.org/foundation/voting.html#ReleaseVotes
> >
> >
> >
> > --
> > *Anatole Tresch*
> > PPMC Member Apache Tamaya
> > JCP Star Spec Lead
> > *Switzerland, Europe Zurich, GMT+1*
> > *maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
> > *Twitter: @atsticks, @tamayaconf*
> >
>
--
*Anatole Tresch*
PPMC Member Apache Tamaya
JCP Star Spec Lead
*Switzerland, Europe Zurich, GMT+1*
*maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
*Twitter: @atsticks, @tamayaconf*
Re: [VOTE] Release of Apache Tamaya 0.4-incubating, RC2
Posted by Aaron Coburn <aa...@gmail.com>.
Thanks so much for cutting the second release candidate. The source looks
great (no SNAPSHOT dependencies); I was able to successfully compile and
test the code. And I was able to successfully use the CDI and Microprofile
extensions in an external project.
I'd give a +1, but there are two issues I found with the artifacts in the
distribution area.
First, I believe the .tar.gz and .zip files should have a corresponding
sha512 checksum (there are no checksum files in
https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/apiandcore/
or
https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/extensions/
)
Second, I had some difficulty validating the signatures on the files
themselves. I can import the KEYS file fine:
$ gpg --import KEYS
But the key used to sign these artifacts doesn't seem to be contained in
that KEYS file. That is, Anatole's public key in the KEYS file has this
signature: 2791 0BA2 1336 D3E6, but the key used to sign the files is 5B38
A3EA FE9D 018B. I was able to find that key on a public keyserver, and it
is registered to anatole@apache.org, but it has also been revoked:
$ gpg --verify apache-tamaya-distribution-0.4-incubating-src.tar.gz.asc
apache-tamaya-distribution-0.4-incubating-src.tar.gz
gpg: Signature made Mon Aug 26 18:12:12 2019 EDT
gpg: using RSA key 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B
gpg: Good signature from "Anatole Tresch <an...@apache.org>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key is superseded
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 754A 1B93 C9D5 D553 482A 6FAE 5B38 A3EA FE9D 018B
(That key is, in fact, older than the one listed in the KEYS file)
Maybe Julian can advise on whether these are blockers for a release.
Cheers,
Aaron
On Tue, 27 Aug 2019 at 03:21, Anatole Tresch <at...@gmail.com> wrote:
> Hi,
>
> I was running the needed tasks to get the 0.4-incubating release of Tamaya
> out.
> The artifacts available via the Apache distribution repository [1] and
> also via Apache's Nexus [2].
>
> The tag for this release candidate is available at [3] and will be renamed
> once the vote passed.
> Please take a look at the artifacts and vote!
>
> Please note:
> This vote is a "majority approval" with a minimum of three +1 votes (see
> [4]).
>
> ------------------------------------------------
> [ ] +1 for community members who have reviewed the bits
> [ ] +0
> [ ] -1 for fatal flaws that should cause these bits not to be released, and
> why ...
> ------------------------------------------------
>
> Thanks,
> Anatole Tresch
>
> [1]
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/
>
> [2]
> https://repository.apache.org/content/repositories/orgapachetamaya-1037
> [3]
>
> https://gitbox.apache.org/repos/asf?p=incubator-tamaya.git;a=commit;h=d2d60786e3e72a2bb16e14e1b195f7b2487a33eb
> [4] http://www.apache.org/foundation/voting.html#ReleaseVotes
>
>
>
> --
> *Anatole Tresch*
> PPMC Member Apache Tamaya
> JCP Star Spec Lead
> *Switzerland, Europe Zurich, GMT+1*
> *maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
> *Twitter: @atsticks, @tamayaconf*
>