Posted to dev@logging.apache.org by Matt Sicker <bo...@gmail.com> on 2020/08/02 19:31:12 UTC

Re: [VOTE] Release Log4Net 2.0.9

So far it looks good (though I'm not a .net developer, so I can't
speak from that side). There's one more thing we need from this to
make it a proper release. You'll need to add a GPG signature for the
artifacts as well. We'll need to import your signing key to
https://downloads.apache.org/logging/KEYS for users to verify the
release is genuine. Please email me a copy of your public key for that
so I can sign and add it to our KEYS file. This key should be an RSA
4096-bit GPG key, and it should also be uploaded to a public keyserver
like https://sks-keyservers.net/

For signing the files, add a detached ascii signature file (.asc) for
the distributable files. As a bonus, you can also sign the git tag you
created with the same key, but that's not required.

On Fri, 31 Jul 2020 at 01:28, Davyd McColl <da...@gmail.com> wrote:
>
> Apologies if there's any confusion around sender address -- I've already fluffed this by sending from my work account (default in my mail client)
>
> -d
>
> On 2020/07/31 08:26:54, Davyd McColl <da...@codeo.co.za> wrote:
> Hi all, I've never done this before, so bear with me if I fluff it:
>
> This is a proposed vote to release log4net 2.0.9 from PR https://github.com/apache/logging-log4net/pull/61
>
> Release artifacts (including source zip) are at: https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts
> Source can be checked out from https://github.com/fluffynuts/logging-log4net/logging-log4net, tag rel/2.0.9. I can't push tags to the upstream, but this tag is exactly the same commit as the last in the PR mentioned above, which was accepted into master a few days ago.
>
> Please check out the artifacts & if everyone is ok with what's there, please can someone with the rights to publish to nuget do so.
>
> Once I've seen how this process works, I'd like to tackle the CVE that has been brought up on this list more than once -- it's a simple change which was already committed to the develop branch some time ago, so there are a couple of options here:
> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only that change
> 2. trawl the develop branch to see what else was already solved in there, and get that out as 2.0.10, and perhaps close out that branch to avoid future confusion.
>
> Thanks for your time
> -d



-- 
Matt Sicker <bo...@gmail.com>
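
The signing and verification steps described in the message above, as an added example that is not part of the original thread or the project's release tooling. It assumes GnuPG 2.1 or later; the key identity, file names and temporary keyrings are constructed for the demo, and the keyserver upload and git tag signing are left out because they need network and repository access.

```shell
#!/usr/bin/env bash
# Added example: throwaway key and constructed artifact, not the project's real ones.
set -eu
WORK="$(mktemp -d)"
RM_HOME="$WORK/rm"      # release manager's keyring (hypothetical)
USER_HOME="$WORK/user"  # downstream user's keyring (hypothetical)
mkdir -m 700 "$RM_HOME" "$USER_HOME"
ARTIFACT="$WORK/example-artifact.zip"  # constructed stand-in for a distributable

make_key() {  # RSA 4096-bit signing key; empty passphrase only because this is a demo
  gpg --homedir "$RM_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example RM <rm@example.invalid>' rsa4096 sign never
}

export_keys() {  # ASCII-armored public key, the form a KEYS file carries
  gpg --homedir "$RM_HOME" --batch --armor --export > "$WORK/KEYS"
}

sign_artifact() {  # detached ASCII signature written beside the file as <file>.asc
  gpg --homedir "$RM_HOME" --batch --yes --armor --detach-sign --output "$1.asc" "$1"
}

import_keys() {  # user side: load the published KEYS file into a separate keyring
  gpg --homedir "$USER_HOME" --batch --quiet --import "$WORK/KEYS"
}

verify_artifact() {  # status 0 only for a good signature made by an imported key
  gpg --homedir "$USER_HOME" --batch --verify "$1.asc" "$1" 2>/dev/null
}

cleanup() {
  gpgconf --homedir "$RM_HOME" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}

demo() {
  printf 'constructed release payload\n' > "$ARTIFACT"
  make_key; export_keys; sign_artifact "$ARTIFACT"
  verify_artifact "$ARTIFACT" || echo "before import: rejected (signer unknown)"
  import_keys
  verify_artifact "$ARTIFACT" && echo "after import: good signature"
  printf 'x' >> "$ARTIFACT"  # simulate tampering after signing
  verify_artifact "$ARTIFACT" || echo "after tampering: rejected"
  cleanup
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to execute the walk-through; a real signing key would be protected by a passphrase.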

Re: [VOTE] Release Log4Net 2.0.9

Posted by Matt Sicker <bo...@gmail.com>.
Here's some info for you:

https://infra.apache.org/release-signing.html

And some general info about release publishing:

https://infra.apache.org/release-publishing.html

On Sun, 2 Aug 2020 at 14:47, Davyd McColl <da...@gmail.com> wrote:
>
> Having never signed release artifacts before, I'm likely to Do It Wrong. Is
> there any Signing For Dummies you could recommend to get going on the right
> foot?
>
> -d
>
>
> On August 2, 2020 21:31:43 Matt Sicker <bo...@gmail.com> wrote:
>
> > So far it looks good (though I'm not a .net developer, so I can't
> > speak from that side). There's one more thing we need from this to
> > make it a proper release. You'll need to add a GPG signature for the
> > artifacts as well. We'll need to import your signing key to
> > https://downloads.apache.org/logging/KEYS for users to verify the
> > release is genuine. Please email me a copy of your public key for that
> > so I can sign and add it to our KEYS file. This key should be an RSA
> > 4096-bit GPG key, and it should also be uploaded to a public keyserver
> > like https://sks-keyservers.net/
> >
> > For signing the files, add a detached ascii signature file (.asc) for
> > the distributable files. As a bonus, you can also sign the git tag you
> > created with the same key, but that's not required.
> >
> > On Fri, 31 Jul 2020 at 01:28, Davyd McColl <da...@gmail.com> wrote:
> >>
> >> Apologies if there's any confusion around sender address -- I've already
> >> fluffed this by sending from my work account (default in my mail client)
> >>
> >> -d
> >>
> >> On 2020/07/31 08:26:54, Davyd McColl <da...@codeo.co.za> wrote:
> >> Hi all, I've never done this before, so bear with me if I fluff it:
> >>
> >> This is a proposed vote to release log4net 2.0.9 from PR
> >> https://github.com/apache/logging-log4net/pull/61
> >>
> >> Release artifacts (including source zip) are at:
> >> https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts
> >> Source can be checked out from
> >> https://github.com/fluffynuts/logging-log4net/logging-log4net, tag
> >> rel/2.0.9. I can't push tags to the upstream, but this tag is exactly the
> >> same commit as the last in the PR mentioned above, which was accepted into
> >> master a few days ago.
> >>
> >> Please check out the artifacts & if everyone is ok with what's there,
> >> please can someone with the rights to publish to nuget do so.
> >>
> >> Once I've seen how this process works, I'd like to tackle the CVE that has
> >> been brought up on this list more than once -- it's a simple change which
> >> was already committed to the develop branch some time ago, so there are a
> >> couple of options here:
> >> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only that change
> >> 2. trawl the develop branch to see what else was already solved in there,
> >> and get that out as 2.0.10, and perhaps close out that branch to avoid
> >> future confusion.
> >>
> >> Thanks for your time
> >> -d
> >
> >
> >
> > --
> > Matt Sicker <bo...@gmail.com>



-- 
Matt Sicker <bo...@gmail.com>

Re: [VOTE] Release Log4Net 2.0.9

Posted by Davyd McColl <da...@gmail.com>.
Having never signed release artifacts before, I'm likely to Do It Wrong. Is 
there any Signing For Dummies you could recommend to get going on the right 
foot?

-d


On August 2, 2020 21:31:43 Matt Sicker <bo...@gmail.com> wrote:

> So far it looks good (though I'm not a .net developer, so I can't
> speak from that side). There's one more thing we need from this to
> make it a proper release. You'll need to add a GPG signature for the
> artifacts as well. We'll need to import your signing key to
> https://downloads.apache.org/logging/KEYS for users to verify the
> release is genuine. Please email me a copy of your public key for that
> so I can sign and add it to our KEYS file. This key should be an RSA
> 4096-bit GPG key, and it should also be uploaded to a public keyserver
> like https://sks-keyservers.net/
>
> For signing the files, add a detached ascii signature file (.asc) for
> the distributable files. As a bonus, you can also sign the git tag you
> created with the same key, but that's not required.
>
> On Fri, 31 Jul 2020 at 01:28, Davyd McColl <da...@gmail.com> wrote:
>>
>> Apologies if there's any confusion around sender address -- I've already 
>> fluffed this by sending from my work account (default in my mail client)
>>
>> -d
>>
>> On 2020/07/31 08:26:54, Davyd McColl <da...@codeo.co.za> wrote:
>> Hi all, I've never done this before, so bear with me if I fluff it:
>>
>> This is a proposed vote to release log4net 2.0.9 from PR 
>> https://github.com/apache/logging-log4net/pull/61
>>
>> Release artifacts (including source zip) are at: 
>> https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts
>> Source can be checked out from 
>> https://github.com/fluffynuts/logging-log4net/logging-log4net, tag 
>> rel/2.0.9. I can't push tags to the upstream, but this tag is exactly the 
>> same commit as the last in the PR mentioned above, which was accepted into 
>> master a few days ago.
>>
>> Please check out the artifacts & if everyone is ok with what's there, 
>> please can someone with the rights to publish to nuget do so.
>>
>> Once I've seen how this process works, I'd like to tackle the CVE that has 
>> been brought up on this list more than once -- it's a simple change which 
>> was already committed to the develop branch some time ago, so there are a 
>> couple of options here:
>> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only that change
>> 2. trawl the develop branch to see what else was already solved in there, 
>> and get that out as 2.0.10, and perhaps close out that branch to avoid 
>> future confusion.
>>
>> Thanks for your time
>> -d
>
>
>
> -- 
> Matt Sicker <bo...@gmail.com>

Re: [VOTE] Release Log4Net 2.0.9

Posted by Ralph Goers <ra...@dslextreme.com>.
I am going to vote +1 (binding) on this release. Although it does need to be signed I am comfortable with either Matt or myself signing it before it is uploaded as Davyd’s signing key isn’t going to be signed by anyone if he has never had a key before. One of us is going to have to publish this for him anyway.

Ralph

> On Aug 2, 2020, at 12:31 PM, Matt Sicker <bo...@gmail.com> wrote:
> 
> So far it looks good (though I'm not a .net developer, so I can't
> speak from that side). There's one more thing we need from this to
> make it a proper release. You'll need to add a GPG signature for the
> artifacts as well. We'll need to import your signing key to
> https://downloads.apache.org/logging/KEYS for users to verify the
> release is genuine. Please email me a copy of your public key for that
> so I can sign and add it to our KEYS file. This key should be an RSA
> 4096-bit GPG key, and it should also be uploaded to a public keyserver
> like https://sks-keyservers.net/
> 
> For signing the files, add a detached ascii signature file (.asc) for
> the distributable files. As a bonus, you can also sign the git tag you
> created with the same key, but that's not required.
> 
> On Fri, 31 Jul 2020 at 01:28, Davyd McColl <da...@gmail.com> wrote:
>> 
>> Apologies if there's any confusion around sender address -- I've already fluffed this by sending from my work account (default in my mail client)
>> 
>> -d
>> 
>> On 2020/07/31 08:26:54, Davyd McColl <da...@codeo.co.za> wrote:
>> Hi all, I've never done this before, so bear with me if I fluff it:
>> 
>> This is a proposed vote to release log4net 2.0.9 from PR https://github.com/apache/logging-log4net/pull/61
>> 
>> Release artifacts (including source zip) are at: https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts
>> Source can be checked out from https://github.com/fluffynuts/logging-log4net/logging-log4net, tag rel/2.0.9. I can't push tags to the upstream, but this tag is exactly the same commit as the last in the PR mentioned above, which was accepted into master a few days ago.
>> 
>> Please check out the artifacts & if everyone is ok with what's there, please can someone with the rights to publish to nuget do so.
>> 
>> Once I've seen how this process works, I'd like to tackle the CVE that has been brought up on this list more than once -- it's a simple change which was already committed to the develop branch some time ago, so there are a couple of options here:
>> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only that change
>> 2. trawl the develop branch to see what else was already solved in there, and get that out as 2.0.10, and perhaps close out that branch to avoid future confusion.
>> 
>> Thanks for your time
>> -d
> 
> 
> 
> -- 
> Matt Sicker <bo...@gmail.com>
>