Posted to general@incubator.apache.org by Thilo Goetz <tw...@gmx.de> on 2007/01/25 17:19:18 UTC

Write-up on release signing/verification

Hi,

I have recently started to familiarize myself with release signing for 
the upcoming UIMA release.  I have documented my experiences on our web 
site, for developers here:

http://incubator.apache.org/uima/distribution.html (section "Signing a 
distribution")

and for users here:

http://incubator.apache.org/uima/downloads.html#VerifyDownload

I would really appreciate it if someone more knowledgeable than myself 
could give this a quick read and point out any glaring mistakes.  It's 
really short ;-)

While I found good information on release signing on various Apache 
pages, I did not find corresponding information for users on what to do 
with the signature files.  If anybody knows of such information, could 
you let me know so I can link to it from our pages.  If there isn't, 
maybe what I wrote (after clean-up ;-) could be used as basis for a more 
general FAQ.

Note that I don't have anything on cross-signing of keys and web of 
trust yet, I hope to add something on that at a later date.

--Thilo

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: Write-up on release signing/verification

Posted by David Crossley <cr...@apache.org>.
Thilo Goetz wrote:
> 
> While I found good information on release signing on various Apache 
> pages, I did not find corresponding information for users on what to do 
> with the signature files.  If anybody knows of such information, could 
> you let me know so I can link to it from our pages.  If there isn't, 
> maybe what I wrote (after clean-up ;-) could be used as basis for a more 
> general FAQ.

Look at the "Download" pages of existing top-level projects
for examples. They usually specify to users what to do with
both the sigs and sums, and stress the importance of the
verification step.

-David
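The user-side step Thilo asks about and David points to (what to do with the .asc and .md5/.sha1 files sitting next to a download), as an added example that is not code from this thread or from any Apache project. It assumes gpg is installed and that the KEYS file was fetched from the project's own site over HTTPS; the artifact names and payload in selftest() are constructed.

```python
"""Verify an Apache-style release download: the checksum file (.md5/.sha1)
and the detached OpenPGP signature (.asc), checked against the project's
KEYS file rather than whatever happens to be in the local keyring."""
import hashlib
import os
import re
import subprocess
import tempfile

# Checksum files on Apache mirrors come in several shapes: a bare hex digest,
# "digest  filename" / "digest *filename" as md5sum/sha1sum write them, or
# "MD5 (filename) = digest" from openssl.  Only the hex run is trusted; the
# file name inside the checksum file is ignored.
_DIGEST_RE = re.compile(r"\b([0-9a-fA-F]{32,128})\b")
ALGORITHMS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}

def parse_checksum_file(path):
    """Return the lower-case hex digest stored in a checksum file, or None."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        match = _DIGEST_RE.search(fh.read())
    return match.group(1).lower() if match else None

def file_digest(path, algorithm):
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_checksum(artifact, sumfile):
    """True iff the digest recorded in sumfile matches the artifact; the
    algorithm is taken from the checksum file's extension (foo.tar.gz.sha1)."""
    ext = os.path.splitext(sumfile)[1].lower()
    if ext not in ALGORITHMS:
        raise ValueError("not a checksum file: %s" % sumfile)
    expected = parse_checksum_file(sumfile)
    return expected is not None and expected == file_digest(artifact, ALGORITHMS[ext])

def verify_signature(artifact, sigfile, keys_file):
    """Verify the detached .asc with gpg, importing only the keys from KEYS
    into a throw-away home directory.  True only when gpg reports GOODSIG.
    A good signature says nothing about who owns the key: KEYS must itself
    come from the project's own site, never from a mirror."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", keys_file], check=True, capture_output=True)
        result = subprocess.run(gpg + ["--status-fd", "1", "--verify", sigfile, artifact],
                                capture_output=True, text=True)
    return result.returncode == 0 and "[GNUPG:] GOODSIG " in result.stdout

def selftest():
    """Constructed sample data, not a real release: one artifact, a .sha1 in
    'digest  name' form, a bare-digest .md5, and a tampered copy.
    Returns (sha1_ok, md5_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "example-1.0.tar.gz")
        with open(artifact, "wb") as fh:
            fh.write(b"constructed release payload\n")
        with open(artifact + ".sha1", "w") as fh:
            fh.write("%s  example-1.0.tar.gz\n" % file_digest(artifact, "sha1"))
        with open(artifact + ".md5", "w") as fh:
            fh.write(file_digest(artifact, "md5"))
        tampered = os.path.join(tmp, "tampered.tar.gz")
        with open(tampered, "wb") as fh:
            fh.write(b"constructed release payload!\n")
        return (verify_checksum(artifact, artifact + ".sha1"),
                verify_checksum(artifact, artifact + ".md5"),
                verify_checksum(tampered, artifact + ".sha1"))
```

Checking the .md5 of an .asc file (the .jar.asc.md5 case discussed later in the thread) adds nothing: the checksum and the signature it covers are served from the same place, so only the signature, verified against KEYS, ties the download to the release manager.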



Re: Write-up on release signing/verification

Posted by Thilo Goetz <tw...@gmx.de>.
Thanks for the feedback.  I have created INFRA-1133 
(http://issues.apache.org/jira/browse/INFRA-1133) and attached a patch. 
Just a conservative extension, nothing revolutionary.  Let me know 
what you think.

--Thilo




Re: Write-up on release signing/verification

Posted by robert burrell donkin <ro...@gmail.com>.
On 1/25/07, Yoav Shapira <yo...@apache.org> wrote:
> Hola,
>
> On 1/25/07, Thilo Goetz <tw...@gmx.de> wrote:
> > so what do you propose?  The "signing releases" page does have all the
> > info, but it's not very newbie friendly.
>
> I propose that instead of rewriting a new set of docs from scratch,
> you (or whoever is interested) submit patches against the current
> http://www.apache.org/dev/release-signing.html and other related
> documents, that make the page conform with your vision of what's best,
> or newbie-friendly, or whatever criteria you wish to use.  Just like
> any feature enhancement on any software product.  It doesn't matter to
> me whether it's FAQ style or normative style or whatever, just that
> this info is in one central place, not duplicated all over the place.
> In other words, the DRY principle
> (http://www.artima.com/intv/dry.html).

+1

- robert



Re: Write-up on release signing/verification

Posted by Yoav Shapira <yo...@apache.org>.
Hola,

On 1/25/07, Thilo Goetz <tw...@gmx.de> wrote:
> so what do you propose?  The "signing releases" page does have all the
> info, but it's not very newbie friendly.

I propose that instead of rewriting a new set of docs from scratch,
you (or whoever is interested) submit patches against the current
http://www.apache.org/dev/release-signing.html and other related
documents, that make the page conform with your vision of what's best,
or newbie-friendly, or whatever criteria you wish to use.  Just like
any feature enhancement on any software product.  It doesn't matter to
me whether it's FAQ style or normative style or whatever, just that
this info is in one central place, not duplicated all over the place.
In other words, the DRY principle
(http://www.artima.com/intv/dry.html).

Yoav



Re: Write-up on release signing/verification

Posted by Leo Simons <ma...@leosimons.com>.
On Jan 25, 2007, at 8:07 PM, robert burrell donkin wrote:
> On 1/25/07, Thilo Goetz <tw...@gmx.de> wrote:
>> so what do you propose?
> please go ahead and create a patch :-)

yay! We always need more (capable!) people to maintain these docs :)

The apache website is maintained in xdoc form using anakia (much like  
the incubator site), at

    http://svn.apache.org/repos/asf/infrastructure/site/trunk

patches should go into jira. See

    http://www.apache.org/dev/infra-site.html

for more details.

cheers!

/LSD




Re: Write-up on release signing/verification

Posted by robert burrell donkin <ro...@gmail.com>.
On 1/25/07, Thilo Goetz <tw...@gmx.de> wrote:
> Yoav Shapira wrote:
> > Hola,
> > That's cool, and very considerate of you to take the time to document
> > your process.  Thank you.
> >
> > However, I'm not sure that we need to duplicate what's already
> > documented and followed by most ASF projects:
> > http://www.apache.org/dev/#releases and its links.  Instead, we should
> > work to update, amend, and extend that set of documents as applicable.
> >
> > Yoav
>
> Hi Yoav,
>
> so what do you propose?  The "signing releases" page does have all the
> info, but it's not very newbie friendly.  The FAQ style is appropriate
> if you already know your stuff in principle, but want to look up
> something specific.  I was trying to give a bit more of a sequential
> presentation.

the problem i've always had with coming up with a sequential
presentation is that i think that reading all the FAQs is the minimum
learning required to create signatures safely. i tried to structure
them as a non-linear tutorial (though i probably didn't succeed). i'm
not sure it's wise to give a recipe for release managers to follow
when they really need to spend some time reading.

but many people think i've gone too far so please submit a patch

> The other question I had was about the user side of things.  Is there a
> place where this has been described already?  I'd be more than happy to
> just link to existing content, or help create content that describes the
> user side of things in a general way.

please go ahead and create a patch :-)

i worry about making inaccurate statements or misleading
simplifications. the mechanical stuff is easy, the interpretation less
so. for most users, signatures are no better than checksums but
checksums are easier to understand. those users with a good
understanding of cryptography wouldn't need any help.

but again, i may well be over cautious

- robert



Re: Write-up on release signing/verification

Posted by Thilo Goetz <tw...@gmx.de>.
Yoav Shapira wrote:
> Hola,
> That's cool, and very considerate of you to take the time to document
> your process.  Thank you.
> 
> However, I'm not sure that we need to duplicate what's already
> documented and followed by most ASF projects:
> http://www.apache.org/dev/#releases and its links.  Instead, we should
> work to update, amend, and extend that set of documents as applicable.
> 
> Yoav

Hi Yoav,

so what do you propose?  The "signing releases" page does have all the 
info, but it's not very newbie friendly.  The FAQ style is appropriate 
if you already know your stuff in principle, but want to look up 
something specific.  I was trying to give a bit more of a sequential 
presentation.  If there is a general place where this content should go, 
I'd be happy to help with that.

The other question I had was about the user side of things.  Is there a 
place where this has been described already?  I'd be more than happy to 
just link to existing content, or help create content that describes the 
user side of things in a general way.

--Thilo




Re: Write-up on release signing/verification

Posted by Yoav Shapira <yo...@apache.org>.
Hola,
That's cool, and very considerate of you to take the time to document
your process.  Thank you.

However, I'm not sure that we need to duplicate what's already
documented and followed by most ASF projects:
http://www.apache.org/dev/#releases and its links.  Instead, we should
work to update, amend, and extend that set of documents as applicable.

Yoav




Re: Write-up on release signing/verification

Posted by Rahul Akolkar <ra...@gmail.com>.
On 1/25/07, Thilo Goetz <tw...@gmx.de> wrote:
> Matthias Wessendorf wrote:
> > here it goes
> >
> > http://people.apache.org/repo/m2-incubating-repository/org/apache/myfaces/trinidadbuild/maven-faces-plugin/incubator-m1-SNAPSHOT/
> >
>
> Hi Matthias,
>
> you certainly have an abundance of signature files there.
> maven-faces-plugin-incubator-m1-SNAPSHOT.jar.asc.asc.md5 seems a little
> excessive, surely?  Or what am I missing here...
>
<snip/>

The gpg plugin does its deed by adding the sig to the list of
artifacts associated with the (maven) module so it can piggyback on
deploys etc., and m2 knows to sum all artifacts it deploys.

So while summing sigs or signing sums is more of a disservice, in this
case, that's the price of automation.

-Rahul





Re: Write-up on release signing/verification

Posted by Matthias Wessendorf <ma...@apache.org>.
hello,

I was wondering too, but it finally does something for

maven-faces-plugin-incubator-m1-SNAPSHOT.jar.asc.md5

that's all I want for now.
Perhaps I can exclude some of them in future

;)



On 1/25/07, Thilo Goetz <tw...@gmx.de> wrote:
> Matthias Wessendorf wrote:
> > here it goes
> >
> > http://people.apache.org/repo/m2-incubating-repository/org/apache/myfaces/trinidadbuild/maven-faces-plugin/incubator-m1-SNAPSHOT/
> >
>
> Hi Matthias,
>
> you certainly have an abundance of signature files there.
> maven-faces-plugin-incubator-m1-SNAPSHOT.jar.asc.asc.md5 seems a little
> excessive, surely?  Or what am I missing here...
>
> --Thilo


-- 
Matthias Wessendorf
http://tinyurl.com/fmywh

further stuff:
blog: http://jroller.com/page/mwessendorf
mail: mwessendorf-at-gmail-dot-com



Re: Write-up on release signing/verification

Posted by Thilo Goetz <tw...@gmx.de>.
Matthias Wessendorf wrote:
> here it goes
> 
> http://people.apache.org/repo/m2-incubating-repository/org/apache/myfaces/trinidadbuild/maven-faces-plugin/incubator-m1-SNAPSHOT/ 
> 

Hi Matthias,

you certainly have an abundance of signature files there.
maven-faces-plugin-incubator-m1-SNAPSHOT.jar.asc.asc.md5 seems a little 
excessive, surely?  Or what am I missing here...

--Thilo





Re: Write-up on release signing/verification

Posted by Matthias Wessendorf <ma...@apache.org>.
here it goes

http://people.apache.org/repo/m2-incubating-repository/org/apache/myfaces/trinidadbuild/maven-faces-plugin/incubator-m1-SNAPSHOT/


-M

On 1/25/07, Thilo Goetz <tw...@gmx.de> wrote:
> Matthias Wessendorf wrote:
> > Hi Thilo,
> >
> > I was also getting into the signing, and since we (the Trinidad
> > podling) use Maven2, I found this useful as well
> >
> > http://maven.apache.org/plugins/maven-gpg-plugin/
> >
> > -M
>
> Thanks, I'll check that out.  The documentation is a bit on the short
> side.  Does it generate MD5 and SHA1 checksums as well?
>
> Thanks,
> Thilo





Re: Write-up on release signing/verification

Posted by Thilo Goetz <tw...@gmx.de>.
Matthias Wessendorf wrote:
> Hi Thilo,
> 
> I was also getting into the signing, and since we (the Trinidad
> podling) use Maven2, I found this useful as well
> 
> http://maven.apache.org/plugins/maven-gpg-plugin/
> 
> -M

Thanks, I'll check that out.  The documentation is a bit on the short 
side.  Does it generate MD5 and SHA1 checksums as well?

Thanks,
Thilo



Re: Write-up on release signing/verification

Posted by Matthias Wessendorf <ma...@apache.org>.
Hi Thilo,

I was also getting into the signing, and since we (the Trinidad
podling) use Maven2, I found this useful as well

http://maven.apache.org/plugins/maven-gpg-plugin/

-M






Re: Write-up on release signing/verification

Posted by robert burrell donkin <ro...@gmail.com>.
On 1/30/07, Ted Husted <hu...@apache.org> wrote:
> If it's helpful, the notes we are using for the Struts 2 release under
> Maven are here:
>
> * http://struts.apache.org/2.x/docs/creating-and-signing-a-distribution.html
>
> They are very specific, mainly because I'm getting on in years, and if
> we don't have specific notes, I forget how to do things :)

cool :-)

the problem with creating specific notes for the apache site is that
they may contain stuff that some consider bad practice. for example, i
have major issues with the standard maven advice (which is to give the
passphrase in on the command line) and would consider -1 any attempt
to add that to the apache site. you *really* shouldn't be doing that
with any primary apache code signing key.

if you're going to use maven, i'd recommend dual signing: once with a
limited subkey and then adding a second secure key using the primary
code signing key store on removable media and signed from a live CD.

- robert



Re: Write-up on release signing/verification

Posted by Ted Husted <hu...@apache.org>.
If it's helpful, the notes we are using for the Struts 2 release under
Maven are here:

* http://struts.apache.org/2.x/docs/creating-and-signing-a-distribution.html

They are very specific, mainly because I'm getting on in years, and if
we don't have specific notes, I forget how to do things :)

-Ted.

