Yes, sounds like the wrong download is being pointed to. Gj
On Sunday, March 11, 2018, John McDonnell <[email protected]> wrote: > So the website should be updated and the netcat program notified to use the > correct download. > > I can send out the netcat notification in an hour or so(travelling at the > moment) if needed but I don't have the website checked out yet to update > that. > > John > > On 11 Mar 2018 19:52, "Jan Lahoda" <[email protected]> wrote: > > > On Sun, Mar 11, 2018 at 8:20 PM, Emilian Bold < > [email protected]> > > wrote: > > > > > I can't find a document explaining what dist.apache.org is. > > > > > > > My understanding is that there is a staging area there ("dev") and a > > release area ("release"). I guess we shouldn't be pointing at the staging > > area except for release votes (and, actually, my understanding is that we > > should remove the stuff from the staging area when the vote ends one way > or > > another, although we didn't do that yet for this release). One important > > thing is that: > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > > incubating-netbeans-java/incubating-9.0-beta/ > incubating-netbeans-java-9.0- > > beta-bin.zip.md5 > > > > Is effectively 9.0 beta RC1, which didn't get released. The 9.0 beta > > release is RC3: > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > > incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > > So the RC1 is different from the released package. Anyway, unless someone > > else does it, I'll remove the bits from the staging area sometime soon. > > > > Jan > > > > > > > > > > It seems to be the "staging area" for the binaries. > > > > > > My guess is that somebody fumbled a command from this huge list of > steps > > > https://cwiki.apache.org/confluence/display/NETBEANS/ > > > Apache+NetBeans+Release+README > > > > > > I don't believe we need to involve the security team until we dismiss a > > > typo. > > > > > > --emi > > > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > > > > > > On 8 March 2018 11:57 PM, Antonio <[email protected]> wrote: > > > > > > > Hi all, > > > > > > > > José Rodriguez from the users mailing list notes that the > > > > > > > > "incubating-netbeans-java-9.0-beta-bin.zip" files from \[1\] > > > > > > > > (dist.apache.org) and \[2\] (http://www-eu.apache.org) have > different > > > MD5 > > > > > > > > signatures. > > > > > > > > A quick review shows that the files are indeed different: > > > > > > > > "dist" zip file (\[1\]):: > > > > > > > > - File timestamps 2018 jan 10 > > > > - No "licenses" directory > > > > - LICENSE file is 57kb > > > > > > > > "eu zip" file (\[2\]) also downloaded from the Apache mirror > > system:: > > > > > > > > - File timestamps 2018 feb 02 > > > > - "licenses" directory > > > > - LICENSE file is 245,1 kb > > > > > > > > I think the one being distributed through the mirror system is > the > > > > > > > > proper one, isn't it? Also I thought that the file hosted at > "dist" > > > was > > > > > > > > automatically distributed to mirrors, wasn't it? > > > > > > > > I don't think we should raise a ticket against Apache security, > > > should we? > > > > > > > > Cheers, > > > > > > > > Antonio > > > > > > > > \[1\] > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta/ > > incubating-netbeans-java-9.0- > > > beta-bin.zip > > > > > > > > \[2\] > > > > > > > > http://www-eu.apache.org/dist/incubator/netbeans/incubating- > > > netbeans-java/incubating-9.0-beta/incubating-netbeans-java- > > > 9.0-beta-bin.zip > > > > > > > > On 08/03/18 20:21, John McDonnell wrote: > > > > > > > > > > > > > Apologies for the spam, cross posting to dev. > > > > > > > > > > @Antonio, do you know if the link on the website for NetBeans 9.0 > > Beta > > > > > > > > > > is correct? Looking at this thread, the signature doesn't match > the > > > > > > > > > > RC3.0 thread we voted on. If we have a small typo we should try to > > > > > > > > > > catch this early in the NetCat phase. > > > > > > > > > > Regards > > > > > > > > > > John > > > > > > > > > > On 8 March 2018 at 07:47, John McDonnell <[email protected] > > > > > > > > > > mailto:[email protected]\> wrote: > > > > > > > > > > Hi Leo, > > > > > > > > > > I didn't import the keys, as I had previously done this step... > > > > > > > > > > But > > > > > > > > > > I'm looking at a different file then you: > > > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta/ > > incubating-netbeans-java-9.0- > > > beta-bin.zip(you) > > > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip(me) > > > > > > > > > > @Geertjan, the vote thread you referenced earlier, we voted on > > the > > > > > link I used - and got a good signature, so I think that's okay. > > > But > > > > > the website points to a different URL (The one Leo checked). I > > > > > suspect that the website is using the wrong URL, but before I > > jump > > > > > to that conclusion, just curious after the successful vote > would > > > you > > > > > have moved theartefact to the location on the website? > > > > > > > > > > Regards > > > > > > > > > > John > > > > > > > > > > > > > > > On 8 March 2018 at 01:50, Leo Donahue <[email protected] > > > > > <mailto:[email protected]>> wrote: > > > > > > > > > > Hi John, > > > > > > > > > > I noticed that you didn't issue: gpg --import KEYS > > > > > > > > > > I tried again, using wget to download the binary zip file, > > same > > > > > result. I have also tried different mirrors. I guess I > will > > > > > just build from source, I was just being lazy. > > > > > > > > > > (The --list-keys command illustrates I don't already have > the > > > > > KEYS file imported) > > > > > > > > > > leo@vmw01:~$ *gpg --list-keys* > > > > > leo@vmw01:~$ *wget > > > > > https://dist.apache.org/repos/dist/release/incubator/ > > > netbeans/KEYS > > > > > <https://dist.apache.org/repos/dist/release/incubator/ > > > netbeans/KEYS>* > > > > > --2018-03-07 18:40:53-- > > > > > https://dist.apache.org/repos/dist/release/incubator/ > > > netbeans/KEYS > > > > > <https://dist.apache.org/repos/dist/release/incubator/ > > > netbeans/KEYS> > > > > > Resolving dist.apache.org <http://dist.apache.org> > > > > > (dist.apache.org <http://dist.apache.org>)... > 209.188.14.144 > > > > > Connecting to dist.apache.org <http://dist.apache.org> > > > > > (dist.apache.org > > > > > <http://dist.apache.org>)|209.188.14.144|:443... > connected. > > > > > HTTP request sent, awaiting response... 200 OK > > > > > Length: 7594 (7.4K) [text/plain] > > > > > Saving to: ‘KEYS’ > > > > > > > > > > KEYS > > > > > 100%[========================= > ============================== > > > ================>] > > > > > 7.42K --.-KB/s in 0s > > > > > > > > > > 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594] > > > > > > > > > > leo@vmw01:~$ *wget > > > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta/ > > incubating-netbeans-java-9.0- > > > beta-bin.zip.asc > > > > > <https://dist.apache.org/repos/dist/dev/incubator/ > > > netbeans/incubating-netbeans-java/incubating-9.0-beta/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc>* > > > > > --2018-03-07 18:41:11-- > > > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta/ > > incubating-netbeans-java-9.0- > > > beta-bin.zip.asc > > > > > <https://dist.apache.org/repos/dist/dev/incubator/ > > > netbeans/incubating-netbeans-java/incubating-9.0-beta/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc> > > > > > Resolving dist.apache.org <http://dist.apache.org> > > > > > (dist.apache.org <http://dist.apache.org>)... > 209.188.14.144 > > > > > Connecting to dist.apache.org <http://dist.apache.org> > > > > > (dist.apache.org > > > > > <http://dist.apache.org>)|209.188.14.144|:443... > connected. > > > > > HTTP request sent, awaiting response... 200 OK > > > > > Length: 819 [text/plain] > > > > > Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ > > > > > > > > > > incubating-netbeans-java-9.0-beta-bin > > > > > 100%[========================= > ============================== > > > ================>] > > > > > 819 --.-KB/s in 0s > > > > > > > > > > 2018-03-07 18:41:11 (16.4 MB/s) - > > > > > ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ saved > > > [819/819] > > > > > > > > > > leo@vmw01:~$ *wget > > > > > http://apache.cs.utah.edu/incubator/netbeans/incubating- > > > netbeans-java/incubating-9.0-beta/incubating-netbeans-java- > > > 9.0-beta-bin.zip > > > > > <http://apache.cs.utah.edu/incubator/netbeans/incubating- > > > netbeans-java/incubating-9.0-beta/incubating-netbeans-java- > > > 9.0-beta-bin.zip>* > > > > > --2018-03-07 18:41:41-- > > > > > http://apache.cs.utah.edu/incubator/netbeans/incubating- > > > netbeans-java/incubating-9.0-beta/incubating-netbeans-java- > > > 9.0-beta-bin.zip > > > > > <http://apache.cs.utah.edu/incubator/netbeans/incubating- > > > netbeans-java/incubating-9.0-beta/incubating-netbeans-java- > > > 9.0-beta-bin.zip> > > > > > Resolving apache.cs.utah.edu <http://apache.cs.utah.edu> > > > > > (apache.cs.utah.edu <http://apache.cs.utah.edu>)... > > > 155.98.64.87 > > > > > Connecting to apache.cs.utah.edu < > http://apache.cs.utah.edu> > > > > > (apache.cs.utah.edu > > > > > <http://apache.cs.utah.edu>)|155.98.64.87|:80... > connected. > > > > > HTTP request sent, awaiting response... 200 OK > > > > > Length: 167193685 (159M) [application/zip] > > > > > Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’ > > > > > > > > > > incubating-netbeans-java-9.0-beta-bin > > > > > 100%[========================= > ============================== > > > ================>] > > > > > 159.45M 8.14MB/s in 31s > > > > > > > > > > 2018-03-07 18:42:12 (5.22 MB/s) - > > > > > ‘incubating-netbeans-java-9.0-beta-bin.zip’ saved > > > > > [167193685/167193685] > > > > > > > > > > leo@vmw01:~$ *gpg --import KEYS* > > > > > gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for > > > > > signing Apache NetBeans & co. releases.) < > [email protected] > > > > > <mailto:[email protected]>>" imported > > > > > gpg: key 13E9F7AE3A4FD551: public key "[email protected] > > > > > <mailto:[email protected]> (Key for signing Apache > > NetBeans > > > & > > > > > co. releases.) <[email protected] > > > > > <mailto:[email protected]>>" imported > > > > > gpg: Total number processed: 2 > > > > > gpg: imported: 2 > > > > > leo@vmw01:~$ *gpg --verify > > > > > incubating-netbeans-java-9.0-beta-bin.zip.asc > > > > > incubating-netbeans-java-9.0-beta-bin.zip* > > > > > gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST > > > > > gpg: using RSA key B4C1940FEA9364F1 > > > > > gpg: BAD signature from "Jan Lahoda (Key for signing Apache > > > > > NetBeans & co. releases.) <[email protected] > > > > > <mailto:[email protected]>>" [unknown] > > > > > leo@vmw01:~$ > > > > > > > > > > > > > > > On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell > > > > > <[email protected] <mailto:[email protected] > >> > > > wrote: > > > > > > > > > > I got something slightly different... > > > > > > > > > > I have a good signature when verifying the .asc file, > but > > > > > when I do an md5 or sha1 check on the zip file I get > > > > > different results as to whats currently on the website: > > > > > > > > > > Johns-MacBook-Pro-2:netbeans_sig_test john$ wget > > > > > https://dist.apache.org/repos/ > > dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip > > > > > <https://dist.apache.org/repos/dist/dev/incubator/ > > > netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip> > > > > > --2018-03-07 23:48:01-- > > > > > https://dist.apache.org/repos/ > > dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip > > > > > <https://dist.apache.org/repos/dist/dev/incubator/ > > > netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip> > > > > > Resolving dist.apache.org... 209.188.14.144 > > > > > Connecting to dist.apache.org > > > > > <http://dist.apache.org>|209.188.14.144|:443... > > connected. > > > > > HTTP request sent, awaiting response... 200 OK > > > > > Length: 167193685 (159M) [application/octet-stream] > > > > > Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip' > > > > > > > > > > incubating-netbeans-java-9.0-beta-bin.zip > > > > > 100%[========================= > > > ============================================================ > > > ===========================>] > > > > > 159.45M 2.61MB/s in 57s > > > > > > > > > > 2018-03-07 23:48:58 (2.80 MB/s) - > > > > > 'incubating-netbeans-java-9.0-beta-bin.zip' saved > > > > > [167193685/167193685] > > > > > > > > > > Johns-MacBook-Pro-2:netbeans_sig_test john$ wget > > > > > https://dist.apache.org/repos/ > > dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc > > > > > <https://dist.apache.org/repos/dist/dev/incubator/ > > > netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc> > > > > > --2018-03-07 23:49:49-- > > > > > https://dist.apache.org/repos/ > > dist/dev/incubator/netbeans/ > > > incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc > > > > > <https://dist.apache.org/repos/dist/dev/incubator/ > > > netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc> > > > > > Resolving dist.apache.org... 209.188.14.144 > > > > > Connecting to dist.apache.org > > > > > <http://dist.apache.org>|209.188.14.144|:443... > > connected. > > > > > HTTP request sent, awaiting response... 200 OK > > > > > Length: 833 [text/plain] > > > > > Saving to: 'incubating-netbeans-java-9.0- > > beta-bin.zip.asc' > > > > > > > > > > incubating-netbeans-java-9.0-beta-bin.zip.asc > > > > > 100%[========================= > > > ============================================================ > > > ===========================>] > > > > > 833 --.-KB/s in 0s > > > > > > > > > > 2018-03-07 23:49:49 (18.9 MB/s) - > > > > > 'incubating-netbeans-java-9.0-beta-bin.zip.asc' saved > > > [833/833] > > > > > > > > > > Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg > --verify > > > > > incubating-netbeans-java-9.0-beta-bin.zip.asc > > > > > incubating-netbeans-java-9.0-beta-bin.zip > > > > > gpg: Signature made Sun 4 Feb 13:57:10 2018 GMT > > > > > gpg: using RSA key > > > > > 51B0E375B4941714A809F90E13E9F7AE3A4FD551 > > > > > gpg: Good signature from "[email protected] > > > > > <mailto:[email protected]> (Key for signing Apache > > > > > NetBeans & co. releases.) <[email protected] > > > > > <mailto:[email protected]>>" [unknown] > > > > > gpg: WARNING: This key is not certified with a trusted > > > > > signature! > > > > > gpg: There is no indication that the signature > > > > > belongs to the owner. > > > > > Primary key fingerprint: 51B0 E375 B494 1714 A809 F90E > > > 13E9 > > > > > F7AE 3A4F D551 > > > > > > > > > > Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 > > > > > incubating-netbeans-java-9.0-beta-bin.zip > > > > > MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = > > > > > 05d71d0e2a9360b3402c6068425773db > > > > > Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum > > > > > incubating-netbeans-java-9.0-beta-bin.zip > > > > > 0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b > > > > > incubating-netbeans-java-9.0-beta-bin.zip > > > > > > > > > > Regards > > > > > > > > > > John > > > > > > > > > > On 7 March 2018 at 23:12, Geertjan Wielenga > > > > > <[email protected] > > > > > <mailto:[email protected]>> wrote: > > > > > > > > > > Would be good if someone would verify this -- when > I > > > > > look at the VOTE thread, the source signatures have > > > been > > > > > verified: > > > > > > > > > > https://lists.apache.org/thread.html/ > > > 859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@% > > > 3Cdev.netbeans.apache.org%3E > > > > > <https://lists.apache.org/thread.html/ > > > 859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@% > > > 3Cdev.netbeans.apache.org%3E> > > > > > > > > > > However, quite possibly the convenience binary > > > signature > > > > > has been checked -- since Apache releases source > code > > > > > and not binaries, which are optionally included for > > > > > convenience only. > > > > > > > > > > Gj > > > > > > > > > > On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue > > > > > <[email protected] <mailto:[email protected]>> > > > wrote: > > > > > > > > > > Hi, > > > > > > > > > > Is this the right list for this question? > > > > > > > > > > I'm trying to verify the PGP ASC and KEY file > > but I > > > > > get a bad signature message. > > > > > > > > > > I'm here: > > > > > https://netbeans.apache.org/ > > > download/nb90/nb90-beta.html > > > > > <https://netbeans.apache.org/ > > > download/nb90/nb90-beta.html> > > > > > > > > > > In Terminal: > > > > > wget > > > > > https://dist.apache.org/repos/ > > > dist/dev/incubator/netbeans/incubating-netbeans-java/ > > incubating-9.0-beta/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc > > > > > <https://dist.apache.org/ > > repos/dist/dev/incubator/ > > > netbeans/incubating-netbeans-java/incubating-9.0-beta/ > > > incubating-netbeans-java-9.0-beta-bin.zip.asc> > > > > > > > > > > wget > > > > > https://dist.apache.org/repos/ > > > dist/release/incubator/netbeans/KEYS > > > > > <https://dist.apache.org/ > > > repos/dist/release/incubator/netbeans/KEYS> > > > > > > > > > > pgp --import KEYS > > > > > > > > > > gpg --verify > > > > > incubating-netbeans-java-9.0-beta-bin.zip.asc > > > > > Downloads/incubating-netbeans- > > > java-9.0-beta-bin.zip > > > > > > > > > > > > > > > output: > > > > > > > > > > gpg: Signature made Wed 10 Jan 2018 03:41:31 PM > > MST > > > > > gpg: using RSA key > > B4C1940FEA9364F1 > > > > > gpg: BAD signature from "Jan Lahoda (Key for > > > signing > > > > > Apache NetBeans & co. releases.) < > > > [email protected] > > > > > <mailto:[email protected]>>" [unknown] > > > > > > > > > > What did I forget to do? > > > > > > > > > > > > > -- > > > > > > > > To unsubscribe, e-mail: > [email protected] > > > > > > > > For additional commands, e-mail: [email protected]. > > apache.org > > > > > > > > For further information about the NetBeans mailing lists, visit: > > > > > > > > https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [email protected] > > > For additional commands, e-mail: > [email protected] > > > > > > For further information about the NetBeans mailing lists, visit: > > > https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists > > > > > > > > > > > > > > >
