Hi, Jacob

This looks great. I'm interested in following the same setup in OpenDAL as well.
On Wed, Mar 5, 2025, at 20:06, Jacob Wujciak wrote:
> Actually, given that all releases from apache/arrow-rs are tar-ball
> only with no convenience binaries (afaik), it should be easy to get a
> workflow setup that produces the signed tarball in CI.
>
> This was added to the release policy last year and requires
> reproducible build, which is easy for just a tarball. It will then use
> an INFRA managed GPG key, avoiding such issues as seen here +
> complaints about the key file changing (which we had in apache/arrow).
>
> We already have a workflow that creates the tarball in apache/arrow
> that could be adapted and given to the security team for review
> (policy requirement). We haven't done this so far for apache/arrow as
> we have so many binaries that are also signed.
>
> I'd be happy to help get that set up and handle the review stuff.
> Could ease the releases for arrow-rs, what do you think?
>
> Best
> Jacob
>
> On Wed, 5 Mar 2025 at 12:24, Raphael Taylor-Davies
> <r.taylordav...@googlemail.com.invalid> wrote:
>>
>> Aah yes, it appears my Apache GPG key has expired, and gpg "helpfully"
>> used an unrelated one.
>>
>> pub rsa4096 2016-11-19 [SC] [expires: 2024-10-03]
>> B90EB64A3AF15545EC8A7B8803F0D5EA3790810C
>>
>> I'll see about getting a new key added, and simultaneously see if I can
>> find another volunteer to shepherd this release through.
>>
>> I'll also make a note to investigate if our verification scripts should
>> be updated to trust just the apache KEYS and ignore any local trusts, as
>> verification passed on my local machine.
>>
>> On 05/03/2025 11:06, Jacob Wujciak wrote:
>> > -1 as I think this was signed with the wrong key?
>> >
>> > gpg: Signature made Wed 05 Mar 2025 11:43:17 AM CET
>> > gpg: using RSA key BF5A4[...]
>> > gpg: Can't check signature: No public key
>> > vs
>> > gpg: key 03F0D5EA3790810C: "Raphael Jaen Taylor-Davies
>> > <r.taylordav...@googlemail.com>"
>> >
>> > On Wed, 5 Mar 2025 at 11:47, Raphael Taylor-Davies
>> > <r.taylordav...@googlemail.com.invalid> wrote:
>> >> Hi,
>> >>
>> >> I would like to propose a release of Apache Arrow Rust Object
>> >> Store Implementation, version 0.12.0.
>> >>
>> >> This release candidate is based on commit:
>> >> 89a2ef8e06088c29433c41a8d8f6f2a46ba8f399 [1]
>> >>
>> >> The proposed release tarball and signatures are hosted at [2].
>> >>
>> >> The changelog is located at [3].
>> >>
>> >> Please download, verify checksums and signatures, run the unit tests,
>> >> and vote on the release. There is a script [4] that automates some of
>> >> the verification.
>> >>
>> >> The vote will be open for at least 72 hours.
>> >>
>> >> [ ] +1 Release this as Apache Arrow Rust Object Store
>> >> [ ] +0
>> >> [ ] -1 Do not release this as Apache Arrow Rust Object Store because...
>> >>
>> >> [1]:
>> >> https://github.com/apache/arrow-rs/tree/89a2ef8e06088c29433c41a8d8f6f2a46ba8f399
>> >> [2]:
>> >> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-object-store-rs-0.12.0-rc1
>> >> [3]:
>> >> https://github.com/apache/arrow-rs/blob/89a2ef8e06088c29433c41a8d8f6f2a46ba8f399/object_store/CHANGELOG.md
>> >> [4]:
>> >> https://github.com/apache/arrow-rs/blob/main/object_store/dev/release/verify-release-candidate.sh

-- 
Xuanwo
https://xuanwo.io/
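Two points in the thread above are worth turning into a concrete check: Raphael's note that the verification script should trust only the project's KEYS file rather than whatever is in the verifier's local keyring (his local verification passed while Jacob's did not), and the underlying cause, an expired key with gpg silently picking an unrelated one. The script below is an added example, not code from the thread or from the arrow-rs verify-release-candidate.sh script. It verifies a detached signature inside a throwaway GnuPG home that contains nothing but the imported KEYS file, and accepts the signature only when gpg reports GOODSIG plus VALIDSIG (so an expired key, EXPKEYSIG, or an unknown key, NO_PUBKEY, is rejected even if gpg's exit status is 0). It assumes GnuPG 2.1 or later (gpg and gpgconf on PATH) and a POSIX mktemp; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify a release-candidate signature against ONLY the
# project's KEYS file, in a throwaway GnuPG home, so keys and trust settings
# in ~/.gnupg cannot make a signature from the wrong or an expired key pass.
# Assumes GnuPG 2.1+ (gpg, gpgconf) and a POSIX mktemp.

# verify_against_keys KEYS ARTIFACT SIGNATURE
#   Returns 0 and prints the signing key's fingerprint when the signature is
#   GOOD and made by a key listed in KEYS; returns 1 for an unknown key,
#   an expired key, or a bad signature; returns 2 on setup failure.
verify_against_keys() {
  keys_file=$1
  artifact=$2
  signature=$3

  tmp_home=$(mktemp -d) || return 2
  chmod 700 "$tmp_home"

  # The imported KEYS file is the only trust source; ~/.gnupg is never read.
  if ! gpg --homedir "$tmp_home" --batch --quiet --import "$keys_file" >/dev/null 2>&1; then
    rm -rf "$tmp_home"
    return 2
  fi

  # --status-fd 1 gives machine-readable status lines. An unknown signer
  # yields NO_PUBKEY, an expired signer EXPKEYSIG (gpg may still exit 0);
  # only GOODSIG together with VALIDSIG is accepted below.
  status=$(gpg --homedir "$tmp_home" --batch --status-fd 1 \
               --verify "$signature" "$artifact" 2>/dev/null)
  gpg_rc=$?

  gpgconf --homedir "$tmp_home" --kill gpg-agent >/dev/null 2>&1
  rm -rf "$tmp_home"

  [ "$gpg_rc" -eq 0 ] || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  # VALIDSIG carries the full fingerprint of the key that actually signed.
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
  [ -n "$fpr" ] || return 1

  # Print it so the voter can compare against the release manager's announced key.
  printf '%s\n' "$fpr"
  return 0
}

# Usage (file names are placeholders for the downloaded RC artifacts):
# verify_against_keys KEYS apache-arrow-object-store-rs-0.12.0.tar.gz \
#                          apache-arrow-object-store-rs-0.12.0.tar.gz.asc
```

Because the temporary home holds only the keys from KEYS, a VALIDSIG line is by construction a signature from a listed key; the fingerprint it prints is what a voter should compare against the KEYS entry of the release manager, which is the comparison that would have caught the "BF5A4[...]" vs "03F0D5EA3790810C" mismatch in the thread.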