If the security team are happy with such a process, and it is possible to restrict access to the relevant people, having an automated workflow seems like an improvement from my perspective. That being said, I do think we should retain the ability to do manual releases, as my experience with such automation is it can also have off days, often at inopportune times.

On 05/03/2025 12:06, Jacob Wujciak wrote:
Actually, given that all releases from apache/arrow-rs are tar-ball
only with no convenience binaries (afaik), it should be easy to get a
workflow setup that produces the signed tarball in CI.

This was added to the release policy last year and requires
reproducible build, which is easy for just a tarball. It will then use
an INFRA managed GPG key, avoiding such issues as seen here +
complaints about the key file changing (which we had in apache/arrow).

We already have a workflow that creates the tarball in apache/arrow
that could be adapted and given to the security team for review
(policy requirement). We haven't done this so far for apache/arrow as
we have so many binaries that are also signed.

I'd be happy to help get that set up and handle the review stuff.
Could ease the releases for arrow-rs, what do you think?

Best
Jacob

On Wed, 5 Mar 2025 at 12:24, Raphael Taylor-Davies
<r.taylordav...@googlemail.com.invalid> wrote:
Aah yes, it appears my Apache GPG key has expired, and gpg "helpfully"
used an unrelated one.

pub   rsa4096 2016-11-19 [SC] [expires: 2024-10-03]
        B90EB64A3AF15545EC8A7B8803F0D5EA3790810C

I'll see about getting a new key added, and simultaneously see if I can
find another volunteer to shepherd this release through.

I'll also make a note to investigate if our verification scripts should
be updated to trust just the apache KEYS and ignore any local trusts, as
verification passed on my local machine.

On 05/03/2025 11:06, Jacob Wujciak wrote:
-1 as I think this was signed with the wrong key?

gpg: Signature made Wed 05 Mar 2025 11:43:17 AM CET
gpg:                using RSA key BF5A4[...]
gpg: Can't check signature: No public key
vs
gpg: key 03F0D5EA3790810C: "Raphael Jaen Taylor-Davies
<r.taylordav...@googlemail.com>"

On Wed, 5 Mar 2025 at 11:47, Raphael Taylor-Davies
<r.taylordav...@googlemail.com.invalid> wrote:
Hi,

I would like to propose a release of Apache Arrow Rust Object
Store Implementation, version 0.12.0.

This release candidate is based on commit:
89a2ef8e06088c29433c41a8d8f6f2a46ba8f399 [1]

The proposed release tarball and signatures are hosted at [2].

The changelog is located at [3].

Please download, verify checksums and signatures, run the unit tests,
and vote on the release. There is a script [4] that automates some of
the verification.

The vote will be open for at least 72 hours.

[ ] +1 Release this as Apache Arrow Rust Object Store
[ ] +0
[ ] -1 Do not release this as Apache Arrow Rust Object Store because...

[1]: https://github.com/apache/arrow-rs/tree/89a2ef8e06088c29433c41a8d8f6f2a46ba8f399
[2]: https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-object-store-rs-0.12.0-rc1
[3]: https://github.com/apache/arrow-rs/blob/89a2ef8e06088c29433c41a8d8f6f2a46ba8f399/object_store/CHANGELOG.md
[4]: https://github.com/apache/arrow-rs/blob/main/object_store/dev/release/verify-release-candidate.sh
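The following is an added example, not a script from this thread and not the verify-release-candidate.sh referenced above. It reproduces the failure mode Raphael describes (a signature made with an unrelated key passes on the signer's own machine because that key sits in the local keyring, while a voter with only the project KEYS file sees "No public key") and shows the fix he proposes: verify inside a throwaway GNUPGHOME seeded only from KEYS, so no local keyring or trust setting can leak in. The key names, e-mail addresses, tarball contents and KEYS file are all constructed for the example; it needs only a working gpg (2.1 or later).

```shell
#!/bin/sh
# Added example, not a script from the apache/arrow-rs repository. It shows why
# a release verification script should trust only the project's KEYS file:
# a signature made with an unrelated key still "verifies" in the signer's own
# keyring, but fails in an isolated keyring seeded only from KEYS.
set -eu

# Create an unprotected ed25519 signing key for user id $2 in GNUPGHOME $1 and
# print its fingerprint. (Throwaway keys constructed for this example.)
make_key() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign never 2>/dev/null
    GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '/^fpr/ { print $10; exit }'
}

# Detached, ASCII-armoured signature of $3 by key $2 in GNUPGHOME $1, written to $4.
sign_with() {
    GNUPGHOME=$1 gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --armor --detach-sign --output "$4" "$3" 2>/dev/null
}

# Verify signature $3 over artifact $2 using ONLY the keys in KEYS file $1.
# A fresh GNUPGHOME guarantees that neither the verifier's personal keyring
# nor its ownertrust settings take part. Prints "ok" or "fail".
verify_with_keys_file() {
    vhome=$(mktemp -d)
    GNUPGHOME=$vhome gpg --batch --quiet --import "$1" 2>/dev/null
    if GNUPGHOME=$vhome gpg --batch --verify "$3" "$2" >/dev/null 2>&1; then
        vresult=ok
    else
        vresult=fail
    fi
    GNUPGHOME=$vhome gpgconf --kill all 2>/dev/null || true
    rm -rf "$vhome"
    echo "$vresult"
}

# Reproduce the situation from the thread and print three results:
#   1. release key listed in KEYS, isolated verify        -> ok
#   2. unrelated key not in KEYS, isolated verify         -> fail (the -1 vote)
#   3. unrelated key, verified in the signer's own keyring -> ok (the false pass)
demo() {
    work=$(mktemp -d)
    signer=$work/signer-home
    mkdir -m 700 "$signer"
    release_fpr=$(make_key "$signer" "Release Manager <rm@example.invalid>")
    other_fpr=$(make_key "$signer" "Unrelated Key <other@example.invalid>")

    # Constructed stand-in for the release tarball, and a KEYS file that lists
    # only the release key (as the project's KEYS file would).
    printf 'constructed release tarball contents\n' > "$work/release.tar.gz"
    GNUPGHOME=$signer gpg --batch --armor --export "$release_fpr" > "$work/KEYS"

    sign_with "$signer" "$release_fpr" "$work/release.tar.gz" "$work/good.asc"
    sign_with "$signer" "$other_fpr"   "$work/release.tar.gz" "$work/wrong.asc"

    r1=$(verify_with_keys_file "$work/KEYS" "$work/release.tar.gz" "$work/good.asc")
    r2=$(verify_with_keys_file "$work/KEYS" "$work/release.tar.gz" "$work/wrong.asc")
    # The trap: the signer's own keyring knows the unrelated key, so this passes.
    if GNUPGHOME=$signer gpg --batch --verify "$work/wrong.asc" "$work/release.tar.gz" >/dev/null 2>&1; then
        r3=ok
    else
        r3=fail
    fi

    GNUPGHOME=$signer gpgconf --kill all 2>/dev/null || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

# Prints "ok fail ok" when run stand-alone.
command -v gpg >/dev/null 2>&1 && demo
```

The important part is `verify_with_keys_file`: because it imports KEYS into an empty GNUPGHOME, the only way a signature can verify is if the signing key is published in KEYS, which is exactly the property a release vote is meant to check. A verification script that runs plain `gpg --verify` in the voter's default home gets the third result instead of the second whenever the signer's other keys happen to be present locally.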
