While we work out a new process, I will make a new object_store RC with my key to keep the code moving. Be on the lookout for a new RC shortly
On Wed, Mar 5, 2025 at 7:32 AM Raphael Taylor-Davies <r.taylordav...@googlemail.com.invalid> wrote:
> If the security team are happy with such a process, and it is possible
> to restrict access to the relevant people, having an automated workflow
> seems like an improvement from my perspective. That being said, I do
> think we should retain the ability to do manual releases, as my
> experience with such automation is it can also have off days, often at
> inopportune times.
>
> On 05/03/2025 12:06, Jacob Wujciak wrote:
> > Actually, given that all releases from apache/arrow-rs are tar-ball
> > only with no convenience binaries (afaik), it should be easy to get a
> > workflow setup that produces the signed tarball in CI.
> >
> > This was added to the release policy last year and requires
> > reproducible build, which is easy for just a tarball. It will then use
> > an INFRA managed GPG key, avoiding such issues as seen here +
> > complaints about the key file changing (which we had in apache/arrow).
> >
> > We already have a workflow that creates the tarball in apache/arrow
> > that could be adapted and given to the security team for review
> > (policy requirement). We haven't done this so far for apache/arrow as
> > we have so many binaries that are also signed.
> >
> > I'd be happy to help get that set up and handle the review stuff.
> > Could ease the releases for arrow-rs, what do you think?
> >
> > Best
> > Jacob
> >
> > On Wed, 5 Mar 2025 at 12:24, Raphael Taylor-Davies
> > <r.taylordav...@googlemail.com.invalid> wrote:
> >> Aah yes, it appears my Apache GPG key has expired, and gpg "helpfully"
> >> used an unrelated one.
> >>
> >> pub rsa4096 2016-11-19 [SC] [expires: 2024-10-03]
> >> B90EB64A3AF15545EC8A7B8803F0D5EA3790810C
> >>
> >> I'll see about getting a new key added, and simultaneously see if I can
> >> find another volunteer to shepherd this release through.
> >>
> >> I'll also make a note to investigate if our verification scripts should
> >> be updated to trust just the apache KEYS and ignore any local trusts, as
> >> verification passed on my local machine.
> >>
> >> On 05/03/2025 11:06, Jacob Wujciak wrote:
> >>> -1 as I think this was signed with the wrong key?
> >>>
> >>> gpg: Signature made Wed 05 Mar 2025 11:43:17 AM CET
> >>> gpg: using RSA key BF5A4[...]
> >>> gpg: Can't check signature: No public key
> >>> vs
> >>> gpg: key 03F0D5EA3790810C: "Raphael Jaen Taylor-Davies
> >>> <r.taylordav...@googlemail.com>"
> >>>
> >>> On Wed, 5 Mar 2025 at 11:47, Raphael Taylor-Davies
> >>> <r.taylordav...@googlemail.com.invalid> wrote:
> >>>> Hi,
> >>>>
> >>>> I would like to propose a release of Apache Arrow Rust Object
> >>>> Store Implementation, version 0.12.0.
> >>>>
> >>>> This release candidate is based on commit:
> >>>> 89a2ef8e06088c29433c41a8d8f6f2a46ba8f399 [1]
> >>>>
> >>>> The proposed release tarball and signatures are hosted at [2].
> >>>>
> >>>> The changelog is located at [3].
> >>>>
> >>>> Please download, verify checksums and signatures, run the unit tests,
> >>>> and vote on the release. There is a script [4] that automates some of
> >>>> the verification.
> >>>>
> >>>> The vote will be open for at least 72 hours.
> >>>>
> >>>> [ ] +1 Release this as Apache Arrow Rust Object Store
> >>>> [ ] +0
> >>>> [ ] -1 Do not release this as Apache Arrow Rust Object Store because...
> >>>>
> >>>> [1]: https://github.com/apache/arrow-rs/tree/89a2ef8e06088c29433c41a8d8f6f2a46ba8f399
> >>>> [2]: https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-object-store-rs-0.12.0-rc1
> >>>> [3]: https://github.com/apache/arrow-rs/blob/89a2ef8e06088c29433c41a8d8f6f2a46ba8f399/object_store/CHANGELOG.md
> >>>> [4]: https://github.com/apache/arrow-rs/blob/main/object_store/dev/release/verify-release-candidate.sh
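The thread above turns on one detail: the signature verified on the release manager's machine because an unrelated key happened to be in his local keyring, while everyone else saw "No public key". The following shell script is an added example, not the arrow-rs project's own verify-release-candidate.sh, showing how a verification step can trust only the project's KEYS file by importing it into a throwaway GNUPGHOME and deciding the outcome from gpg's machine-readable status lines rather than its exit code or the verifier's personal keyring. The file names `KEYS`, `release.tar.gz` and `release.tar.gz.asc` in the usage line are placeholders, and the status-line samples in the comments are constructed from gpg's documented `--status-fd` format.

```shell
#!/bin/sh
# Added example (not the arrow-rs project's verify-release-candidate.sh):
# verify a release-candidate signature against the project's KEYS file only,
# inside a fresh GNUPGHOME, so nothing already in the local keyring can make a
# signature from the wrong key look valid.

# classify_gpg_status: read "gpg --status-fd 1" lines from stdin and print a
# one-line verdict. Only the "[GNUPG:] ..." tokens are inspected, so locale
# and the human-readable "gpg: ..." lines do not matter.
classify_gpg_status() {
    valid_fpr=""; missing_keyid=""; bad=0; expired=0; revoked=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)      # e.g. "[GNUPG:] VALIDSIG <full fingerprint> <date> ..."
                rest=${line#"[GNUPG:] VALIDSIG "}
                valid_fpr=${rest%% *} ;;
            "[GNUPG:] NO_PUBKEY "*)     # e.g. "[GNUPG:] NO_PUBKEY <long key id>"
                rest=${line#"[GNUPG:] NO_PUBKEY "}
                missing_keyid=${rest%% *} ;;
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*) expired=1 ;;
            "[GNUPG:] REVKEYSIG "*) revoked=1 ;;
        esac
    done
    # Decide independently of line order: a cryptographically valid signature
    # still fails on an expired or revoked key, and a missing key is reported
    # as such instead of being confused with "no signature at all".
    if   [ "$bad" -eq 1 ];          then printf '%s\n' "BADSIG"
    elif [ "$expired" -eq 1 ];      then printf '%s\n' "EXPKEYSIG"
    elif [ "$revoked" -eq 1 ];      then printf '%s\n' "REVKEYSIG"
    elif [ -n "$valid_fpr" ];       then printf '%s\n' "VALIDSIG $valid_fpr"
    elif [ -n "$missing_keyid" ];   then printf '%s\n' "NO_PUBKEY $missing_keyid"
    else                                 printf '%s\n' "NO_SIGNATURE"
    fi
}

# verify_rc_signature KEYS TARBALL SIG: import only KEYS into a temporary
# GNUPGHOME, verify SIG over TARBALL there, print the verdict and return 0
# only for VALIDSIG. Because the keyring starts empty, any key that verifies
# must have come from KEYS; an unrelated key on the verifier's machine cannot
# be picked up, and a key missing from KEYS surfaces as NO_PUBKEY.
verify_rc_signature() {
    keys_file=$1; tarball=$2; sig=$3
    tmp_home=$(mktemp -d) || return 2
    chmod 700 "$tmp_home"
    GNUPGHOME=$tmp_home gpg --batch --quiet --import "$keys_file" 2>/dev/null || {
        rm -rf "$tmp_home"; printf '%s\n' "KEYS_IMPORT_FAILED"; return 2; }
    verdict=$(GNUPGHOME=$tmp_home gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
        | classify_gpg_status)
    GNUPGHOME=$tmp_home gpgconf --kill all 2>/dev/null || true   # stop any agent started in the temp home
    rm -rf "$tmp_home"
    printf '%s\n' "$verdict"
    case "$verdict" in "VALIDSIG "*) return 0 ;; *) return 1 ;; esac
}

# Usage (placeholder file names): ./verify-keys-only.sh KEYS release.tar.gz release.tar.gz.asc
case $# in 3) verify_rc_signature "$1" "$2" "$3" ;; esac
```

With this structure the verdict depends only on what is in KEYS: a signature by the expired Apache key would come back as `EXPKEYSIG`, and a signature by a key that is not in KEYS at all comes back as `NO_PUBKEY <id>`, regardless of which keys the person running the script happens to hold locally.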