1. Regarding the key. Even after doing $ gpg --import ~/apache/dist/release/calcite/KEYS
I got the following error: $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz' gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT gpg: using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7 gpg: Good signature from "Francis Chuang <[email protected]>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6356 65E0 BE3F 7255 2910 CB74 BBE4 4E92 3A97 0AB7 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too. 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files. Julian > On Apr 7, 2021, at 11:57 PM, Francis Chuang <[email protected]> wrote: > > Hey Julian, > > The key I used to sign the release is the same as the one in KEYS: > > gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc > gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz' > gpg: Signature made Thu Apr 8 09:23:27 2021 AEST > gpg: using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7 > gpg: Good signature from "Francis Chuang <[email protected]>" [ultimate] > > For the 2 issues: > - The gradle-wrapper.jar issue probably affects calcite as well, so we need > to get this fixed in both repos. > - I believe the license is generated by the release plugin. I think there was > some discussion on the mailing list in the past, but I can't find the threads > for some reason. > > Francis > > On 8/04/2021 4:01 pm, Julian Hyde wrote: >> Francis, >> Thank you for getting this release done. We lost momentum and I appreciate >> you pushing through. >> Is this a different key than your existing key in KEYS? If so can you add it >> to https://dist.apache.org/repos/dist/release/calcite/KEYS? >> <https://dist.apache.org/repos/dist/release/calcite/KEYS?> >> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, >> built on Linux/JDK 11 and ran tests, ran RAT. >> Two problems: >> * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I >> recently became aware that this is a breach of Apache release policy; see >> https://issues.apache.org/jira/browse/LEGAL-288 >> <https://issues.apache.org/jira/browse/LEGAL-288>. >> * LICENSE in the tar.gz differs from LICENSE in git >> -1 (binding) due the above two problems. >> Julian >>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <[email protected]> wrote: >>> >>> Hi all, >>> >>> I have created a build for Apache Calcite Avatica 1.18.0, release >>> candidate 0. >>> >>> Thanks to everyone who has contributed to this release. >>> >>> You can read the release notes here: >>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md >>> >>> The commit to be voted upon: >>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6 >>> >>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6 >>> >>> Tag: >>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0 >>> >>> The artifacts to be voted on are located here: >>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0 >>> (revision 46928) >>> >>> The hashes of the artifacts are as follows: >>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 >>> *apache-calcite-avatica-1.18.0-src.tar.gz >>> >>> A staged Maven repository is available for review at: >>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/ >>> >>> Release artifacts are signed with the following key: >>> https://people.apache.org/keys/committer/francischuang.asc >>> https://www.apache.org/dist/calcite/KEYS >>> >>> N.B. >>> To create the jars and test Apache Calcite Avatica: "./gradlew build >>> -Prelease -PskipSign". >>> >>> If you do not have a Java environment available, you can run the tests >>> using docker. To do so, install docker and docker-compose, then run >>> "docker-compose run test" from the root of the directory. >>> >>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0. >>> >>> The vote is open for the next 72 hours and passes if a majority of at >>> least three +1 PMC votes are cast. >>> >>> [ ] +1 Release this package as Apache Calcite 1.18.0 >>> [ ] 0 I don't feel strongly about it, but I'm okay with the release >>> [ ] -1 Do not release this package because... >>> >>> >>> Here is my vote: >>> >>> +1 (binding) >>> >>> Francis
