Regarding the key, I wonder if it's because my key was only signed by 2
other individuals. See here [1] and here [2].
[1] https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature
[2] https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209
On 8/04/2021 5:08 pm, Julian Hyde wrote:
1. Regarding the key. Even after doing
$ gpg --import ~/apache/dist/release/calcite/KEYS
I got the following error:
$ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
gpg: using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6356 65E0 BE3F 7255 2910 CB74 BBE4 4E92 3A97 0AB7
2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where
it ended up. My opinion is that neither the release plugin (nor the release
manager) should be modifying source files.
Julian
On Apr 7, 2021, at 11:57 PM, Francis Chuang <[email protected]> wrote:
Hey Julian,
The key I used to sign the release is the same as the one in KEYS:
gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
gpg: Signature made Thu Apr 8 09:23:27 2021 AEST
gpg: using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <[email protected]>" [ultimate]
For the 2 issues:
- The gradle-wrapper.jar issue probably affects calcite as well, so we need to
get this fixed in both repos.
- I believe the license is generated by the release plugin. I think there was
some discussion on the mailing list in the past, but I can't find the threads
for some reason.
Francis
On 8/04/2021 4:01 pm, Julian Hyde wrote:
Francis,
Thank you for getting this release done. We lost momentum and I appreciate you
pushing through.
Is this a different key than your existing key in KEYS? If so can you add it to
https://dist.apache.org/repos/dist/release/calcite/KEYS?
Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built
on Linux/JDK 11 and ran tests, ran RAT.
Two problems:
* tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently
became aware that this is a breach of Apache release policy; see
https://issues.apache.org/jira/browse/LEGAL-288.
* LICENSE in the tar.gz differs from LICENSE in git
-1 (binding) due to the above two problems.
Julian
On Apr 7, 2021, at 4:33 PM, Francis Chuang <[email protected]> wrote:
Hi all,
I have created a build for Apache Calcite Avatica 1.18.0, release
candidate 0.
Thanks to everyone who has contributed to this release.
You can read the release notes here:
https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
The commit to be voted upon:
https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
Its hash is 9486557be86bcade35d814d8a81be638395f57c6
Tag:
https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
The artifacts to be voted on are located here:
https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
(revision 46928)
The hashes of the artifacts are as follows:
a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772 *apache-calcite-avatica-1.18.0-src.tar.gz
A staged Maven repository is available for review at:
https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
Release artifacts are signed with the following key:
https://people.apache.org/keys/committer/francischuang.asc
https://www.apache.org/dist/calcite/KEYS
N.B.
To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".
If you do not have a Java environment available, you can run the tests
using docker. To do so, install docker and docker-compose, then run
"docker-compose run test" from the root of the directory.
Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
The vote is open for the next 72 hours and passes if a majority of at
least three +1 PMC votes are cast.
[ ] +1 Release this package as Apache Calcite 1.18.0
[ ] 0 I don't feel strongly about it, but I'm okay with the release
[ ] -1 Do not release this package because...
Here is my vote:
+1 (binding)
Francis
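The two gpg outputs quoted in this thread differ only in the validity marker ([unknown] versus [ultimate]). The following is an added example, not part of the original thread or the project's tooling, that separates "the signature verifies" from "the key is trusted locally" by parsing the machine-readable output of `gpg --status-fd 1 --verify`. The status lines, user ID and timestamps are constructed samples; the function names `assess` and `verdict` are hypothetical.

```python
# Fingerprint quoted in the thread. Assumption: the verifier obtained it over a
# channel it trusts (for example the project's KEYS file) and pins it here.
PINNED_FPR = "635665E0BE3F72552910CB74BBE44E923A970AB7"

# Constructed sample of `gpg --status-fd 1 --verify file.asc` for a key that
# was imported but never certified locally (user ID and timestamps made up).
SAMPLE_UNKNOWN = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG BBE44E923A970AB7 Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2021-04-07 1617837807 0 4 0 1 10 00 " + PINNED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
# Same signature as seen by the key's owner, whose keyring marks it ultimate.
SAMPLE_ULTIMATE = SAMPLE_UNKNOWN.replace("TRUST_UNDEFINED", "TRUST_ULTIMATE")
# Constructed sample of a signature that does not match the file.
SAMPLE_BAD = "[GNUPG:] BADSIG BBE44E923A970AB7 Example Signer <signer@example.invalid>"

def assess(status_text, pinned_fpr=PINNED_FPR):
    """Return (signature_ok, fingerprint_matches, trust_level)."""
    good = bad = False
    fprs, trust = set(), None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore human-readable lines mixed into the stream
        keyword, *args = line.split()[1:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad = True
        elif keyword == "VALIDSIG" and args:
            # First field: signing key fingerprint; last: primary key fingerprint.
            fprs.update({args[0].upper(), args[-1].upper()})
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    return good and not bad, pinned_fpr.upper() in fprs, trust

def verdict(status_text, pinned_fpr=PINNED_FPR):
    """Decide on signature validity and the pinned fingerprint, not on trust."""
    sig_ok, fpr_ok, trust = assess(status_text, pinned_fpr)
    if not sig_ok:
        return "reject: signature did not verify"
    if not fpr_ok:
        return "reject: signed by an unexpected key"
    return f"accept (local trust: {trust})"

if __name__ == "__main__":
    for sample in (SAMPLE_UNKNOWN, SAMPLE_ULTIMATE, SAMPLE_BAD):
        print(verdict(sample))
```

The trust level is reported but does not change the decision: it reflects the verifier's own keyring and ownertrust settings, while the fingerprint comparison is what ties the signature to the expected release key.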