Makes sense. I am forever confused by signing & keys. If other people have no concerns, then I’m fine.
> On Apr 8, 2021, at 1:43 AM, Francis Chuang <[email protected]> wrote:
>
> Regarding the key, I wonder if it's because my key was only signed by 2 other
> individuals. See here [1] and here [2].
>
> [1]
> https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature
> [2]
> https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209
>
> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>> 1. Regarding the key. Even after doing
>> $ gpg --import ~/apache/dist/release/calcite/KEYS
>> I got the following error:
>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>> gpg: using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>> gpg: Good signature from "Francis Chuang <[email protected]>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910 CB74 BBE4 4E92 3A97 0AB7
>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall
>> where it ended up. My opinion is that neither the release plugin (nor the
>> release manager) should be modifying source files.
>> Julian
>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang <[email protected]>
>>> wrote:
>>>
>>> Hey Julian,
>>>
>>> The key I used to sign the release is the same as the one in KEYS:
>>>
>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>> gpg: Signature made Thu Apr 8 09:23:27 2021 AEST
>>> gpg: using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>> gpg: Good signature from "Francis Chuang <[email protected]>" [ultimate]
>>>
>>> For the 2 issues:
>>> - The gradle-wrapper.jar issue probably affects calcite as well, so we need
>>> to get this fixed in both repos.
>>> - I believe the license is generated by the release plugin. I think there
>>> was some discussion on the mailing list in the past, but I can't find the
>>> threads for some reason.
>>>
>>> Francis
>>>
>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>> Francis,
>>>> Thank you for getting this release done. We lost momentum and I appreciate
>>>> you pushing through.
>>>> Is this a different key than your existing key in KEYS? If so can you add
>>>> it to https://dist.apache.org/repos/dist/release/calcite/KEYS?
>>>> <https://dist.apache.org/repos/dist/release/calcite/KEYS?>
>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates,
>>>> built on Linux/JDK 11 and ran tests, ran RAT.
>>>> Two problems:
>>>> * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I
>>>> recently became aware that this is a breach of Apache release policy; see
>>>> https://issues.apache.org/jira/browse/LEGAL-288
>>>> <https://issues.apache.org/jira/browse/LEGAL-288>.
>>>> * LICENSE in the tar.gz differs from LICENSE in git
>>>> -1 (binding) due to the above two problems.
>>>> Julian
>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>> candidate 0.
>>>>>
>>>>> Thanks to everyone who has contributed to this release.
>>>>>
>>>>> You can read the release notes here:
>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>>>>
>>>>> The commit to be voted upon:
>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>>>>
>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>>
>>>>> Tag:
>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>>>>
>>>>> The artifacts to be voted on are located here:
>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
>>>>> (revision 46928)
>>>>>
>>>>> The hashes of the artifacts are as follows:
>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>>
>>>>> A staged Maven repository is available for review at:
>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>>>>
>>>>> Release artifacts are signed with the following key:
>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>>
>>>>> N.B.
>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew build
>>>>> -Prelease -PskipSign".
>>>>>
>>>>> If you do not have a Java environment available, you can run the tests
>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>> "docker-compose run test" from the root of the directory.
>>>>>
>>>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>>>>
>>>>> The vote is open for the next 72 hours and passes if a majority of at
>>>>> least three +1 PMC votes are cast.
>>>>>
>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the release
>>>>> [ ] -1 Do not release this package because...
>>>>>
>>>>>
>>>>> Here is my vote:
>>>>>
>>>>> +1 (binding)
>>>>>
>>>>> Francis
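
The two gpg outputs quoted in this thread differ only in the `[unknown]` / `[ultimate]` label, not in whether the signature is valid. The following is an added example, not part of the original messages or the project's tooling: it reads gpg's `--status-fd` lines, pins the verdict to the fingerprint printed in the thread, and only reports the validity label. The status lines are constructed samples, and `check_status` and the `status_*` helpers are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. check_status reads the status lines of
#   gpg --status-fd 1 --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc 2>/dev/null
# Fingerprint as printed in the thread; a reviewer would confirm it against
# the project KEYS file before relying on it.
EXPECTED_FPR='6356 65E0 BE3F 7255 2910 CB74 BBE4 4E92 3A97 0AB7'

# check_status FINGERPRINT   (status lines on stdin)
# Prints "<verdict> <trust>"; returns 0 only for the verdict "accept".
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        # Key validity (the [unknown]/[ultimate] label) is reported, not judged
        $2 ~ /^TRUST_/ { trust = tolower(substr($2, 7)) }
        END {
            if (trust == "") trust = "none"
            if (bad || fpr == "") { print "reject-bad-signature " trust; exit 1 }
            if (fpr != want) { print "reject-wrong-key " trust; exit 1 }
            print "accept " trust
        }'
}

# Constructed, abridged status output (signature fields invented).
SIG='2021-04-07 1617837807 0 4 0 1 10 00'
KEY=635665E0BE3F72552910CB74BBE44E923A970AB7
OTHER=0000000000000000000000000000000000000001   # constructed, not a real key

status_reviewer() {   # key imported but never certified: "[unknown]"
    printf '%s\n' "[GNUPG:] VALIDSIG $KEY $SIG $KEY" '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}
status_signer() {     # the signer checking with his own key: "[ultimate]"
    printf '%s\n' "[GNUPG:] VALIDSIG $KEY $SIG $KEY" '[GNUPG:] TRUST_ULTIMATE 0 pgp'
}
status_other_key() {  # valid signature, locally trusted, but not the release key
    printf '%s\n' "[GNUPG:] VALIDSIG $OTHER $SIG $OTHER" '[GNUPG:] TRUST_ULTIMATE 0 pgp'
}

status_reviewer  | check_status "$EXPECTED_FPR"          # accept undefined
status_signer    | check_status "$EXPECTED_FPR"          # accept ultimate
status_other_key | check_status "$EXPECTED_FPR" || true  # reject-wrong-key ultimate
```

The third case shows why the label alone is not the check: a key can be fully trusted in the local keyring and still not be the key the release is supposed to be signed with.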
