Francis,

This vote has been open for over a month. As release manager, do you have the information necessary to cancel the vote or announce a result? We need to move on.

Julian

> On Apr 20, 2021, at 3:32 PM, Francis Chuang <[email protected]> wrote:
>
> Hey Josh,
>
> I believe the short key id uses the last 8 characters of the key id.
>
> This is the output when listing my secret keys:
> ❯ gpg --list-secret-keys
> /home/francis/.gnupg/pubring.kbx
> --------------------------------
> sec rsa4096 2018-04-16 [SC]
> 635665E0BE3F72552910CB74BBE44E923A970AB7
> uid [ultimate] Francis Chuang <[email protected]>
> ssb rsa4096 2018-04-16 [E]
>
> This is the entry in KEYS:
> -----END PGP PUBLIC KEY BLOCK-----
>
> pub rsa4096/3A970AB7 2018-04-16 [SC]
> uid [ultimate] Francis Chuang <[email protected]>
> sig 3 3A970AB7 2018-04-16 Francis Chuang <[email protected]>
> sig 2AD3FAE3 2018-07-25 Julian Hyde (CODE SIGNING KEY)
> <[email protected]>
> sig 2F471B9E 2018-07-25 Jungtaek Lim (HeartSaVioR)
> <[email protected]>
> sub rsa4096/34BCCFB3 2018-04-16 [E]
> sig 3A970AB7 2018-04-16 Francis Chuang <[email protected]>
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> The last 8 characters of the key id in both short and long formats match:
> 635665E0BE3F72552910CB74BBE44E923A970AB7
> 3A970AB7
>
> Francis
>
> On 21/04/2021 4:14 am, Josh Elser wrote:
>> Uh, I'm confused too and seeing the same thing that Julian saw.
>> The key 635665E0 does not exist in the
>> https://www.apache.org/dist/calcite/KEYS. What is in the KEYS file is
>> 3A970AB7.
>> I don't see this key in pgp.mit.edu when I search, either. I can't seem to
>> find a server which responds to do a `gpg --search-key` either.
>> Vladimir -- were you able to validate the signature? If so, do you have this
>> key in `gpg --fingerprint`?
>>
>> On 4/8/21 1:59 PM, Julian Hyde wrote:
>>> Makes sense. I am forever confused by signing & keys. If other people have
>>> no concerns, then I’m fine.
>>>
>>>> On Apr 8, 2021, at 1:43 AM, Francis Chuang <[email protected]>
>>>> wrote:
>>>>
>>>> Regarding the key, I wonder if it's because my key was only signed by 2
>>>> other individuals. See here [1] and here [2].
>>>>
>>>> [1]
>>>> https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature
>>>>
>>>> [2]
>>>> https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209
>>>>
>>>> On 8/04/2021 5:08 pm, Julian Hyde wrote:
>>>>> 1. Regarding the key. Even after doing
>>>>> $ gpg --import ~/apache/dist/release/calcite/KEYS
>>>>> I got the following error:
>>>>> $ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>> gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
>>>>> gpg: using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>> gpg: Good signature from "Francis Chuang <[email protected]>"
>>>>> [unknown]
>>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>>> gpg: There is no indication that the signature belongs to the
>>>>> owner.
>>>>> Primary key fingerprint: 6356 65E0 BE3F 7255 2910 CB74 BBE4 4E92 3A97
>>>>> 0AB7
>>>>> 2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
>>>>> 3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall
>>>>> where it ended up. My opinion is that neither the release plugin (nor the
>>>>> release manager) should be modifying source files.
>>>>> Julian
>>>>>> On Apr 7, 2021, at 11:57 PM, Francis Chuang <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>> Hey Julian,
>>>>>>
>>>>>> The key I used to sign the release is the same as the one in KEYS:
>>>>>>
>>>>>> gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
>>>>>> gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
>>>>>> gpg: Signature made Thu Apr 8 09:23:27 2021 AEST
>>>>>> gpg: using RSA key
>>>>>> 635665E0BE3F72552910CB74BBE44E923A970AB7
>>>>>> gpg: Good signature from "Francis Chuang <[email protected]>" [ultimate]
>>>>>>
>>>>>> For the 2 issues:
>>>>>> - The gradle-wrapper.jar issue probably affects calcite as well, so we
>>>>>> need to get this fixed in both repos.
>>>>>> - I believe the license is generated by the release plugin. I think
>>>>>> there was some discussion on the mailing list in the past, but I can't
>>>>>> find the threads for some reason.
>>>>>>
>>>>>> Francis
>>>>>>
>>>>>> On 8/04/2021 4:01 pm, Julian Hyde wrote:
>>>>>>> Francis,
>>>>>>> Thank you for getting this release done. We lost momentum and I
>>>>>>> appreciate you pushing through.
>>>>>>> Is this a different key than your existing key in KEYS? If so can you
>>>>>>> add it to https://dist.apache.org/repos/dist/release/calcite/KEYS?
>>>>>>> Downloaded, checked signatures, checked NOTICE, LICENSE, copyright
>>>>>>> dates, built on Linux/JDK 11 and ran tests, ran RAT.
>>>>>>> Two problems:
>>>>>>> * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar).
>>>>>>> I recently became aware that this is a breach of Apache release policy;
>>>>>>> see https://issues.apache.org/jira/browse/LEGAL-288.
>>>>>>> * LICENSE in the tar.gz differs from LICENSE in git
>>>>>>> -1 (binding) due to the above two problems.
>>>>>>> Julian
>>>>>>>> On Apr 7, 2021, at 4:33 PM, Francis Chuang <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I have created a build for Apache Calcite Avatica 1.18.0, release
>>>>>>>> candidate 0.
>>>>>>>>
>>>>>>>> Thanks to everyone who has contributed to this release.
>>>>>>>>
>>>>>>>> You can read the release notes here:
>>>>>>>> https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md
>>>>>>>>
>>>>>>>> The commit to be voted upon:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6
>>>>>>>>
>>>>>>>> Its hash is 9486557be86bcade35d814d8a81be638395f57c6
>>>>>>>>
>>>>>>>> Tag:
>>>>>>>> https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0
>>>>>>>>
>>>>>>>> The artifacts to be voted on are located here:
>>>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
>>>>>>>> (revision 46928)
>>>>>>>>
>>>>>>>> The hashes of the artifacts are as follows:
>>>>>>>> a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
>>>>>>>> *apache-calcite-avatica-1.18.0-src.tar.gz
>>>>>>>>
>>>>>>>> A staged Maven repository is available for review at:
>>>>>>>> https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/
>>>>>>>>
>>>>>>>> Release artifacts are signed with the following key:
>>>>>>>> https://people.apache.org/keys/committer/francischuang.asc
>>>>>>>> https://www.apache.org/dist/calcite/KEYS
>>>>>>>>
>>>>>>>> N.B.
>>>>>>>> To create the jars and test Apache Calcite Avatica: "./gradlew build
>>>>>>>> -Prelease -PskipSign".
>>>>>>>>
>>>>>>>> If you do not have a Java environment available, you can run the tests
>>>>>>>> using docker. To do so, install docker and docker-compose, then run
>>>>>>>> "docker-compose run test" from the root of the directory.
>>>>>>>>
>>>>>>>> Please vote on releasing this package as Apache Calcite Avatica 1.18.0.
>>>>>>>>
>>>>>>>> The vote is open for the next 72 hours and passes if a majority of at
>>>>>>>> least three +1 PMC votes are cast.
>>>>>>>>
>>>>>>>> [ ] +1 Release this package as Apache Calcite 1.18.0
>>>>>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the release
>>>>>>>> [ ] -1 Do not release this package because...
>>>>>>>>
>>>>>>>>
>>>>>>>> Here is my vote:
>>>>>>>>
>>>>>>>> +1 (binding)
>>>>>>>>
>>>>>>>> Francis
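
The key-ID mismatch discussed in this thread (635665E0 is the first eight hex digits of the fingerprint, while the KEYS entry 3A970AB7 is the last eight) can be checked mechanically, and a release check can pin the full fingerprint instead of a short ID. This is an added example, not part of the original thread or of any Apache tooling; the function names and the placeholder e-mail address in the constructed sample output are assumptions.

```python
import re

# Constructed sample: the `gpg --verify` output quoted in the thread,
# with the signer's e-mail address replaced by a placeholder.
SAMPLE_VERIFY_OUTPUT = """\
gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <signer@example.invalid>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
"""

def normalize(hex_id):
    """Strip whitespace and an optional 0x prefix, upper-case, validate hex."""
    s = re.sub(r"\s+", "", hex_id).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError("not a hex key id: %r" % hex_id)
    return s

def keyid_matches(fingerprint, key_id):
    """True if key_id (8, 16 or 40 hex digits) names the v4 key with this
    fingerprint. Short and long ids are the LAST 8/16 digits, not the first."""
    fpr, kid = normalize(fingerprint), normalize(key_id)
    if len(fpr) != 40:
        raise ValueError("expected a 40-digit v4 fingerprint")
    if len(kid) not in (8, 16, 40):
        raise ValueError("key id must be 8, 16 or 40 hex digits")
    return fpr.endswith(kid)

def primary_fingerprint(verify_output):
    """Extract the primary key fingerprint from human-readable gpg output."""
    m = re.search(r"^Primary key fingerprint:\s*([0-9A-Fa-f ]+)$",
                  verify_output, re.MULTILINE)
    return normalize(m.group(1)) if m else None

def signed_by_pinned_key(verify_output, pinned_fingerprint):
    """Accept only a good signature whose full fingerprint equals the pin."""
    good = re.search(r"^gpg: Good signature from ", verify_output, re.MULTILINE)
    fpr = primary_fingerprint(verify_output)
    return bool(good) and fpr is not None and fpr == normalize(pinned_fingerprint)
```

For automation, gpg's machine-readable `--status-fd` output is a more stable thing to parse than the human-readable text used here.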
