I created a PR to remove the docs.tgz file. I am not sure how that got there.
https://github.com/apache/datafusion/pull/10416

I think the untrusted key warning has always been there for more but is more noticeable here due to the smaller number of keys. I think I need to organize a key-signing party to become part of the web of trust.

Andy.

> On May 7, 2024, at 10:38 AM, Andrew Lamb <andrewlam...@gmail.com> wrote:
>
> +1 (binding) -- thank you Andy!
>
> I verified on mac M3.
>
> One thing I noticed is that the archive[1] is 46 MB compared to previous
> releases that were more like 6MB 37.1.0 [2]
>
> $ du -s -h apache-*.tar.gz
> 6.0M apache-arrow-datafusion-37.1.0.tar.gz
> 46M apache-datafusion-38.0.0.tar.gz
>
> Most of this difference appears to be a doc archive, which appears to be
> added in [3]
> $ du -s -h apache-datafusion-38.0.0/docs/docs.tgz
> 40M apache-datafusion-38.0.0/docs/docs.tgz
>
> Also, possibly interesting is that despite importing the KEYS file I get an
> error about non-trusted keys:
>
> andrewlamb@Andrews-MacBook-Pro-2:~/Downloads$ gpg --import KEYS
> gpg: WARNING: server 'keyboxd' is older than us (2.4.4 < 2.4.5)
> gpg: Note: Outdated servers may lack important security fixes.
> gpg: Note: Use the command "gpgconf --kill all" to restart them.
> gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
> gpg: (use option "--allow-weak-key-signatures" to override)
> gpg: key F105883A1735623D: 1 bad signature
> gpg: WARNING: server 'keyboxd' is older than us (2.4.4 < 2.4.5)
> gpg: Note: Outdated servers may lack important security fixes.
> gpg: Note: Use the command "gpgconf --kill all" to restart them.
> gpg: key F105883A1735623D: "William Wesley McKinney (CODE SIGNING KEY) <w...@apache.org>" not changed
> gpg: key 45127976E1E825D4: "Andrew A Lamb (https://github.com/alamb) <and...@nerdnetworks.org>" not changed
> gpg: key CA1AB41406F9DBAD: "Qingping Hou (CODE SIGNING KEY) <ho...@apache.org>" not changed
> gpg: key 0B8A854E87467E2C: "Andy Grove <agr...@apache.org>" not changed
> gpg: Total number processed: 4
> gpg: unchanged: 4
> andrewlamb@Andrews-MacBook-Pro-2:~/Downloads$ gpg --verify apache-datafusion-38.0.0.tar.gz.asc
> gpg: assuming signed data in 'apache-datafusion-38.0.0.tar.gz'
> gpg: Signature made Tue May 7 11:21:15 2024 EDT
> gpg: using RSA key B6550C65A4B9EE9F26111DB40B8A854E87467E2C
> gpg: WARNING: server 'keyboxd' is older than us (2.4.4 < 2.4.5)
> gpg: Note: Outdated servers may lack important security fixes.
> gpg: Note: Use the command "gpgconf --kill all" to restart them.
> gpg: WARNING: server 'keyboxd' is older than us (2.4.4 < 2.4.5)
> gpg: Note: Outdated servers may lack important security fixes.
> gpg: Note: Use the command "gpgconf --kill all" to restart them.
> gpg: Good signature from "Andy Grove <agr...@apache.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: B655 0C65 A4B9 EE9F 2611 1DB4 0B8A 854E 8746 7E2C
> andrewlamb@Andrews-MacBook-Pro-2:~/Downloads$
>
>
> [1] https://dist.apache.org/repos/dist/dev/datafusion/apache-datafusion-38.0.0-rc1/apache-datafusion-38.0.0.tar.gz
> [2] https://dist.apache.org/repos/dist/release/arrow/arrow-datafusion-37.1.0/apache-arrow-datafusion-37.1.0.tar.gz
> [3] https://github.com/apache/datafusion/pull/10407#pullrequestreview-2043665752
>
> On Tue, May 7, 2024 at 11:30 AM Andy Grove <andy.gr...@apple.com.invalid> wrote:
>
>> Hi,
>>
>> I would like to propose a release of Apache DataFusion version 38.0.0.
>>
>> This release candidate is based on commit:
>> cafbc9ddceb5af8c6408d0c8bbfed7568f655ddb [1]
>> The proposed release tarball and signatures are hosted at [2].
>> The changelog is located at [3].
>>
>> Please download, verify checksums and signatures, run the unit tests, and vote
>> on the release. The vote will be open for at least 72 hours.
>>
>> Only votes from PMC members are binding, but all members of the community are
>> encouraged to test the release and vote with "(non-binding)".
>>
>> The standard verification procedure is documented at
>> https://github.com/apache/datafusion/blob/main/dev/release/README.md#verifying-release-candidates
>> .
>>
>> [ ] +1 Release this as Apache DataFusion 38.0.0
>> [ ] +0
>> [ ] -1 Do not release this as Apache DataFusion 38.0.0 because...
>>
>> Here is my vote:
>>
>> +1
>>
>> [1]: https://github.com/apache/datafusion/tree/cafbc9ddceb5af8c6408d0c8bbfed7568f655ddb
>> [2]: https://dist.apache.org/repos/dist/dev/datafusion/apache-datafusion-38.0.0-rc1
>> [3]: https://github.com/apache/datafusion/blob/cafbc9ddceb5af8c6408d0c8bbfed7568f655ddb/CHANGELOG.md
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@datafusion.apache.org
>> For additional commands, e-mail: dev-h...@datafusion.apache.org
>>
>>
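
The gpg session quoted in this thread reports "Good signature" and then warns that the key is not certified: the signature is cryptographically valid, but the local keyring holds no trust path to the key's owner. As an added example (not part of the original thread or of the DataFusion release scripts), the shell function below reads gpg --status-fd output and reports those two facts separately, comparing the primary key fingerprint with one the verifier supplies. The name classify_sig and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the machine-readable output of
#   gpg --status-fd 1 --verify apache-datafusion-38.0.0.tar.gz.asc
# classify_sig is a hypothetical helper name, not part of gpg or DataFusion.

# Usage: ... | classify_sig "EXPECTED PRIMARY FINGERPRINT"
# Prints one of: bad | wrong-key | good-untrusted | good-trusted
classify_sig() {
    awk -v want="$1" '
        BEGIN { gsub(/ /, "", want); want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature must not be accepted.
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key, field 12 the primary key.
        $2 == "VALIDSIG" { fpr = toupper((NF >= 12) ? $12 : $3) }
        # Trust level comes from the local trust database (web of trust).
        $2 ~ /^TRUST_(FULLY|ULTIMATE)$/ { trusted = 1 }
        END {
            if (bad || fpr == "") print "bad"
            else if (fpr != want)  print "wrong-key"
            else if (trusted)      print "good-trusted"
            else                   print "good-untrusted"
        }'
}

# Constructed status lines modelled on the session quoted in the thread
# (timestamp and algorithm numbers are illustrative).
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0B8A854E87467E2C Andy Grove <agr...@apache.org>
[GNUPG:] VALIDSIG B6550C65A4B9EE9F26111DB40B8A854E87467E2C 2024-05-07 1715095275 0 4 0 1 10 00 B6550C65A4B9EE9F26111DB40B8A854E87467E2C
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed failure case: gpg emits BADSIG and no VALIDSIG line.
sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0B8A854E87467E2C Andy Grove <agr...@apache.org>
EOF
}
```

A result of good-untrusted corresponds to the "[unknown]" output in the thread: the fingerprint matches the one supplied, and the remaining question is whether that fingerprint was obtained from a source the verifier trusts.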