+1 (binding) Note I had to update verify_release_candidate.sh manually[1] to get the verification to pass.
Also to anyone else interested, Tim and I had a short video call to verify that this is indeed the Tim Saucer I know and thus I have added the key to the KEYS file However, the key isn't verified by another trusted signature and results in the warning below. This is actually the same for Andy Grove's key as well, so I think we should have a "keysigning party" and add your keys to the web of trust. I will follow up with an email separately + gpg --verify ./apache-datafusion-python-44.0.0.tar.gz.asc ./apache-datafusion-python-44.0.0.tar.gz gpg: Signature made Sun Feb 2 17:27:59 2025 EST gpg: using EDDSA key CF6296EE7380F05894FE36443562A212282A90AD gpg: Good signature from "Timothy Saucer <timsau...@gmail.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. After fixing that and commenting out the `pip install` (see [1]) the verification passed + popd /var/folders/1l/tg68jc6550gg8xqf1hr4mlwr0000gn/T/datafusion-python-44.0.0.XXXXX.q8U6Obzdcw + TEST_SUCCESS=yes + echo 'Release candidate looks good!' Release candidate looks good! + exit 0 + cleanup + '[' yes = yes ']' + rm -fr /var/folders/1l/tg68jc6550gg8xqf1hr4mlwr0000gn/T/datafusion-python-44.0.0.XXXXX.q8U6Obzdcw [1]: https://github.com/apache/datafusion-python/pull/1012 On Sun, Feb 2, 2025 at 8:05 PM Tim Saucer <timsau...@gmail.com> wrote: > Ah, I didn’t see that I needed to do that. I’ll upload in the morning. > Thank you for catching the issue. > > > On Feb 2, 2025, at 7:24 PM, Andrew Lamb <andrewlam...@gmail.com> wrote: > > > > Thanks for doing this Tim! > > > > As we have met in person, perhaps we could/should have a keysigning party > > (aka zoom call) where I can sign and add your keys > > > > One thing I noticed is that I can't find the key used for for keysigning > > > > andrewlamb@Andrews-MacBook-Pro-2:~/Downloads$ gpg --verify > > apache-datafusion-python-44.0.0.tar.gz.asc > > gpg: assuming signed data in 'apache-datafusion-python-44.0.0.tar.gz' > > gpg: Signature made Sun Feb 2 17:27:59 2025 EST > > gpg: using EDDSA key > CF6296EE7380F05894FE36443562A212282A90AD > > gpg: Can't check signature: No public key > > > > I also check on the ubuntu keyserver and it wasn't there either: > > > https://keyserver.ubuntu.com/pks/lookup?search=CF6296EE7380F05894FE36443562A212282A90AD&fingerprint=on&op=index > > > > > > This also caused the release verification script for me to fail: > > > > $ apache-datafusion-python-44.0.0$ > > ./dev/release/verify-release-candidate.sh 44.0.0 1 > > ... > > > > + artifact=./apache-datafusion-python-44.0.0.tar.gz > > + gpg --verify ./apache-datafusion-python-44.0.0.tar.gz.asc > > ./apache-datafusion-python-44.0.0.tar.gz > > gpg: Signature made Sun Feb 2 17:27:59 2025 EST > > gpg: using EDDSA key > CF6296EE7380F05894FE36443562A212282A90AD > > gpg: Can't check signature: No public key > > + exit 1 > > > > > > > >> On Sun, Feb 2, 2025 at 6:15 PM Tim Saucer <timsau...@gmail.com> wrote: > >> > >> Hi, > >> > >> I would like to propose a release of the Apache DataFusion Python > Bindings, > >> version 44.0.0. > >> > >> This release candidate is based on commit: > >> f5a9f25080a6774d9dd202774baae8a659b2e396 [1] > >> The proposed release tarball and signatures are hosted at [2]. > >> The changelog is located at [3]. > >> The Python wheels are located at [4]. > >> > >> Please download, verify checksums and signatures, run the unit tests, > and > >> vote > >> on the release. The vote will be open for at least 72 hours. > >> > >> Only votes from PMC members are binding, but all members of the > community > >> are > >> encouraged to test the release and vote with "(non-binding)". > >> > >> The standard verification procedure is documented at > >> > >> > https://github.com/apache/datafusion-python/blob/main/dev/release/README.md#verifying-release-candidates > >> . > >> > >> [ ] +1 Release this as Apache DataFusion Python 44.0.0 > >> [ ] +0 > >> [ ] -1 Do not release this as Apache DataFusion Python 44.0.0 because... > >> > >> Here is my vote: > >> > >> +1 (non-binding) > >> > >> [1]: > >> > >> > https://github.com/apache/datafusion-python/tree/f5a9f25080a6774d9dd202774baae8a659b2e396 > >> [2]: > >> > >> > https://dist.apache.org/repos/dist/dev/datafusion/apache-datafusion-python-44.0.0-rc1 > >> [3]: > >> > >> > https://github.com/apache/datafusion-python/blob/f5a9f25080a6774d9dd202774baae8a659b2e396/CHANGELOG.md > >> [4]: https://test.pypi.org/project/datafusion/44.0.0/ > >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@datafusion.apache.org > For additional commands, e-mail: dev-h...@datafusion.apache.org > >
