All,

I've fixed up the release candidate. Given the commit head and source code
haven't changed, I've decided to update the RC in place on the apache
dist/dev repo and will keep the voting open on this thread to avoid
spamming your inboxes.

Fixes:
1. The release script in the flagon repo claimed to run git clean -dxf, but
this was actually commented out. I've fixed this in the script.
2. I indeed was signing with a different default key. This has been fixed.
However, please note, your verification call was incorrect. You must do a
one-one mapping between the signatures and their constituent files. For
unix systems, the one-liner below does this:
for a in *.tar.gz *.zip; do gpg2 --verify "${a}.asc" "${a}"; done
3. I updated the script to use sha512sum. This should ameliorate your
issues, Jason.

Please re-assess the candidate and get your votes in. We'll extend voting
by another 72 hours.

Best

Evan Jones
Website: www.ea-jones.com


On Sat, Mar 23, 2024 at 10:08 AM Evan Jones <evan.a.jon...@gmail.com> wrote:

> Thanks, Jason.
>
> 1. This is odd. I used the script. And explicitly recall it asking about
> git clean.
>
> 2. I was worried about this. I have multiple keys.
>
> 3. I'll update the script to use sha512sum.
>
> Will re-roll later.
>
> Best
>
> Evan Jones
> Website: www.ea-jones.com
>
>
> On Sat, Mar 23, 2024 at 9:55 AM Jason Young <j...@apache.org> wrote:
>
>> -1 from me
>>
>> 1. (blocking) Source artifacts should contain only files tracked by git
>> but there are build files, log files, and .vscode. The
>> make-release-artifacts.sh script should do this, so maybe this is an issue
>> with the script. Otherwise you can remove these files with `git clean -dxf`
>>
>> 2. (blocking) I cannot verify the signatures, I am running:
>> gpg --import KEYS
>> gpg --verify *.asc
>>
>> gpg is using RSA key 1750ADB4640DCF780D97CE2FDC659A327EC07063 to verify,
>> which I'm guessing is a different GPG key on your machine
>>
>> 3. (non-blocking) When I check the hashes with shasum it throws "no
>> properly formatted SHA checksum lines found". I recalculated and compared
>> the hashes and they are correct but formatted differently.
>>
>> Your hashes were generated with gpg --print-md, and I couldn't figure out
>> how to programmatically check this format. Also, Apache recommends shasum
>> for SHA-512 release hashes.
>> https://infra.apache.org/release-signing.html#sha-checksum
>>
>> [Y] Build and Unit Tests Pass
>> [Y] Integration Tests Pass
>> [N] Signatures and Hashes Match Keys
>> [Y] LICENSE, and NOTICE Files in Source and Binary Release Packages
>> [Y] LICENSE, and NOTICE are consistent with ASF and Incubator Policy
>> [Y] CHANGELOG included with release distribution
>> [Y] All Source Files Have Correct ASF Headers
>> [N] No Binary Files in Source Release Packages
>>
>> -Jason
>>
>> On 2024/03/22 00:58:41 Evan Jones wrote:
>> > Hi Folks,
>> >
>> > Please VOTE on the Apache Flagon UserALEjs 2.4.0 Release Candidate # 02.
>> >
>> > About Flagon: http://flagon.apache.org/
>> >
>> > This Minor release includes :
>> >     * Refactors Map and Filter APIs as generalized callbacks for
>> > functionality
>> >     * Updates packages and dependencies
>> >     * Adds additional examples (callback functions)
>> >     * Updates to update deprecated downstream dev dependencies
>> >     * Changes to documentation, updated examples
>> >     * New browser extension setting, password, for basic auth.
>> >     * New log fields httpSessionId and browserSessionId
>> >     * Callbacks for auth headers and custom headers.
>> >     * Example json schema added.
>> >
>> > Git source tag (2.4.0-rc02):
>> > https://github.com/apache/flagon-useralejs/tree/2.4.0-rc02
>> >
>> > Staging repo: https://dist.apache.org/repos/dist/dev/flagon/
>> >
>> > Source Release Artifacts:
>> >
>> > https://dist.apache.org/repos/dist/dev/flagon/apache-flagon-useralejs-2.4.0-RC-02/
>> >
>> > PGP release keys (signed using {8/16 char sigID}):
>> > https://github.com/apache/flagon-useralejs/blob/master/KEYS
>> >
>> > Link to Successful Github Actions tests:
>> > https://github.com/apache/flagon-useralejs/actions/runs/8383064872
>> >
>> > Vote will be open for 72 hours. Please VOTE as follows:
>> >
>> > [ ] +1, let's get it released!!!
>> > [ ] +/-0, fine, but consider to fix few issues before...
>> > [ ] -1, nope, because... (and please explain why)
>> >
>> > Along with your VOTE, please indicate testing and checks you've made
>> > against build artifacts, src, and documentation:
>> >
>> > [ ] Build and Unit Tests Pass
>> > [ ] Integration Tests Pass
>> > [ ] Signatures and Hashes Match Keys
>> > [ ] LICENSE, and NOTICE Files in Source and Binary Release Packages
>> > [ ] LICENSE, and NOTICE are consistent with ASF and Incubator Policy
>> > [ ] CHANGELOG included with release distribution
>> > [ ] All Source Files Have Correct ASF Headers
>> > [ ] No Binary Files in Source Release Packages
>> >
>> > Thank you to everyone that is able to VOTE as well as everyone that
>> > contributed to Apache Flagon 2.4.0.
>> >
>> > Best,
>> > Evan Jones
>> >
>>
>
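
An added example, not part of the thread or of the Flagon release scripts: the checksum side of the per-artifact check discussed above. It pairs each artifact with the checksum file that carries its own name and reads the digest from either the sha512sum layout or the wrapped, upper-case layout printed by gpg --print-md. The function names and the `.sha512` suffix are assumptions; signatures still go through the gpg2 loop in the first message.

```shell
#!/bin/sh
# Added example: read a SHA-512 from either checksum layout and compare it
# with the artifact's real digest. Function names are hypothetical.
# Usage: check_release_dir <directory holding the release artifacts>

# Print the digest stored in checksum file $1 as 128 lowercase hex chars.
# Accepts "HEX  name" (sha512sum/shasum) and the gpg --print-md layout:
# "name: ABCD1234 EF567890 ..." with the hex groups wrapped over lines.
stored_digest() {
    first=$(awk 'NR==1 {print $1}' "$1")
    if printf '%s\n' "$first" | grep -Eq '^[0-9A-Fa-f]{128}$'; then
        hex=$first
    else
        # Drop the "name:" prefix, then join the wrapped hex groups.
        hex=$(sed '1s/^[^:]*://' "$1" | tr -d ' \t\r\n')
    fi
    hex=$(printf '%s' "$hex" | tr 'A-F' 'a-f')
    # Anything that is not exactly one SHA-512 digest is rejected.
    printf '%s\n' "$hex" | grep -Eq '^[0-9a-f]{128}$' || return 2
    printf '%s\n' "$hex"
}

# Compare artifact $1 with its own checksum file ($2, default $1.sha512).
verify_sha512() {
    expected=$(stored_digest "${2:-$1.sha512}") || return 2
    actual=$(sha512sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Check every artifact in directory $1 against the checksum file that
# carries its name; a missing or mismatching checksum fails the run.
check_release_dir() {
    status=0
    for a in "$1"/*.tar.gz "$1"/*.zip; do
        [ -e "$a" ] || continue          # glob matched nothing
        if [ -f "$a.sha512" ] && verify_sha512 "$a"; then
            echo "OK   ${a##*/}"
        else
            echo "FAIL ${a##*/}"
            status=1
        fi
    done
    return "$status"
}
```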
