Thanks again for all the input! Both Geode and Geode Native source distributions are now signed with an armored signature. Release manager docs are updated accordingly.
I also added tickets to make the geode build also the sign source release <https://issues.apache.org/jira/browse/GEODE-6124> and increase the checksum to SHA 512 for core <https://issues.apache.org/jira/browse/GEODE-6125> and examples <https://issues.apache.org/jira/browse/GEODE-6126>. If we agree on not having a ZIP file for core and native we should be consistent in the next release and remove the ZIPs form examples as well. On Mon, Dec 3, 2018 at 10:23 AM Robert Houghton <rhough...@pivotal.io> wrote: > +1. Thanks Owen > > On Mon, Dec 3, 2018, 10:07 Owen Nichols <onich...@pivotal.io wrote: > > > > 2. No zip file for the geode, just .tgz. > > > > I believe this was changed a few months ago to simplify our build and > > release process. Distributing as both .zip and .tgz is a relic of a time > > before WinZip, WinRar, 7-Zip, and most other popular zip utilities gained > > native support for .tgz archives. If there is still a segment of the > Geode > > user community that would suffer hardship due to lack of .zip packaging, > we > > should revisit this decision. > > > > -Owen > > > > > > > On Dec 3, 2018, at 9:52 AM, Dan Smith <dsm...@pivotal.io> wrote: > > > > > > I see a few things with the artifacts that I think should be tweaked > > > 1. No pgp signature for the sources! > > > 2. No zip file for the geode, just .tgz. Older releases on our website > > have > > > both zip and tgz. See the differences between [1] and [2] > > > 3. pgp signature for the native source is not ascii armored. See [3] > > > > > > Regarding SHA512 vs SHA256 - we should probably just move everything to > > > SHA512 in the future. > > > > > > [1] https://dist.apache.org/repos/dist/dev/geode/1.8.0.RC1/ > > > [2] https://www.apache.org/dist/geode/1.7.0/ > > > [3] https://www.apache.org/dev/release-signing.html#signing-basics > > > > > > On Mon, Dec 3, 2018 at 9:24 AM Alexander Murmann <amurm...@pivotal.io> > > > wrote: > > > > > >> Thanks for taking such a detailed a look, Nabarun! That's awesome > input. > > >> > > >> 1. Is there a reason why geode-native is signed with SHA512 while all > > the > > >>> rest are signed with SHA256? > > >> > > >> Not really. I used the defaults provided by the Gradle signing task in > > the > > >> case of the core codebase and the GPG tool's default when signing the > > >> native code. I noticed that GPG's default was larger, but figured more > > bits > > >> are better bits and come at pretty much no additional cost. If this is > > >> confusing, I am happy to sign with a smaller hash or at least at > > >> documentation for doing so more consistently in the next release. > > >> Any opinions on how to proceed with this? > > >> > > >> 2. Are there any directions / documentation on how to verify the > > >>> geode-native release components? > > >> > > >> I unpacked the release and followed the instructions in building.md. > > >> Someone who has contributed more to the Native code base might have > much > > >> better steps in mind. Pleas chime in! > > >> > > >> On Mon, Dec 3, 2018 at 8:45 AM Nabarun Nag <n...@apache.org> wrote: > > >> > > >>> Following checks completed: > > >>> - checked signatures > > >>> - checked SHA's > > >>> - builds from source [geode] > > >>> - run gfsh - start locator, server - create region - do put and get - > > >>> execute OQL query > > >>> - examples run cleanly [geode-examples] > > >>> - the correct version in gfsh command version > > >>> > > >>> Questions: > > >>> 1. Is there a reason why geode-native is signed with SHA512 while all > > the > > >>> rest are signed with SHA256? > > >>> 2. Are there any directions / documentation on how to verify the > > >>> geode-native release components? > > >>> > > >>> > > >>> File Differences: > > >>> 1. Files KEYS and gradlew.bat are present in the github repo for > > >>> rel/v1.8.0.RC1 but not present in the source release > > >> apache-geode-1.8.0-src > > >>> 2. gradlew file differs in the rel/v1.8.0.RC1 repo and the source > > release > > >>> apache-geode-1.8.0-src. > > >>> > > >>> Apologies if these changes are expected. > > >>> > > >>> Regards > > >>> Nabarun Nag > > >>> > > >>> > > >>> > > >>> > > >>> On Fri, Nov 30, 2018 at 5:38 PM Alexander Murmann < > amurm...@pivotal.io > > > > > >>> wrote: > > >>> > > >>>> Hi everyone, > > >>>> > > >>>> Per above discussion the release now contains Geode Native. > > >>>> Here is the updated release information: > > >>>> > > >>>> Apache Geode: > > >>>> https://github.com/apache/geode/tree/rel/v1.8.0.RC1 > > >>>> Apache Geode examples: > > >>>> https://github.com/apache/geode-examples/tree/rel/v1.8.0.RC1 > > >>>> Apache Geode Native: > > >>>> https://github.com/apache/geode-native/tree/rel/v1.8.0.RC1 > > >>>> > > >>>> Commit IDs: > > >>>> Apache Geode: 671671b5e81acde2684df3331aedf176cc927e6e > > >>>> Apache Geode Examples: aee3794f1302ffab51b4ca5d02657598420b7a00 > > >>>> Apache Geode Native: 32d71d13087b5c1a36417693cf8da9a8819edbdf > > >>>> > > >>>> Source and binary files: > > >>>> https://dist.apache.org/repos/dist/dev/geode/1.8.0.RC1/ > > >>>> > > >>>> Maven staging repo: > > >>>> > > https://repository.apache.org/content/repositories/orgapachegeode-1048 > > >>>> > > >>>> Geode's KEYS file containing PGP keys we use to sign the release: > > >>>> https://github.com/apache/geode/blob/develop/KEYS > > >>>> > > >>>> Signed the release with fingerprint: > > >>>> rsa4096 2018-09-01 [SC] > > >>>> D5C5C950D61898EDE8928820D6048392BDFB7797 > > >>>> > > >>>> > > >>>> On Fri, Nov 30, 2018 at 9:44 AM Anthony Baker <aba...@pivotal.io> > > >> wrote: > > >>>> > > >>>>> Because this is confusing, let me clarify our current approach > again: > > >>>>> > > >>>>> When we do a release of the Geode Project, it will include all the > > >>>>> constituent pieces we deem appropriate regardless of the repo the > > >>> source > > >>>>> comes from. Currently this includes: > > >>>>> > > >>>>> - geode > > >>>>> - geode-examples > > >>>>> - geode-native > > >>>>> > > >>>>> Perhaps in the future, we would include geode-benchmarks. > > >>>>> > > >>>>> In order to create a distinct release with a separate lifecycle we > > >>> would > > >>>>> need to spawn a subproject with a separate PMC and a viable > > >> community. > > >>>>> > > >>>>> @Alexander, I don’t think you need to issue a new release > candidate. > > >>>> Just > > >>>>> add the geode-native source distribution and update the VOTE email. > > >>>>> > > >>>>> > > >>>>> Anthony > > >>>>> > > >>>>> > > >>>>>> On Nov 30, 2018, at 8:08 AM, Alexander Murmann < > > >> amurm...@pivotal.io> > > >>>>> wrote: > > >>>>>> > > >>>>>> Sorry, I was unaware that we were planning on releasing > > >> geode-native > > >>> as > > >>>>>> part of the same release and not as a separate release that goes > > >> out > > >>>> at a > > >>>>>> similar time. > > >>>>>> > > >>>>>> I am happy to work on a new candidate that includes geode-native. > > >>>>>> > > >>>>>> On Fri, Nov 30, 2018 at 6:39 AM Anthony Baker <aba...@pivotal.io> > > >>>> wrote: > > >>>>>> > > >>>>>>> Is there a reason the geode-native repo was not included in the > > >>>> release? > > >>>>>>> > > >>>>>>> Anthony > > >>>>>>> > > >>>>>>> > > >>>>>>>> On Nov 29, 2018, at 11:15 PM, Alexander Murmann < > > >>> amurm...@pivotal.io > > >>>>> > > >>>>>>> wrote: > > >>>>>>>> > > >>>>>>>> Hello Geode dev community! > > >>>>>>>> > > >>>>>>>> I am happy to announce the first release candidate for Apache > > >> Geode > > >>>>>>> 1.8.0! > > >>>>>>>> Thanks to all the community members for their contributions to > > >> this > > >>>>>>>> release! > > >>>>>>>> > > >>>>>>>> Please review and give your feedback! The deadline is the end of > > >>> day > > >>>>> Dec. > > >>>>>>>> 4th 2018. > > >>>>>>>> > > >>>>>>>> It resolves 162 issues on Apache Geode JIRA system. Release > notes > > >>> can > > >>>>> be > > >>>>>>>> found at: > > >>>>>>>> > > >>>>>>> > > >>>>> > > >>>> > > >>> > > >> > > > https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.8.0 > > >>>>>>>> > > >>>>>>>> Please note that we are voting upon the source tags: > > >> rel/v1.8.0.RC1 > > >>>>>>>> Apache Geode: > > >>>>>>>> https://github.com/apache/geode/tree/rel/v1.8.0.RC1 > > >>>>>>>> Apache Geode examples: > > >>>>>>>> https://github.com/apache/geode-examples/tree/rel/v1.8.0.RC1 > > >>>>>>>> > > >>>>>>>> Commit IDs: > > >>>>>>>> Apache Geode: 671671b5e81acde2684df3331aedf176cc927e6e > > >>>>>>>> Apache Geode Examples: aee3794f1302ffab51b4ca5d02657598420b7a00 > > >>>>>>>> > > >>>>>>>> Source and binary files: > > >>>>>>>> https://dist.apache.org/repos/dist/dev/geode/1.8.0.RC1/ > > >>>>>>>> > > >>>>>>>> Maven staging repo: > > >>>>>>>> > > >>>> > > https://repository.apache.org/content/repositories/orgapachegeode-1048 > > >>>>>>>> > > >>>>>>>> Geode's KEYS file containing PGP keys we use to sign the > release: > > >>>>>>>> https://github.com/apache/geode/blob/develop/KEYS > > >>>>>>>> > > >>>>>>>> Signed the release with fingerprint: > > >>>>>>>> rsa4096 2018-09-01 [SC] > > >>>>>>>> D5C5C950D61898EDE8928820D6048392BDFB7797 > > >>>>>>>> > > >>>>>>>> PS: Command to run geode-examples: ./gradlew -PgeodeReleaseUrl= > > >>>>>>>> https://dist.apache.org/repos/dist/dev/geode/1.8.0.RC1 > > >>>>>>> -PgeodeRepositoryUrl= > > >>>>>>>> > > >>>> > > https://repository.apache.org/content/repositories/orgapachegeode-1048 > > >>>>>>>> build runAll > > >>>>>>>> > > >>>>>>>> Thank you! > > >>>>>>>> Alexander > > >>>>>>> > > >>>>>>> > > >>>>> > > >>>>> > > >>>> > > >>> > > >> > > > > >
