For all those who haven't seen this before, GPG key signing is a very "early hacker" sort of thing. The idea is the only way to trust a signature is to have it signed by someone that you also trust. This builds a network of trust so you could essentially do something like say I trust that key X is Russell and therefore trust that Key Y signed by Key X is also trusted to be whoever they say they are because you trust Russell and his key. I don't think folks do this all that often any more but never fear, our current process is not "completely" anonymous.
When you download the KEYS file from SVN you are downloading what is essentially a list of Public Keys and Identities that is updated only by folks with valid Apache SVN credentials so there is a bit of security there. All of that to say, yes that key is mine and if you trust that this email comes from me, you can trust that key is also me. If you don't trust this email ... send me a message and I can 1 on 1 verify with you on video (although with AI who knows) that I am Russell and that is my key. I'll be in SF in person next week for Snowflake Summit if anyone wants in person validation :) On Tue, May 27, 2025 at 10:38 AM Kevin Liu <kevinjq...@apache.org> wrote: > +1 (non-binding) > > - Verified signature, checksum, license. > * Build + test passed using Java 17 on M1 > * Ran a few examples on Spark > * Ran pyiceberg integration tests > > Best, > Kevin Liu > > On Tue, May 27, 2025 at 7:59 AM karuppayya <karuppayya1...@gmail.com> > wrote: > >> When verifying >> <https://iceberg.apache.org/how-to-release/#verifying-signatures> >> signatures. I got a warning. Am I missing something with the gpg >> configuration? >> >> gpg: assuming signed data in 'apache-iceberg-1.9.1.tar.gz' >> gpg: Signature made Wed May 21 15:19:17 2025 PDT >> gpg: using RSA key xxx >> gpg: Good signature from "Russell Spitzer (CODE SIGNING KEY) >> <russellspit...@apache.org>" [unknown] >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the owner. >> Primary key fingerprint: x >> >> >> Verified checksums, local build and ran basic tests on Spark 3.5. >> >> If the warning is ok to ignore, >> +1 (non-binding) >> >> - Karuppayya >> >> >> >> >> On Tue, May 27, 2025 at 7:29 AM Jean-Baptiste Onofré <j...@nanthrax.net> >> wrote: >> >>> +1 (non binding) >>> >>> I checked: >>> * source distribution >>> ** checksum and signature are good >>> ** LICENSE and NOTICE look good >>> ** No binary file found in the source distribution >>> ** Header looks good in files >>> ** Build works from the source distribution >>> ** Tested with Spark and Polaris >>> * in the bundled jar files: >>> ** aws-bundle jar contains correct LICENSE/NOTICE >>> ** azure-bundle jar contains LICENSE/NOTICE, nit: Azure MIT license >>> content should be part of the LICENSE (inline). I will fix that. >>> ** gcp-bundle jar contains LICENSE/NOTICE, nit: Google BSD 3-Clause >>> license content should be part of the LICENSE (inline), and some >>> dependencies have dual licenses, only one should be "selected" in >>> Iceberg (exclusive). I will fix that. >>> ** kafka-runtime (main and hive) contains LICENSE/NOTICE, nit: same >>> issue as in azure-bundle and gcp-bundle about exclusive license and >>> MIT/BSD license content >>> >>> Regards >>> JB >>> >>> On Thu, May 22, 2025 at 1:19 AM Russell Spitzer >>> <russell.spit...@gmail.com> wrote: >>> > >>> > Hi Y'all, >>> > >>> > I propose that we release the following RC as the official Apache >>> Iceberg 1.9.1 release. >>> > >>> > The commit ID is f40208ae6fb2f33e578c2637d3dea1db18739f31 >>> > * This corresponds to the tag: apache-iceberg-1.9.1-rc1 >>> > * https://github.com/apache/iceberg/commits/apache-iceberg-1.9.1-rc1 >>> > * >>> https://github.com/apache/iceberg/tree/f40208ae6fb2f33e578c2637d3dea1db18739f31 >>> > >>> > The release tarball, signature, and checksums are here: >>> > * >>> https://dist.apache.org/repos/dist/dev/iceberg/apache-iceberg-1.9.1-rc1 >>> > >>> > You can find the KEYS file here: >>> > * https://downloads.apache.org/iceberg/KEYS >>> > >>> > Convenience binary artifacts are staged on Nexus. The Maven repository >>> URL is: >>> > * >>> https://repository.apache.org/content/repositories/orgapacheiceberg-1202/ >>> > >>> > Please download, verify, and test. >>> > >>> > Please vote in the next 72 hours. >>> > >>> > [ ] +1 Release this as Apache Iceberg 1.9.1 >>> > [ ] +0 >>> > [ ] -1 Do not release this because... >>> > >>> > Only PMC members have binding votes, but other community members are >>> encouraged to cast >>> > non-binding votes. This vote will pass if there are 3 binding +1 votes >>> and more binding >>> > +1 votes than -1 votes. >>> > >>> > --- >>> > >>> > For those watching the big change between this and RC0 was the >>> reversion of code which >>> > caused the rest client to emit multiple Snapshot Removals Requests in >>> the same MetadataUpdate. >>> > This restores the behavior to that of 1.8.X, 1 removal per update. >>> > We plan to move to the new behavior in a later release >>> >>
