Cos, I’ll highly appreciate if you double-check that RC4 is clean and no longer have any issues revealed by you: http://apache-ignite-developers.2346864.n4.nabble.com/VOTE-Apache-Ignite-2-1-0-RC4-td19969.html <http://apache-ignite-developers.2346864.n4.nabble.com/VOTE-Apache-Ignite-2-1-0-RC4-td19969.html>
— Denis > On Jul 24, 2017, at 11:04 AM, Konstantin Boudnik <c...@apache.org> wrote: > > Got it. Thank you for the understanding and readiness to deal with the > finding - that might not look like a big issues for us, but could > alert some of the users. I will be happy to jump on another > verification cycle as soon as it is available. Please let me know if I > can help with anything. > > With best regards, > Cos > -- > With regards, > Konstantin (Cos) Boudnik > 2CAC 8312 4870 D885 8616 6115 220F 6980 1F27 E622 > > Disclaimer: Opinions expressed in this email are those of the author, > and do not necessarily represent the views of any company the author > might be affiliated with at the moment of writing. > > > On Mon, Jul 24, 2017 at 10:46 AM, Denis Magda <dma...@apache.org> wrote: >> Hi Cos, >> >>> Which tells me that the private key is simply shared by a number of the >>> committers. And there's no guarantee that it hasn't been leaked outside of >>> the group. And that's pretty serious security flaw, actually. >> >> That’s not the case. Sam signed and did final technical steps preparing the >> RC3. I took care of other formalities. >> >> Personally, did expect this to be an issue. Agree, let’s fix the process >> making sure the release manager signs bundles all the times. >> >>> - why every other RC Vote is started by a different person? >> >> >> Summer time, vacations, day offs… >> >> — >> Denis >> >>> On Jul 22, 2017, at 1:26 PM, Konstantin Boudnik <c...@apache.org> wrote: >>> >>> Retracting this, found the KEYS (douh...). Still >>> >>> -1 (binding). The release isn't signed by the release manager. Someone else >>> key is used. >>> >>> - Checked the sha1 >>> - Successfully ran the build >>> - Checked the signature >>> - The archive is signed by the key 593A743B belonging to sboi...@apache.org. >>> However, none of the 2.1.0 RC [VOTE] attempts were started by this person. >>> Which tells me that the private key is simply shared by a number of the >>> committers. And there's no guarantee that it hasn't been leaked outside of >>> the group. And that's pretty serious security flaw, actually. >>> >>> Why the release managers aren't using their own keys? It is easy to generate >>> and sign the keys following guidelines [1]. Committers' keys are easy to >>> validate against the Apache repository [2] >>> >>> Things that need to be improved in the next release: >>> - neither sha1 nor md5 are trustful checksum'ing methods and aren't >>> guaranteeing the authenticity of the source archive. We should be switching >>> to at least sha265 or higher. This has been brought up since the incubation. >>> And warrants for -1 in the next release. >>> - why every other RC Vote is started by a different person? >>> >>> With regards, >>> Cos >>> >>> [1] https://people.apache.org/keys/committer/ >>> [2] >>> https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys >>> >>> On Sat, Jul 22, 2017 at 01:00PM, Konstantin Boudnik wrote: >>>> Am I missing the location of the signing keys? I cannot verivy the >>>> signature >>>> of the archive. >>>> >>>> -1 (binding) until then. >>>> >>>> Thanks >>>> Cos >>>> >>>> On Thu, Jul 20, 2017 at 03:34PM, Denis Magda wrote: >>>>> Igniters, >>>>> >>>>> Setting off the vote one more time. Hope I’ll be successful this time, >>>>> keeping fingers crossed :) >>>>> >>>>> We have uploaded a 2.1.0 release candidate to >>>>> https://dist.apache.org/repos/dist/dev/ignite/2.1.0-rc3/ >>>>> >>>>> Git tag name is >>>>> 2.1.0-rc3 >>>>> >>>>> This release includes the following changes: >>>>> >>>>> Ignite: >>>>> * Persistent cache store >>>>> * Added IgniteFuture.listenAsync() and IgniteFuture.chainAsync() mehtods >>>>> * Deprecated IgniteConfiguration.marshaller >>>>> * Updated Lucene dependency to version 5.5.2 >>>>> * Machine learning: implemented K-means clusterization algorithm optimized >>>>> for distributed storages >>>>> * SQL: CREATE TABLE and DROP TABLE commands support >>>>> * SQL: New thin JDBC driver >>>>> * SQL: Improved performance of certain queries, when affinity node can be >>>>> calculated in advance >>>>> * SQL: Fixed return type of AVG() function >>>>> * SQL: BLOB type support added to thick JDBC driver >>>>> * SQL: Improved LocalDate, LocalTime and LocalDateTime support for Java 8 >>>>> * SQL: Added FieldsQueryCursor interface to get fields metadata for >>>>> SqlFieldsQuery >>>>> * ODBC: Implemented DML statement batching >>>>> * Massive performance and stability improvements >>>>> >>>>> Ignite.NET: >>>>> * Automatic remote assembly loading >>>>> * NuGet-based standalone node deployment >>>>> * Added conditional data removeal via LINQ DeleteAll >>>>> * Added TimestampAttribute to control DateTime serialization mode >>>>> * Added local collections joins support to LINQ. >>>>> >>>>> Ignite CPP: >>>>> * Added Compute::Call and Compute::Broadcast methods >>>>> >>>>> Web Console: >>>>> * Implemented support for UNIQUE indexes for key fields on import model >>>>> from RDBMS >>>>> * Added option to show full stack trace on Queries screen >>>>> * Added PK alias generation on Models screen. >>>>> >>>>> Complete list of closed issues: >>>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20IGNITE%20AND% >>>>> 20fixVersion%20%3D%202.1%20AND%20(status%20%3D%20closed%20or%20status%20%3D% >>>>> 20resolved) >>>>> >>>>> DEVNOTES >>>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=DEVNOTES.txt;hb=refs/tags/2.1.0-rc3 >>>>> >>>>> RELEASE NOTES >>>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=RELEASE_NOTES.txt;hb=refs/tags/2.1.0-rc3 >>>>> >>>>> Please start voting. >>>>> >>>>> +1 - to accept Apache Ignite 2.1.0-rc3 >>>>> 0 - don't care either way >>>>> -1 - DO NOT accept Apache Ignite 2.1.0-rc3 (explain why) >>>>> >>>>> This vote will go for 72 hours. >>>>> >>>>> — >>>>> Denis >>>>> >>> >>> >>