Matt Mulder just found a fairly nasty bug in RC1 (https://issues.apache.org/jira/browse/IMPALA-5855). It seems like we should probably generate a new RC once that is fixed.
On Mon, Aug 28, 2017 at 11:46 AM, Bharath Vissapragada <[email protected]> wrote:
> Thanks Todd for the quick help. I read more about it and I found this link
> [1] interesting. So, looks like we need to grow our "web of trust" and one
> way I think is to trust the keys of RMs in the KEYS file, especially given
> they have write permission to the directory and could update that file. As
> per the link I mentioned, this doesn't look like a standard Apache
> practice, but I don't see any other way (please correct me if I'm wrong).
>
> [1] https://mirror-vm.apache.org/~henkp/trust/
>
> On Mon, Aug 28, 2017 at 11:14 AM, Todd Lipcon <[email protected]> wrote:
>
> > Hey Bharath,
> >
> > Take a look at https://www.apache.org/dev/release-signing.html#web-of-trust
> > -- it has some info on the GPG "web of trust". Basically, you need
> > to either directly trust Jim's key 6850196C, or you need to trust someone
> > who trusts him, etc. If you haven't yourself signed or trusted anyone's
> > keys, then no one's signature will be considered trusted for you.
> >
> > Typically projects also publish a KEYS file in their distribution
> > directory which would be able to verify that the signing key at least
> > matches the one that was uploaded via ASF infrastructure.
> >
> > -Todd
> >
> > On Mon, Aug 28, 2017 at 11:09 AM, Bharath Vissapragada <[email protected]> wrote:
> >
> >> + mentors
> >>
> >> Thanks for testing the release Matt. I ran into the same issue while
> >> testing it myself. So I double checked older releases 2.9.0 and 2.8.0 and I
> >> saw the same behavior.
> >>
> >> gpg --verify apache-impala-incubating-2.9.0.tar.gz.asc
> >> apache-impala-incubating-2.9.0.tar.gz
> >> gpg: Signature made Fri 02 Jun 2017 12:25:45 PM PDT using RSA key ID
> >> 9522D0F3
> >> gpg: Good signature from "Taras Bobrovytsky (CODE SIGNING KEY) <[email protected]>"
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg: There is no indication that the signature belongs to the
> >> owner.
> >> Primary key fingerprint: 8B3E 3FC6 7005 4F52 2421 EEA9 8F3F 86FA 9522
> >> D0F3
> >>
> >> gpg --verify apache-impala-incubating-2.8.0.tar.gz.asc
> >> apache-impala-incubating-2.8.0.tar.gz
> >> gpg: Signature made Sat 07 Jan 2017 10:50:22 AM PST using RSA key ID
> >> 6850196C
> >> gpg: Good signature from "Jim Apple (CODE SIGNING KEY) <[email protected]>"
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg: There is no indication that the signature belongs to the
> >> owner.
> >> Primary key fingerprint: 11EA E1B3 F3D9 9D7F 897E 4601 91EE 4306 6850
> >> 196C
> >>
> >> I tried to dig into it and this looks like a pretty common problem [1].
> >> But, I'm not totally sure about the standard practices to make a key
> >> trusted. Does anyone else in the community know what are the best
> >> practices around this and how it works with other Apache projects?
> >>
> >> [1] https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
> >>
> >>
> >> On Mon, Aug 28, 2017 at 10:26 AM, Matthew Jacobs <[email protected]> wrote:
> >>
> >>> Bharath, is your key set up correctly?
> >>>
> >>> Running the script on
> >>> https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
> >>> resulted in this warning indicating that your signature is not
> >>> trusted:
> >>>
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg: There is no indication that the signature belongs to the
> >>> owner.
> >>>
> >>> Maybe someone who has RM'd before can comment on this.
> >>>
> >>>
> >>> ...
> >>> gpg: key 6850196C: public key "Jim Apple (CODE SIGNING KEY)
> >>> <[email protected]>" imported
> >>> gpg: key 9522D0F3: public key "Taras Bobrovytsky (CODE SIGNING KEY)
> >>> <[email protected]>" imported
> >>> gpg: key 64DAB27C: public key "Bharath Vissapragada
> >>> <[email protected]>" imported
> >>> gpg: Total number processed: 3
> >>> gpg: imported: 3 (RSA: 3)
> >>> gpg: no ultimately trusted keys found
> >>> + echo 'If in an interactive shell, At the prompt, enter '\''5'\'' for
> >>> '\''I trust ultimately'\'', then '\''y'\'' for '\''yes'\'', then
> >>> '\''q'\'' for '\''quit'\'''
> >>> If in an interactive shell, At the prompt, enter '5' for 'I trust
> >>> ultimately', then 'y' for 'yes', then 'q' for 'quit'
> >>> + [[ ehuxB == *i* ]]
> >>> + echo 'Download the release artifacts:'
> >>> Download the release artifacts:
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.asc
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.md5
> >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.sha512
> >>> + echo 'Check the checksums:'
> >>> Check the checksums:
> >>> + md5sum --check apache-impala-incubating-2.10.0.tar.gz.md5
> >>> apache-impala-incubating-2.10.0.tar.gz: OK
> >>> + sha512sum --check apache-impala-incubating-2.10.0.tar.gz.sha512
> >>> apache-impala-incubating-2.10.0.tar.gz: OK
> >>> + echo 'Check the signature:'
> >>> Check the signature:
> >>> + gpg --verify apache-impala-incubating-2.10.0.tar.gz.asc
> >>> apache-impala-incubating-2.10.0.tar.gz
> >>> gpg: Signature made Sun 27 Aug 2017 06:48:18 PM PDT using RSA key ID
> >>> 64DAB27C
> >>> gpg: Good signature from "Bharath Vissapragada <[email protected]>"
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg: There is no indication that the signature belongs to the
> >>> owner.
> >>>
> >>> On Sun, Aug 27, 2017 at 10:32 PM, Bharath Vissapragada
> >>> <[email protected]> wrote:
> >>> > This is a vote to release Impala 2.10.0.
> >>> >
> >>> > - The artefacts for testing can be downloaded from
> >>> > <https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/>.
> >>> >
> >>> > - The git tag for this release candidate is 2.10.0-rc1 and tree hash is
> >>> > visible at
> >>> > <https://git-wip-us.apache.org/repos/asf?p=incubator-impala.git;a=tree;hb=2a7c8b9011905bfeb21b0610f0739f9df9daacef>
> >>> >
> >>> > Please vote +1 or -1. -1 votes should be accompanied by an explanation of
> >>> > the reason. Only PPMC members and mentors have binding votes, but other
> >>> > community members are encouraged to cast non-binding votes. This vote will
> >>> > pass if there are 3 binding +1 votes and more binding +1 votes than -1
> >>> > votes.
> >>> >
> >>> > This wiki page describes how to check the release before you vote:
> >>> > https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
> >>> >
> >>> > The vote will be open until the end of Wednesday, August 30, Pacific time
> >>> > zone (UTC-08:00).
> >>> > Once the vote passes the Impala PPMC vote, it still must pass the incubator
> >>> > PMC vote before a release is made.
> >>>
> >>
> >
> > --
> > Todd Lipcon
> > Software Engineer, Cloudera
> >
>
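A note on what the quoted gpg output means and the check a release voter actually wants. "Good signature" already says the detached signature verifies against the imported key; the WARNING that follows is gpg saying it has no basis in the local trust database to bind that key to the claimed identity. The wiki script's prompt ("enter '5' for 'I trust ultimately'") makes the warning go away, but it only records a trust decision the voter has not actually made. The check Todd describes, that the signing key's full fingerprint is the one published in the project's KEYS file, gives real assurance and needs no edit to the trustdb. The code below is an added example, not the Impala wiki script and not project code: it applies that policy to gpg's machine-readable `--status-fd` output. The KEYS text, user IDs, dates, timestamps and the unlisted third key are constructed for the demo; only the two fingerprints (keys 6850196C and 9522D0F3) are the ones quoted in the thread.

```python
"""Release-signature policy over gpg's machine-readable --status-fd output.

Added example, not the Impala wiki script or project code. Accept only if gpg
reports a cryptographically valid signature (GOODSIG + VALIDSIG) AND the
signing key's full fingerprint (or its primary key's) is in the project KEYS
file. gpg's TRUST_* verdict is reported, not required.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "
# BADSIG: mismatch; ERRSIG: could not check (key not imported);
# EXPKEYSIG/REVKEYSIG replace GOODSIG for expired/revoked keys.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NODATA"}
# KEYS files carry either "Key fingerprint = XXXX XXXX ..." (older gpg) or a
# bare, indented 40-hex-digit line (newer gpg); accept both layouts.
FPR_LABELLED = re.compile(r"Key fingerprint = ((?:[0-9A-F]{4} ?){10})")
FPR_BARE = re.compile(r"^\s+([0-9A-F]{40})\s*$", re.MULTILINE)


def keys_file_fingerprints(keys_text: str) -> set:
    """Full 40-hex-digit fingerprints listed in a KEYS file."""
    fprs = {m.group(1).replace(" ", "") for m in FPR_LABELLED.finditer(keys_text)}
    return fprs | {m.group(1) for m in FPR_BARE.finditer(keys_text)}


@dataclass
class SigStatus:
    good: bool = False
    signer: Optional[str] = None               # user ID from GOODSIG
    fingerprint: Optional[str] = None          # signing (sub)key, VALIDSIG field 1
    primary_fingerprint: Optional[str] = None  # primary key, last VALIDSIG field
    trust: Optional[str] = None                # TRUST_UNDEFINED ... TRUST_ULTIMATE
    fatal: Optional[str] = None                # first fatal tag seen, if any


def parse_status(status_text: str) -> SigStatus:
    """Parse the status lines of one `gpg --batch --status-fd 1 --verify` run."""
    st = SigStatus()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable output, not a status line
        fields = line[len(STATUS_PREFIX):].split()
        tag = fields[0] if fields else ""
        if tag == "GOODSIG":
            st.good, st.signer = True, " ".join(fields[2:])  # [1] is the key ID
        elif tag in FATAL_TAGS:
            st.good, st.fatal = False, st.fatal or tag
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]  (GnuPG doc/DETAILS)
            st.fingerprint = fields[1]
            st.primary_fingerprint = fields[10] if len(fields) > 10 else fields[1]
        elif tag.startswith("TRUST_"):
            st.trust = tag
    return st


def check_release(status_text: str, keys_text: str) -> Tuple[bool, str]:
    """Policy decision as (accepted, reason)."""
    st = parse_status(status_text)
    if st.fatal or not st.good:
        return False, f"signature did not verify ({st.fatal or 'no GOODSIG'})"
    if st.fingerprint is None:
        return False, "no VALIDSIG line, signing key cannot be identified"
    listed = keys_file_fingerprints(keys_text)
    if st.fingerprint not in listed and st.primary_fingerprint not in listed:
        return False, f"key {st.fingerprint} ({st.signer}) is not in KEYS"
    note = ("" if st.trust in ("TRUST_FULLY", "TRUST_ULTIMATE")
            else f"; gpg reports {st.trust}, confirm the KEYS entry out of band")
    return True, f"good signature from {st.signer}, key listed in KEYS{note}"


# Constructed samples: the two KEYS fingerprints are the ones quoted in the
# thread (keys 6850196C and 9522D0F3); dates, addresses, timestamps and the
# unlisted third key are made up for the demo.
KEYS_SAMPLE = """\
pub   4096R/6850196C 2017-01-01
      Key fingerprint = 11EA E1B3 F3D9 9D7F 897E 4601 91EE 4306 6850 196C
uid                  Jim Apple (CODE SIGNING KEY) <jim@example.invalid>
pub   rsa4096 2017-05-01 [SC]
      8B3E3FC670054F522421EEA98F3F86FA9522D0F3
uid           [ unknown] Taras Bobrovytsky (CODE SIGNING KEY) <taras@example.invalid>
"""
STATUS_LISTED_KEY = """\
[GNUPG:] GOODSIG 91EE43066850196C Jim Apple (CODE SIGNING KEY) <jim@example.invalid>
[GNUPG:] VALIDSIG 11EAE1B3F3D99D7F897E460191EE43066850196C 2017-01-07 1483815022 0 4 0 1 8 00 11EAE1B3F3D99D7F897E460191EE43066850196C
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_UNLISTED_KEY = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-08-27 1503884898 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_BAD = "[GNUPG:] BADSIG 91EE43066850196C Jim Apple (CODE SIGNING KEY) <jim@example.invalid>\n"

if __name__ == "__main__":
    for name, status in [("listed key", STATUS_LISTED_KEY),
                         ("unlisted key", STATUS_UNLISTED_KEY), ("bad sig", STATUS_BAD)]:
        ok, why = check_release(status, KEYS_SAMPLE)
        print(f"{name:12s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

To use it against a real candidate, feed `check_release` the stdout of `gpg --batch --status-fd 1 --verify apache-impala-incubating-2.10.0.tar.gz.asc apache-impala-incubating-2.10.0.tar.gz` together with the text of the project's KEYS file fetched from its distribution directory. The decision deliberately ignores gpg's TRUST_* line, so the trustdb can stay untouched; the residual assumption is that the KEYS file itself is authentic, which is why the accept message asks for an out-of-band fingerprint check when gpg's own trust level is below "full".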
