Thanks for notifying the list Tim. Looks like a serious bug and a release blocker.
Once you fix it in the master, can you please cherry-pick it to "branch-2.10.0", so that I can work on creating RC2.

On Mon, Aug 28, 2017 at 5:51 PM, Tim Armstrong <[email protected]> wrote:

> Matt Mulder just found a fairly nasty bug in RC1:
> https://issues.apache.org/jira/browse/IMPALA-5855 . It seems like we
> should probably generate a new RC once that is fixed.
>
> On Mon, Aug 28, 2017 at 11:46 AM, Bharath Vissapragada <[email protected]> wrote:
>
> > Thanks Todd for the quick help. I read more about it and I found this link
> > [1] interesting. So, looks like we need to grow our "web of trust" and one
> > way I think is to trust the keys of RMs in the KEYS file, especially given
> > they have write permission to the directory and could update that file. As
> > per the link I mentioned, this doesn't look like a standard Apache
> > practice, but I don't see any other way (please correct me if I'm wrong).
> >
> > [1] https://mirror-vm.apache.org/~henkp/trust/
> >
> > On Mon, Aug 28, 2017 at 11:14 AM, Todd Lipcon <[email protected]> wrote:
> >
> > > Hey Bharath,
> > >
> > > Take a look at https://www.apache.org/dev/release-signing.html#web-of-trust
> > > -- it has some info on the GPG "web of trust". Basically, you need
> > > to either directly trust Jim's key 6850196C, or you need to trust someone
> > > who trusts him, etc. If you haven't yourself signed or trusted anyone's
> > > keys, then no one's signature will be considered trusted for you.
> > >
> > > Typically projects also publish a KEYS file in their distribution
> > > directory which would be able to verify that the signing key at least
> > > matches the one that was uploaded via ASF infrastructure.
> > >
> > > -Todd
> > >
> > > On Mon, Aug 28, 2017 at 11:09 AM, Bharath Vissapragada <[email protected]> wrote:
> > >
> > >> + mentors
> > >>
> > >> Thanks for testing the release Matt. I ran into the same issue while
> > >> testing it myself. So I double checked older releases 2.9.0 and 2.8.0
> > >> and I saw the same behavior.
> > >>
> > >> gpg --verify apache-impala-incubating-2.9.0.tar.gz.asc apache-impala-incubating-2.9.0.tar.gz
> > >> gpg: Signature made Fri 02 Jun 2017 12:25:45 PM PDT using RSA key ID 9522D0F3
> > >> gpg: Good signature from "Taras Bobrovytsky (CODE SIGNING KEY) <[email protected]>"
> > >> gpg: WARNING: This key is not certified with a trusted signature!
> > >> gpg: There is no indication that the signature belongs to the owner.
> > >> Primary key fingerprint: 8B3E 3FC6 7005 4F52 2421 EEA9 8F3F 86FA 9522 D0F3
> > >>
> > >> gpg --verify apache-impala-incubating-2.8.0.tar.gz.asc apache-impala-incubating-2.8.0.tar.gz
> > >> gpg: Signature made Sat 07 Jan 2017 10:50:22 AM PST using RSA key ID 6850196C
> > >> gpg: Good signature from "Jim Apple (CODE SIGNING KEY) <[email protected]>"
> > >> gpg: WARNING: This key is not certified with a trusted signature!
> > >> gpg: There is no indication that the signature belongs to the owner.
> > >> Primary key fingerprint: 11EA E1B3 F3D9 9D7F 897E 4601 91EE 4306 6850 196C
> > >>
> > >> I tried to dig into it and this looks like a pretty common problem [1].
> > >> But, I'm not totally sure about the standard practices to make a key
> > >> trusted. Does anyone else in the community know what are the best
> > >> practices around this and how it works with other Apache projects?
> > >>
> > >> [1] https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
> > >>
> > >>
> > >> On Mon, Aug 28, 2017 at 10:26 AM, Matthew Jacobs <[email protected]> wrote:
> > >>
> > >>> Bharath, is your key set up correctly?
> > >>>
> > >>> Running the script on
> > >>> https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
> > >>> resulted in this warning indicating that your signature is not
> > >>> trusted:
> > >>>
> > >>> gpg: WARNING: This key is not certified with a trusted signature!
> > >>> gpg: There is no indication that the signature belongs to the owner.
> > >>>
> > >>> Maybe someone who has RM'd before can comment on this.
> > >>>
> > >>>
> > >>> ...
> > >>> gpg: key 6850196C: public key "Jim Apple (CODE SIGNING KEY) <[email protected]>" imported
> > >>> gpg: key 9522D0F3: public key "Taras Bobrovytsky (CODE SIGNING KEY) <[email protected]>" imported
> > >>> gpg: key 64DAB27C: public key "Bharath Vissapragada <[email protected]>" imported
> > >>> gpg: Total number processed: 3
> > >>> gpg: imported: 3 (RSA: 3)
> > >>> gpg: no ultimately trusted keys found
> > >>> + echo 'If in an interactive shell, At the prompt, enter '\''5'\'' for '\''I trust ultimately'\'', then '\''y'\'' for '\''yes'\'', then '\''q'\'' for '\''quit'\'''
> > >>> If in an interactive shell, At the prompt, enter '5' for 'I trust ultimately', then 'y' for 'yes', then 'q' for 'quit'
> > >>> + [[ ehuxB == *i* ]]
> > >>> + echo 'Download the release artifacts:'
> > >>> Download the release artifacts:
> > >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> > >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz
> > >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> > >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.asc
> > >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> > >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.md5
> > >>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> > >>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.sha512
> > >>> + echo 'Check the checksums:'
> > >>> Check the checksums:
> > >>> + md5sum --check apache-impala-incubating-2.10.0.tar.gz.md5
> > >>> apache-impala-incubating-2.10.0.tar.gz: OK
> > >>> + sha512sum --check apache-impala-incubating-2.10.0.tar.gz.sha512
> > >>> apache-impala-incubating-2.10.0.tar.gz: OK
> > >>> + echo 'Check the signature:'
> > >>> Check the signature:
> > >>> + gpg --verify apache-impala-incubating-2.10.0.tar.gz.asc apache-impala-incubating-2.10.0.tar.gz
> > >>> gpg: Signature made Sun 27 Aug 2017 06:48:18 PM PDT using RSA key ID 64DAB27C
> > >>> gpg: Good signature from "Bharath Vissapragada <[email protected]>"
> > >>> gpg: WARNING: This key is not certified with a trusted signature!
> > >>> gpg: There is no indication that the signature belongs to the owner.
> > >>>
> > >>> On Sun, Aug 27, 2017 at 10:32 PM, Bharath Vissapragada <[email protected]> wrote:
> > >>> > This is a vote to release Impala 2.10.0.
> > >>> >
> > >>> > - The artefacts for testing can be downloaded from
> > >>> > <https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/>.
> > >>> >
> > >>> > - The git tag for this release candidate is 2.10.0-rc1 and tree hash is
> > >>> > visible at
> > >>> > <https://git-wip-us.apache.org/repos/asf?p=incubator-impala.git;a=tree;hb=2a7c8b9011905bfeb21b0610f0739f9df9daacef>
> > >>> >
> > >>> > Please vote +1 or -1. -1 votes should be accompanied by an explanation of
> > >>> > the reason. Only PPMC members and mentors have binding votes, but other
> > >>> > community members are encouraged to cast non-binding votes. This vote will
> > >>> > pass if there are 3 binding +1 votes and more binding +1 votes than -1
> > >>> > votes.
> > >>> >
> > >>> > This wiki page describes how to check the release before you vote:
> > >>> > <https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate>
> > >>> >
> > >>> > The vote will be open until the end of Wednesday, August 30, Pacific time
> > >>> > zone (UTC-08:00).
> > >>> > Once the vote passes the Impala PPMC vote, it still must pass the incubator
> > >>> > PMC vote before a release is made.
> > >>>
> > >>
> > >
> > > --
> > > Todd Lipcon
> > > Software Engineer, Cloudera
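
An added example, not part of the thread and not the Impala project's release script: the "not certified with a trusted signature" warning quoted above is about key ownership, not signature validity, so one way to automate the check is to import the KEYS file into a throwaway keyring and compare the signer's primary fingerprint against a pinned set using gpg's machine-readable --status-fd output. The pinned set reuses the two fingerprints gpg printed in the thread; the function names and the sample status lines are constructed for illustration, and it is assumed the fingerprints were confirmed out of band.

```python
import subprocess
import tempfile

# Assumption: fingerprints confirmed out of band. These two are the
# "Primary key fingerprint" values gpg printed in the thread.
PINNED = {
    "8B3E3FC670054F522421EEA98F3F86FA9522D0F3",  # signer of 2.9.0
    "11EAE1B3F3D99D7F897E460191EE43066850196C",  # signer of 2.8.0
}
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_status(status_text, pinned=PINNED):
    """Decide from `gpg --status-fd` lines; returns (ok, reason)."""
    signers = []
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in FATAL:
            return False, f[1]
        if f[1] == "VALIDSIG" and len(f) >= 3:
            # The last VALIDSIG argument is the primary key fingerprint;
            # fall back to the signing key fingerprint if it is absent.
            signers.append((f[11] if len(f) >= 12 else f[2]).upper())
    if not signers:
        return False, "no VALIDSIG"
    unknown = [s for s in signers if s not in pinned]
    if unknown:
        return False, "unpinned key " + unknown[0]
    # TRUST_UNDEFINED (the WARNING in the thread) is deliberately ignored:
    # the pin, not the local trust database, establishes ownership here.
    return True, "pinned key " + signers[0]

def verify_release(sig_path, tarball_path, keys_path):
    """Import KEYS into a throwaway keyring, verify, then apply the pin."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--homedir", home, "--batch", "--quiet"]
        subprocess.run(gpg + ["--import", keys_path], check=True)
        res = subprocess.run(gpg + ["--status-fd", "1", "--verify", sig_path,
                                    tarball_path], capture_output=True, text=True)
        return check_status(res.stdout)

# Constructed status output modelled on the 2.8.0 case in the thread.
SAMPLE_280 = """[GNUPG:] GOODSIG 91EE43066850196C Jim Apple (CODE SIGNING KEY)
[GNUPG:] VALIDSIG 11EAE1B3F3D99D7F897E460191EE43066850196C 2017-01-07 1483815022 0 4 0 1 10 00 11EAE1B3F3D99D7F897E460191EE43066850196C
[GNUPG:] TRUST_UNDEFINED"""
# Constructed: the same good signature, but made by a key that is not pinned.
SAMPLE_UNPINNED = SAMPLE_280.replace("11EAE1B3F3D99D7F897E460191EE43066850196C", "A" * 40)
```

A "Good signature" from a key outside the pinned set is rejected, which is the case the web-of-trust warning cannot distinguish on a fresh keyring.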
