Hi,
> Xiangdong: But I wonder even all committers having signed PGP keys, how to > use that in the release verification stage? Hope these two links [1][2] helpful. From my understanding, checking signatures include two steps. The first step is to verify the connection of the file and the key. The second step is to verify the connection of the key and the real person. The second step is where the "trust path" comes into play - either I signed the key or someone I trusted signed the key. > Chris: Would be great if the web-of trust could be extended to IoTDB RMs ... +1. I realize I haven't performed the second step yet. [1] https://www.apache.org/info/verification.html#CheckingSignatures [2] https://gnupg.org/download/integrity_check.html Regards, Lei Rui On 6/23/2020 23:24,Xiangdong Huang<[email protected]> wrote: Hi Chris, I personally would be a little hesitant to do it remotely ;-) Well, I agree to doing that face to face in a physical meeting, but it is a little hard in the current COVID-19 situation... (so we can postpone that.) But I wonder even all committers having signed PGP keys, how to use that in the release verification stage? Best, ----------------------------------- Xiangdong Huang School of Software, Tsinghua University 黄向东 清华大学 软件学院 Christofer Dutz <[email protected]> 于2020年6月23日周二 下午11:14写道: Hi Xiangdong, well usually a key-signging is usually a physical meeting where you go with your passport to be 100% sure you're talking to the right person and signing the right person's key. I personally would be a little hesitant to do it remotely ;-) https://www.youtube.com/watch?v=dJJLqXVpVGY If you folks meet in person, there should be no problem. However it would only be useful, if there is some link to other Apache folks (Some of you have keys signed by other Apache folks) Chris Am 23.06.20, 17:04 schrieb "Xiangdong Huang" <[email protected]>: Hi all, Thank all of you to attend the vote (maybe this is the first time that we receive more than 15 votes). It is due to all of our mentors (and IPMCs) keep to appealing for more PPMCs joining it. It is also due to all active contributors in the community. By the way, I notice that Chris gives the advise (I know Chris just finished a milestone of PLC4x and then immediately began to verify IoTDB's release): Would be great if the web-of trust could be extended to IoTDB RMs ... As I know most of these guys, I can sign their pgp key, but how to use their pgp key in the releasing verification stage? Best, ----------------------------------- Xiangdong Huang School of Software, Tsinghua University 黄向东 清华大学 软件学院 Xiangdong Huang <[email protected]> 于2020年6月22日周一 下午4:30写道: Hi, We have received 3 PPMC votes. Will there be more PPMCs voting on this? Best, ----------------------------------- Xiangdong Huang School of Software, Tsinghua University 黄向东 清华大学 软件学院 Xiangdong Huang <[email protected]> 于2020年6月19日周五 下午9:40写道: Hi, The binary NOTICE is very likely to be missing content from other Apache licensed NOTICE files. Are there some more hints for this? Best, ----------------------------------- Xiangdong Huang School of Software, Tsinghua University 黄向东 清华大学 软件学院 Xiangdong Huang <[email protected]> 于2020年6月17日周三 下午8:08写道: Hi all, We can discuss the issue of releasing v0.10.0 RC4 here. This is the 4th release candidate of v0.10.0, I send the vote mail after a 6 hours cooling-off period after uploading the files to the dev SVN repo... I hope this RC has no issues anymore... Of course, if there is -1, I will release RC5 :) Best, ----------------------------------- Xiangdong Huang School of Software, Tsinghua University 黄向东 清华大学 软件学院
