I am going to vote +1 (binding) on this release. Although it does need to be signed I am comfortable with either Matt or myself signing it before it is uploaded as Davyd’s signing key isn’t going to be signed by anyone if he has never had a key before. One of us is going to have to publish this for him anyway.
Ralph > On Aug 2, 2020, at 12:31 PM, Matt Sicker <boa...@gmail.com> wrote: > > So far it looks good (though I'm not a .net developer, so I can't > speak from that side). There's one more thing we need from this to > make it a proper release. You'll need to add a GPG signature for the > artifacts as well. We'll need to import your signing key to > https://downloads.apache.org/logging/KEYS for users to verify the > release is genuine. Please email me a copy of your public key for that > so I can sign and add it to our KEYS file. This key should be an RSA > 4096-bit GPG key, and it should also be uploaded to a public keyserver > like https://sks-keyservers.net/ > > For signing the files, add a detached ascii signature file (.asc) for > the distributable files. As a bonus, you can also sign the git tag you > created with the same key, but that's not required. > > On Fri, 31 Jul 2020 at 01:28, Davyd McColl <dav...@gmail.com> wrote: >> >> Apologies if there's any confusion around sender address -- I've already >> fluffed this by sending from my work account (default in my mail client) >> >> -d >> >> On 2020/07/31 08:26:54, Davyd McColl <davyd.mcc...@codeo.co.za> wrote: >> Hi all, I've never done this before, so bear with me if I fluff it: >> >> This is a proposed vote to release log4net 2.0.9 from PR >> https://github.com/apache/logging-log4net/pull/61 >> >> Release artifacts (including source zip) are at: >> https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts >> Source can be checked out from >> https://github.com/fluffynuts/logging-log4net/logging-log4net, tag >> rel/2.0.9. I can't push tags to the upstream, but this tag is exactly the >> same commit as the last in the PR mentioned above, which was accepted into >> master a few days ago. >> >> Please check out the artifacts & if everyone is ok with what's there, please >> can someone with the rights to publish to nuget do so. >> >> Once I've seen how this process works, I'd like to tackle the CVE that has >> been brought up on this list more than once -- it's a simple change which >> was already committed to the develop branch some time ago, so there are a >> couple of options here: >> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only that >> change >> 2. trawl the develop branch to see what else was already solved in there, >> and get that out as 2.0.10, and perhaps close out that branch to avoid >> future confusion. >> >> Thanks for your time >> -d > > > > -- > Matt Sicker <boa...@gmail.com> >
