Hi all I'd appreciate any more +1's (thanks, Remko!). I'd like to get this out the door because it fixes confusing versioning on the released binaries (in particular, nuget consumers)
Thanks -d On 2020/09/20 22:33:49, Matt Sicker <boa...@gmail.com> wrote: I can use whatever. On Sun, 20 Sep 2020 at 15:26, Ralph Goers wrote: > > I don’t have google meet and I can’t use Skype since Microsoft hosed my > authentication. I have zoom. My company uses Amazon Chime, which is fairly > new, as part of our product offering. I’ve sent you both emails for a meeting > using that. > > Ralph > > > On Sep 20, 2020, at 1:01 PM, Matt Sicker wrote: > > > > I sent a Google Meet invite to you. > > > > On Sun, 20 Sep 2020 at 14:26, Davyd McColl wrote: > >> > >> I'm happy to be available at 8am my side, if that works for everyone else. > >> It sounds like earlier would be better, but I'm doing the morning school > >> run from 7am and can't guarantee I'll be back significantly before 8am. > >> > >> How to do this? I have zoom and slack on my work machine, can install > >> Skype if that's more convenient, can do google meet, I assume, though > >> haven't ever tried, so may need a bit of a crash intro. > >> > >> If posting meeting details to the mailing list is not on, feel free to > >> email me directly (: > >> > >> -d > >> > >> > >> On September 20, 2020 20:58:29 Ralph Goers wrote: > >> > >>> 8am in Durban South Africa is 11pm the night before in Phoenix AZ. > >>> However, I frequently am up until midnight so that could work. 5-5:30 pm > >>> is > >>> 7:30-8 am in Phoenix. I usually am not in front of my computer on a > >>> weekday > >>> until 8 am but on occasion I can do earlier. > >>> > >>> Ralph > >>> > >>>> On Sep 20, 2020, at 9:46 AM, Davyd McColl wrote: > >>>> > >>>> Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I fetch my > >>>> son from school) > >>>> > >>>> -d > >>>> > >>>> > >>>> On September 20, 2020 18:44:19 Matt Sicker wrote: > >>>> > >>>>> We’re not quite as strict as Debian for keys (though if you can find a > >>>>> Debian group locally, they’re great for key signing). The video call > >>>>> idea > >>>>> could work for exchanging keys. What times would you be available to do > >>>>> that? > >>>>> > >>>>> On Sun, Sep 20, 2020 at 03:09 Davyd McColl wrote: > >>>>> > >>>>>> Hi Ralph > >>>>>> > >>>>>> > >>>>>> > >>>>>> I think I miscommunicated: I'm not regenerating my signing key - just > >>>>>> the > >>>>>> > >>>>>> nuget API key for package upload. This forces me to log in in nuget.org > >>>>>> > >>>>>> which has 2fa and then I only use that key on the cli for the immediate > >>>>>> upload. > >>>>>> > >>>>>> > >>>>>> > >>>>>> My gpg key as at https://GitHub.com/fluffynuts.gpg is the same that I > >>>>>> used > >>>>>> > >>>>>> last time. > >>>>>> > >>>>>> > >>>>>> > >>>>>> -d > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> On September 20, 2020 09:01:36 Ralph Goers > >>>>>> wrote: > >>>>>> > >>>>>> > >>>>>> > >>>>>>> In the long run you don’t want to be regenerating your signing key for > >>>>>> > >>>>>>> every release. The point is that you would upload the key to a central > >>>>>> > >>>>>>> keystore and other people would sign it there. At ApacheCon we would > >>>>>> have a > >>>>>> > >>>>>>> key signing “party” where we recorded each others keys and then would > >>>>>> take > >>>>>> > >>>>>>> our list and update the central keystore. When people verify the key > >>>>>> they > >>>>>> > >>>>>>> can look at the keystore and see that it is signed by a number of > >>>>>> people, > >>>>>> > >>>>>>> who then have their keys by a number of people and so on so you are > >>>>>> > >>>>>>> building a web of trust. Sooner or later there will be someone in that > >>>>>> web > >>>>>> > >>>>>>> that you personally know and trust. > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> Ralph > >>>>>> > >>>>>>> > >>>>>> > >>>>>>>> On Sep 19, 2020, at 11:26 PM, Davyd McColl wrote: > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> Thanks Matt, I've updated the artifacts on GitHub to have detached > >>>>>> > >>>>>>>> signatures. I had previously also uploaded my key to > >>>>>>>> sks-keyservers.net, > >>>>>> > >>>>>> > >>>>>>>> but I've also uploaded to MIT, though search there always times out. > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> The document you've linked mentions face-to-face interactions to get > >>>>>>>> my > >>>>>> key > >>>>>> > >>>>>>>> into the official KEYS file. Not sure how many apache people are at > >>>>>>>> my > >>>>>> end > >>>>>> > >>>>>>>> of the world (Durban, South Africa), but I can do an online meeting > >>>>>>>> if > >>>>>> that > >>>>>> > >>>>>>>> helps. Last release, Ralph said I should sign, so I did. I'm new to > >>>>>> signing > >>>>>> > >>>>>>>> release artifacts - I've generally relied on authentication during > >>>>>> upload > >>>>>> > >>>>>>>> as verification of authenticity, with 2FA wherever possible (GitHub > >>>>>>>> and > >>>>>> > >>>>>>>> NPM; nuget survives with an apikey - but for the last 2 releases, > >>>>>>>> I've > >>>>>> > >>>>>>>> regenerated the key on each use and only supplied it on the cli at > >>>>>> upload, > >>>>>> > >>>>>>>> so as not to store it locally) > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> -d > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>> On September 19, 2020 22:23:41 Matt Sicker wrote: > >>>>>> > >>>>>>>> > >>>>>> > >>>>>>>>> Oh and there's a bit of an issue with the signed files: it looks > >>>>>>>>> like > >>>>>> > >>>>>>>>> you included _signed files_ rather than detached signatures. Thus, > >>>>>>>>> the > >>>>>> > >>>>>>>>> .asc files are only verifying themselves rather than the > >>>>>>>>> accompanying > >>>>>> > >>>>>>>>> file. > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> There's a --detached option in gpg for this (yeah, it's always had a > >>>>>> bad UI). > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker wrote: > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> The KEYS file [1] that's linked on the download page does not have > >>>>>> > >>>>>>>>>> your key in it. Neither does other KEYS file [2]. Check out [3] for > >>>>>> > >>>>>>>>>> more info. > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> [1]: https://downloads.apache.org/logging/log4net/KEYS > >>>>>> > >>>>>>>>>> [2]: https://downloads.apache.org/logging/KEYS > >>>>>> > >>>>>>>>>> [3]: https://infra.apache.org/release-signing.html#keys-policy > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl wrote: > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> Thanks Matt, I've done so. Hopefully that makes it easier to > >>>>>>>>>>> verify > >>>>>> > >>>>>>>>>>> artifacts that I have signed. > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> -d > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>> On September 18, 2020 23:11:48 Matt Sicker > >>>>>> wrote: > >>>>>> > >>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> If you upload your key to your GitHub profile, that also makes it > >>>>>> > >>>>>>>>>>>> simple to find. For example, just add ".gpg" to your profile URL: > >>>>>> > >>>>>>>>>>>> https://github.com/fluffynuts.gpg > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> On Fri, 18 Sep 2020 at 16:08, Remko Popma > >>>>>> wrote: > >>>>>> > >>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>> +1 remko > >>>>>> > >>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker > >>>>>> wrote: > >>>>>> > >>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>> How about your gpg key? I don't think we've imported that to > >>>>>> the KEYS > >>>>>> > >>>>>>>>>>>>>> file as far as I can tell? > >>>>>> > >>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 15:53, Matt Sicker > >>>>>> wrote: > >>>>>> > >>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>> Oh sorry, I didn't notice that you uploaded them there > >>>>>> (wasn't even > >>>>>> > >>>>>>>>>>>>>>> aware that it was possible to be honest). > >>>>>> > >>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 14:43, Davyd McColl > >>>>>> wrote: > >>>>>> > >>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>> Hi Matt > >>>>>> > >>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>> Release artifacts are available on the GitHub release page > >>>>>> > >>>>>>>>>>>>>>>> (https://GitHub.com/Apache/logging-log4net/releases) - > >>>>>> expand the > >>>>>> > >>>>>>>>>>>>>> assets > >>>>>> > >>>>>>>>>>>>>>>> list if it's collapsed. > >>>>>> > >>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>> I'll need someone to upload them to the downloads source > >>>>>> as I > >>>>>> > >>>>>>>>>> think I > >>>>>> > >>>>>>>>>>>>>> don't > >>>>>> > >>>>>>>>>>>>>>>> have access to do so (if I'm wrong, I'd love to be > >>>>>> corrected, > >>>>>> > >>>>>>>>>> because > >>>>>> > >>>>>>>>>>>>>> I'd > >>>>>> > >>>>>>>>>>>>>>>> be less of an annoyance then!). Ralph has stepped in to > >>>>>> help here in > >>>>>> > >>>>>>>>>>>>>> the past. > >>>>>> > >>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>> -d > >>>>>> > >>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>> On September 18, 2020 20:09:07 Matt Sicker < > >>>>>> boa...@gmail.com> wrote: > >>>>>> > >>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>> Do you have links to the release artifacts? The download > >>>>>> page > >>>>>> > >>>>>>>>>> links > >>>>>> > >>>>>>>>>>>>>> to > >>>>>> > >>>>>>>>>>>>>>>>> the live site which doesn't have the artifacts yet since > >>>>>> > >>>>>>>>>> they're not > >>>>>> > >>>>>>>>>>>>>>>>> released yet. :) > >>>>>> > >>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 09:05, Davyd McColl > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>> wrote: > >>>>>> > >>>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>>> Hi all > >>>>>> > >>>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>>> I have another potential release available: 2.0.11, > >>>>>> tagged as > >>>>>> > >>>>>>>>>>>>>> rc/2.0.11 > >>>>>> > >>>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>>> Changes are really minor: > >>>>>> > >>>>>>>>>>>>>>>>>> - fixed assembly versioning (all assemblies should > >>>>>> report > >>>>>> > >>>>>>>>>> 2.0.11.0 > >>>>>> > >>>>>>>>>>>>>> as their > >>>>>> > >>>>>>>>>>>>>>>>>> version now) > >>>>>> > >>>>>>>>>>>>>>>>>> - properly dispose of StreamWriters within logging > >>>>>> appenders > >>>>>> > >>>>>>>>>>>>>> (thanks to > >>>>>> > >>>>>>>>>>>>>>>>>> @NicholasNoise) > >>>>>> > >>>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>>> Binaries are up at > >>>>>> > >>>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>> https://github.com/apache/logging-log4net/releases/tag/rc%2F2.0.11 > >>>>>> > >>>>>>>>>>>>>> and I've > >>>>>> > >>>>>>>>>>>>>>>>>> pushed to asf-staging for logging, now up at > >>>>>> > >>>>>>>>>>>>>>>>>> > >>>>>> https://logging.staged.apache.org/log4net/download_log4net.html > >>>>>> > >>>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>>> Thanks > >>>>>> > >>>>>>>>>>>>>>>>>> -d > >>>>>> > >>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>>>> -- > >>>>>> > >>>>>>>>>>>>>>>>> Matt Sicker > >>>>>> > >>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>>> -- > >>>>>> > >>>>>>>>>>>>>>> Matt Sicker > >>>>>> > >>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>>>> -- > >>>>>> > >>>>>>>>>>>>>> Matt Sicker > >>>>>> > >>>>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> > >>>>>> > >>>>>>>>>>>> -- > >>>>>> > >>>>>>>>>>>> Matt Sicker > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> > >>>>>> > >>>>>>>>>> -- > >>>>>> > >>>>>>>>>> Matt Sicker > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> > >>>>>> > >>>>>>>>> -- > >>>>>> > >>>>>>>>> Matt Sicker > >>>>>> > >>>>>>> > >>>>>> > >>>>>>> > >>>>>> > >>>>>> -- > >>>>> Matt Sicker > >>> > >>> > > > > > > > > -- > > Matt Sicker > > > > -- Matt Sicker
