On Sun, Mar 11, 2018 at 8:20 PM, Emilian Bold <emilian.b...@protonmail.ch>
wrote:

> I can't find a document explaining what dist.apache.org is.
>

My understanding is that there is a staging area there ("dev") and a
release area ("release"). I guess we shouldn't be pointing at the staging
area except for release votes (and, actually, my understanding is that we
should remove the stuff from the staging area when the vote ends one way or
another, although we didn't do that yet for this release). One important
thing is that:
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.md5

is effectively 9.0 beta RC1, which didn't get released. The 9.0 beta
release is RC3:
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/

So the RC1 is different from the released package. Anyway, unless someone
else does it, I'll remove the bits from the staging area sometime soon.

Jan


>
> It seems to be the "staging area" for the binaries.
>
> My guess is that somebody fumbled a command from this huge list of steps
> https://cwiki.apache.org/confluence/display/NETBEANS/Apache+NetBeans+Release+README
>
> I don't believe we need to involve the security team until we dismiss a
> typo.
>
> --emi
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On 8 March 2018 11:57 PM, Antonio <anto...@vieiro.net> wrote:
>
> > Hi all,
> >
> > José Rodriguez from the users mailing list notes that the
> > "incubating-netbeans-java-9.0-beta-bin.zip" files from [1]
> > (dist.apache.org) and [2] (http://www-eu.apache.org) have different MD5
> > signatures.
> >
> > A quick review shows that the files are indeed different:
> >
> > "dist" zip file ([1]):
> >
> > -   File timestamps 2018 jan 10
> > -   No "licenses" directory
> > -   LICENSE file is 57kb
> >
> > "eu zip" file ([2]) also downloaded from the Apache mirror system:
> >
> > -   File timestamps 2018 feb 02
> > -   "licenses" directory
> > -   LICENSE file is 245,1 kb
> >
> > I think the one being distributed through the mirror system is the
> > proper one, isn't it? Also I thought that the file hosted at "dist" was
> > automatically distributed to mirrors, wasn't it?
> >
> > I don't think we should raise a ticket against Apache security, should we?
> >
> > Cheers,
> >
> > Antonio
> >
> > [1]
> > https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> >
> > [2]
> > http://www-eu.apache.org/dist/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> >
> > On 08/03/18 20:21, John McDonnell wrote:
> >
> >
> > > Apologies for the spam, cross posting to dev.
> > >
> > > @Antonio, do you know if the link on the website for NetBeans 9.0 Beta
> > > is correct?  Looking at this thread, the signature doesn't match the
> > > RC3.0 thread we voted on.  If we have a small typo we should try to
> > > catch this early in the NetCat phase.
> > >
> > > Regards
> > >
> > > John
> > >
> > > On 8 March 2018 at 07:47, John McDonnell <mcdonnell.j...@gmail.com> wrote:
> > >
> > >     Hi Leo,
> > >
> > >     I didn't import the keys, as I had previously done this step...
> > >
> > >     But I'm looking at a different file than you:
> > >     https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip (you)
> > >     https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip (me)
> > >
> > >     @Geertjan, the vote thread you referenced earlier, we voted on the
> > >     link I used - and got a good signature, so I think that's okay. But
> > >     the website points to a different URL (The one Leo checked).  I
> > >     suspect that the website is using the wrong URL, but before I jump
> > >     to that conclusion, just curious after the successful vote would you
> > >     have moved the artefact to the location on the website?
> > >
> > >     Regards
> > >
> > >     John
> > >
> > >
> > >     On 8 March 2018 at 01:50, Leo Donahue <donahu...@gmail.com> wrote:
> > >
> > >         Hi John,
> > >
> > >         I noticed that you didn't issue:  gpg --import KEYS
> > >
> > >         I tried again, using wget to download the binary zip file, same
> > >         result.  I have also tried different mirrors.  I guess I will
> > >         just build from source, I was just being lazy.
> > >
> > >         (The --list-keys command illustrates I don't already have the
> > >         KEYS file imported)
> > >
> > >         leo@vmw01:~$ gpg --list-keys
> > >         leo@vmw01:~$ wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> > >         --2018-03-07 18:40:53--  https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> > >         Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> > >         Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
> > >         HTTP request sent, awaiting response... 200 OK
> > >         Length: 7594 (7.4K) [text/plain]
> > >         Saving to: ‘KEYS’
> > >
> > >         KEYS  100%[=======================================================================>]   7.42K  --.-KB/s    in 0s
> > >
> > >         2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
> > >
> > >         leo@vmw01:~$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > >         --2018-03-07 18:41:11--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > >         Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> > >         Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
> > >         HTTP request sent, awaiting response... 200 OK
> > >         Length: 819 [text/plain]
> > >         Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
> > >
> > >         incubating-netbeans-java-9.0-beta-bin  100%[=======================================================================>]     819  --.-KB/s    in 0s
> > >
> > >         2018-03-07 18:41:11 (16.4 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ saved [819/819]
> > >
> > >         leo@vmw01:~$ wget http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> > >         --2018-03-07 18:41:41--  http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> > >         Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
> > >         Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80... connected.
> > >         HTTP request sent, awaiting response... 200 OK
> > >         Length: 167193685 (159M) [application/zip]
> > >         Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
> > >
> > >         incubating-netbeans-java-9.0-beta-bin  100%[=======================================================================>] 159.45M  8.14MB/s    in 31s
> > >
> > >         2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’ saved [167193685/167193685]
> > >
> > >         leo@vmw01:~$ gpg --import KEYS
> > >         gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" imported
> > >         gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" imported
> > >         gpg: Total number processed: 2
> > >         gpg:               imported: 2
> > >         leo@vmw01:~$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
> > >         gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> > >         gpg:                using RSA key B4C1940FEA9364F1
> > >         gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
> > >         leo@vmw01:~$
> > >
> > >
> > >         On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <mcdonnell.j...@gmail.com> wrote:
> > >
> > >             I got something slightly different...
> > >
> > >             I have a good signature when verifying the .asc file, but
> > >             when I do an md5 or sha1 check on the zip file I get
> > >             different results as to what's currently on the website:
> > >
> > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
> > >             --2018-03-07 23:48:01--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
> > >             Resolving dist.apache.org... 209.188.14.144
> > >             Connecting to dist.apache.org|209.188.14.144|:443... connected.
> > >             HTTP request sent, awaiting response... 200 OK
> > >             Length: 167193685 (159M) [application/octet-stream]
> > >             Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip'
> > >
> > >             incubating-netbeans-java-9.0-beta-bin.zip  100%[================================================================================================================>] 159.45M  2.61MB/s   in 57s
> > >
> > >             2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip' saved [167193685/167193685]
> > >
> > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > >             --2018-03-07 23:49:49--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > >             Resolving dist.apache.org... 209.188.14.144
> > >             Connecting to dist.apache.org|209.188.14.144|:443... connected.
> > >             HTTP request sent, awaiting response... 200 OK
> > >             Length: 833 [text/plain]
> > >             Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc'
> > >
> > >             incubating-netbeans-java-9.0-beta-bin.zip.asc  100%[================================================================================================================>]     833  --.-KB/s   in 0s
> > >
> > >             2018-03-07 23:49:49 (18.9 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip.asc' saved [833/833]
> > >
> > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
> > >             gpg: Signature made Sun  4 Feb 13:57:10 2018 GMT
> > >             gpg:                using RSA key 51B0E375B4941714A809F90E13E9F7AE3A4FD551
> > >             gpg: Good signature from "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" [unknown]
> > >             gpg: WARNING: This key is not certified with a trusted signature!
> > >             gpg:          There is no indication that the signature belongs to the owner.
> > >             Primary key fingerprint: 51B0 E375 B494 1714 A809  F90E 13E9 F7AE 3A4F D551
> > >
> > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 incubating-netbeans-java-9.0-beta-bin.zip
> > >             MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = 05d71d0e2a9360b3402c6068425773db
> > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum incubating-netbeans-java-9.0-beta-bin.zip
> > >             0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b  incubating-netbeans-java-9.0-beta-bin.zip
> > >
> > >             Regards
> > >
> > >             John
> > >
> > >             On 7 March 2018 at 23:12, Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:
> > >
> > >                 Would be good if someone would verify this -- when I
> > >                 look at the VOTE thread, the source signatures have been
> > >                 verified:
> > >
> > >                 https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E
> > >
> > >                 However, quite possibly the convenience binary signature
> > >                 has been checked -- since Apache releases source code
> > >                 and not binaries, which are optionally included for
> > >                 convenience only.
> > >
> > >                 Gj
> > >
> > >                 On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> wrote:
> > >
> > >                     Hi,
> > >
> > >                     Is this the right list for this question?
> > >
> > >                     I'm trying to verify the PGP ASC and KEY file but I
> > >                     get a bad signature message.
> > >
> > >                     I'm here:
> > >                     https://netbeans.apache.org/download/nb90/nb90-beta.html
> > >
> > >                     In Terminal:
> > >                     wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > >
> > >                     wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> > >
> > >                     pgp --import KEYS
> > >
> > >                     gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc Downloads/incubating-netbeans-java-9.0-beta-bin.zip
> > >
> > >
> > >                     output:
> > >
> > >                     gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> > >                     gpg:                using RSA key B4C1940FEA9364F1
> > >                     gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
> > >
> > >                     What did I forget to do?
> > >
> >
> > --
> >
> > To unsubscribe, e-mail: dev-unsubscr...@netbeans.incubator.apache.org
> >
> > For additional commands, e-mail: dev-h...@netbeans.incubator.apache.org
> >
> > For further information about the NetBeans mailing lists, visit:
> >
> > https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>
>
>
>
>
>
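
Added example, not part of the thread or of any NetBeans/Apache tooling: a Python sketch of the "quick review" Antonio describes, comparing two same-named archives by entry list, size, CRC and timestamp so that a hash or signature mismatch can be traced to a different build (here staged RC1 vs. released RC3). The entry names and scaled-down sizes are constructed sample data; only the two dates come from the thread.

```python
import hashlib
import io
import zipfile


def build_zip(entries):
    """Build an in-memory zip from {name: (date_time, data)} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (date_time, data) in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def manifest(zip_bytes):
    """Map each file entry to (size, crc32, date_time)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: (i.file_size, i.CRC, i.date_time)
                for i in zf.infolist() if not i.is_dir()}


def parent_dirs(names):
    """Directories that directly contain at least one file."""
    return {n.rsplit("/", 1)[0] for n in names if "/" in n}


def compare_artifacts(a_bytes, b_bytes):
    """Summarise how archive b differs from archive a."""
    a, b = manifest(a_bytes), manifest(b_bytes)
    # Content change = size or CRC differs; timestamps alone are not counted.
    changed = sorted(n for n in a.keys() & b.keys() if a[n][:2] != b[n][:2])
    return {
        "identical": hashlib.sha256(a_bytes).digest() == hashlib.sha256(b_bytes).digest(),
        "new_dirs": sorted(parent_dirs(b) - parent_dirs(a)),
        "removed_dirs": sorted(parent_dirs(a) - parent_dirs(b)),
        "changed": changed,
        "resized": {n: (a[n][0], b[n][0]) for n in changed if a[n][0] != b[n][0]},
        "newest": (max((v[2] for v in a.values()), default=None),
                   max((v[2] for v in b.values()), default=None)),
    }


# Constructed stand-ins for the two downloads; dates follow the thread.
JAN10, FEB02 = (2018, 1, 10, 12, 0, 0), (2018, 2, 2, 12, 0, 0)
LAUNCHER = b"#!/bin/sh\n"
STAGED = build_zip({
    "netbeans/LICENSE": (JAN10, b"x" * 570),
    "netbeans/bin/netbeans": (JAN10, LAUNCHER),
})
RELEASED = build_zip({
    "netbeans/LICENSE": (FEB02, b"x" * 2451),
    "netbeans/bin/netbeans": (FEB02, LAUNCHER),
    "netbeans/licenses/Apache-2.0.txt": (FEB02, b"license text"),
})
REPORT = compare_artifacts(STAGED, RELEASED)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

A report like this only explains a mismatch; the decision to trust an artifact still rests on verifying the signature fetched from the same release directory as the file.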
