So the website should be updated and the netcat program notified to use the
correct download.

I can send out the netcat notification in an hour or so (travelling at the
moment) if needed but I don't have the website checked out yet to update
that.

John

On 11 Mar 2018 19:52, "Jan Lahoda" <lah...@gmail.com> wrote:

> On Sun, Mar 11, 2018 at 8:20 PM, Emilian Bold <emilian.b...@protonmail.ch>
> wrote:
>
> > I can't find a document explaining what dist.apache.org is.
> >
>
> My understanding is that there is a staging area there ("dev") and a
> release area ("release"). I guess we shouldn't be pointing at the staging
> area except for release votes (and, actually, my understanding is that we
> should remove the stuff from the staging area when the vote ends one way or
> another, although we didn't do that yet for this release). One important
> thing is that:
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.md5
>
> Is effectively 9.0 beta RC1, which didn't get released. The 9.0 beta
> release is RC3:
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/
>
> So the RC1 is different from the released package. Anyway, unless someone
> else does it, I'll remove the bits from the staging area sometime soon.
>
> Jan
>
>
> >
> > It seems to be the "staging area" for the binaries.
> >
> > My guess is that somebody fumbled a command from this huge list of steps
> > https://cwiki.apache.org/confluence/display/NETBEANS/Apache+NetBeans+Release+README
> >
> > I don't believe we need to involve the security team until we dismiss a
> > typo.
> >
> > --emi
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > On 8 March 2018 11:57 PM, Antonio <anto...@vieiro.net> wrote:
> >
> > > Hi all,
> > >
> > > José Rodriguez from the users mailing list notes that the
> > > "incubating-netbeans-java-9.0-beta-bin.zip" files from [1]
> > > (dist.apache.org) and [2] (http://www-eu.apache.org) have different MD5
> > > signatures.
> > >
> > > A quick review shows that the files are indeed different:
> > >
> > > "dist" zip file ([1]):
> > >
> > > -   File timestamps 2018 jan 10
> > > -   No "licenses" directory
> > > -   LICENSE file is 57kb
> > >
> > > "eu zip" file ([2]) also downloaded from the Apache mirror system:
> > >
> > > -   File timestamps 2018 feb 02
> > > -   "licenses" directory
> > > -   LICENSE file is 245,1 kb
> > >
> > > I think the one being distributed through the mirror system is the
> > > proper one, isn't it? Also I thought that the file hosted at "dist" was
> > > automatically distributed to mirrors, wasn't it?
> > >
> > > I don't think we should raise a ticket against Apache security, should we?
> > >
> > > Cheers,
> > >
> > > Antonio
> > >
> > > [1] https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> > >
> > > [2] http://www-eu.apache.org/dist/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> > >
> > >     On 08/03/18 20:21, John McDonnell wrote:
> > >
> > >
> > > > Apologies for the spam, cross posting to dev.
> > > >
> > > > @Antonio, do you know if the link on the website for NetBeans 9.0 Beta
> > > > is correct?  Looking at this thread, the signature doesn't match the
> > > > RC3.0 thread we voted on.  If we have a small typo we should try to
> > > > catch this early in the NetCat phase.
> > > >
> > > > Regards
> > > >
> > > > John
> > > >
> > > > On 8 March 2018 at 07:47, John McDonnell <mcdonnell.j...@gmail.com> wrote:
> > > >
> > > >     Hi Leo,
> > > >
> > > >     I didn't import the keys, as I had previously done this step...
> > > >
> > > >     But I'm looking at a different file than you:
> > > >     https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip (you)
> > > >     https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip (me)
> > > >
> > > >     @Geertjan, the vote thread you referenced earlier, we voted on the
> > > >     link I used - and got a good signature, so I think that's okay.  But
> > > >     the website points to a different URL (The one Leo checked).  I
> > > >     suspect that the website is using the wrong URL, but before I jump
> > > >     to that conclusion, just curious after the successful vote would you
> > > >     have moved the artefact to the location on the website?
> > > >
> > > >     Regards
> > > >
> > > >     John
> > > >
> > > >
> > > >     On 8 March 2018 at 01:50, Leo Donahue <donahu...@gmail.com> wrote:
> > > >
> > > >         Hi John,
> > > >
> > > >         I noticed that you didn't issue:  gpg --import KEYS
> > > >
> > > >         I tried again, using wget to download the binary zip file, same
> > > >         result.  I have also tried different mirrors.  I guess I will
> > > >         just build from source, I was just being lazy.
> > > >
> > > >         (The --list-keys command illustrates I don't already have the
> > > >         KEYS file imported)
> > > >
> > > >         leo@vmw01:~$ *gpg --list-keys*
> > > >         leo@vmw01:~$ *wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS*
> > > >         --2018-03-07 18:40:53--  https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> > > >         Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> > > >         Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
> > > >         HTTP request sent, awaiting response... 200 OK
> > > >         Length: 7594 (7.4K) [text/plain]
> > > >         Saving to: ‘KEYS’
> > > >
> > > >         KEYS  100%[=======================================================================>]  7.42K  --.-KB/s    in 0s
> > > >
> > > >         2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
> > > >
> > > >         leo@vmw01:~$ *wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc*
> > > >         --2018-03-07 18:41:11--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > > >         Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> > > >         Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
> > > >         HTTP request sent, awaiting response... 200 OK
> > > >         Length: 819 [text/plain]
> > > >         Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
> > > >
> > > >         incubating-netbeans-java-9.0-beta-bin  100%[=======================================================================>]  819  --.-KB/s    in 0s
> > > >
> > > >         2018-03-07 18:41:11 (16.4 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ saved [819/819]
> > > >
> > > >         leo@vmw01:~$ *wget http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip*
> > > >         --2018-03-07 18:41:41--  http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> > > >         Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
> > > >         Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80... connected.
> > > >         HTTP request sent, awaiting response... 200 OK
> > > >         Length: 167193685 (159M) [application/zip]
> > > >         Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
> > > >
> > > >         incubating-netbeans-java-9.0-beta-bin  100%[=======================================================================>]  159.45M  8.14MB/s    in 31s
> > > >
> > > >         2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’ saved [167193685/167193685]
> > > >
> > > >         leo@vmw01:~$ *gpg --import KEYS*
> > > >         gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" imported
> > > >         gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" imported
> > > >         gpg: Total number processed: 2
> > > >         gpg:               imported: 2
> > > >         leo@vmw01:~$ *gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip*
> > > >         gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> > > >         gpg:                using RSA key B4C1940FEA9364F1
> > > >         gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
> > > >         leo@vmw01:~$
> > > >
> > > >
> > > >         On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <mcdonnell.j...@gmail.com> wrote:
> > > >
> > > >             I got something slightly different...
> > > >
> > > >             I have a good signature when verifying the .asc file, but
> > > >             when I do an md5 or sha1 check on the zip file I get
> > > >             different results as to what's currently on the website:
> > > >
> > > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
> > > >             --2018-03-07 23:48:01--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
> > > >             Resolving dist.apache.org... 209.188.14.144
> > > >             Connecting to dist.apache.org|209.188.14.144|:443... connected.
> > > >             HTTP request sent, awaiting response... 200 OK
> > > >             Length: 167193685 (159M) [application/octet-stream]
> > > >             Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip'
> > > >
> > > >             incubating-netbeans-java-9.0-beta-bin.zip  100%[================================================================================================================>]  159.45M  2.61MB/s   in 57s
> > > >
> > > >             2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip' saved [167193685/167193685]
> > > >
> > > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > > >             --2018-03-07 23:49:49--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > > >             Resolving dist.apache.org... 209.188.14.144
> > > >             Connecting to dist.apache.org|209.188.14.144|:443... connected.
> > > >             HTTP request sent, awaiting response... 200 OK
> > > >             Length: 833 [text/plain]
> > > >             Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc'
> > > >
> > > >             incubating-netbeans-java-9.0-beta-bin.zip.asc  100%[================================================================================================================>]  833  --.-KB/s   in 0s
> > > >
> > > >             2018-03-07 23:49:49 (18.9 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip.asc' saved [833/833]
> > > >
> > > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
> > > >             gpg: Signature made Sun  4 Feb 13:57:10 2018 GMT
> > > >             gpg:                using RSA key 51B0E375B4941714A809F90E13E9F7AE3A4FD551
> > > >             gpg: Good signature from "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" [unknown]
> > > >             gpg: WARNING: This key is not certified with a trusted signature!
> > > >             gpg:          There is no indication that the signature belongs to the owner.
> > > >             Primary key fingerprint: 51B0 E375 B494 1714 A809  F90E 13E9 F7AE 3A4F D551
> > > >
> > > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 incubating-netbeans-java-9.0-beta-bin.zip
> > > >             MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = 05d71d0e2a9360b3402c6068425773db
> > > >             Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum incubating-netbeans-java-9.0-beta-bin.zip
> > > >             0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b  incubating-netbeans-java-9.0-beta-bin.zip
> > > >
> > > >             Regards
> > > >
> > > >             John
> > > >
> > > >             On 7 March 2018 at 23:12, Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:
> > > >
> > > >                 Would be good if someone would verify this -- when I
> > > >                 look at the VOTE thread, the source signatures have been
> > > >                 verified:
> > > >
> > > >                 https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E
> > > >
> > > >                 However, quite possibly the convenience binary signature
> > > >                 has been checked -- since Apache releases source code
> > > >                 and not binaries, which are optionally included for
> > > >                 convenience only.
> > > >
> > > >                 Gj
> > > >
> > > >                 On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> wrote:
> > > >
> > > >                     Hi,
> > > >
> > > >                     Is this the right list for this question?
> > > >
> > > >                     I'm trying to verify the PGP ASC and KEY file but I
> > > >                     get a bad signature message.
> > > >
> > > >                     I'm here:
> > > >                     https://netbeans.apache.org/download/nb90/nb90-beta.html
> > > >
> > > >                     In Terminal:
> > > >                     wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> > > >
> > > >                     wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> > > >
> > > >                     pgp --import KEYS
> > > >
> > > >                     gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc Downloads/incubating-netbeans-java-9.0-beta-bin.zip
> > > >
> > > >
> > > >                     output:
> > > >
> > > >                     gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> > > >                     gpg:                using RSA key B4C1940FEA9364F1
> > > >                     gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
> > > >
> > > >                     What did I forget to do?
> > > >
> > >
> > > --
> > > To unsubscribe, e-mail: dev-unsubscr...@netbeans.incubator.apache.org
> > > For additional commands, e-mail: dev-help@netbeans.incubator.apache.org
> > > For further information about the NetBeans mailing lists, visit:
> > > https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>
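
The archive comparison Antonio describes in the thread (entry timestamps, the "licenses" directory, the LICENSE size), as an added example that is not part of the original messages: a Python script that reports how two same-named zip files differ once their checksums disagree. The two in-memory archives, their entry names and their byte sizes are constructed stand-ins for the staging and mirror downloads.

```python
import hashlib
import io
import zipfile


def build_zip(entries):
    """Build an in-memory zip from {name: (date_time, payload)}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (date_time, payload) in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), payload)
    return buf.getvalue()


def summarize(data):
    """Digest of the whole archive plus per-entry sizes and the newest entry date."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sizes": {i.filename: i.file_size for i in infos},
        "newest": max(i.date_time[:3] for i in infos),
    }


def compare(a, b):
    """Explain how two same-named archives differ, beyond 'the checksums do not match'."""
    sa, sb = summarize(a), summarize(b)
    names_a, names_b = set(sa["sizes"]), set(sb["sizes"])
    return {
        "identical": sa["sha256"] == sb["sha256"],
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "size_changed": {n: (sa["sizes"][n], sb["sizes"][n])
                         for n in sorted(names_a & names_b)
                         if sa["sizes"][n] != sb["sizes"][n]},
        "newest": (sa["newest"], sb["newest"]),
    }


# Constructed stand-ins: same file name, different builds (dates and sizes echo the report).
STAGING = build_zip({
    "netbeans/LICENSE": ((2018, 1, 10, 15, 41, 30), b"x" * 57_000),
    "netbeans/bin/netbeans": ((2018, 1, 10, 15, 41, 30), b"#!/bin/sh\n"),
})
MIRROR = build_zip({
    "netbeans/LICENSE": ((2018, 2, 2, 12, 0, 0), b"x" * 245_100),
    "netbeans/bin/netbeans": ((2018, 2, 2, 12, 0, 0), b"#!/bin/sh\n"),
    "netbeans/licenses/example-license.txt": ((2018, 2, 2, 12, 0, 0), b"placeholder\n"),
})

if __name__ == "__main__":
    for key, value in compare(STAGING, MIRROR).items():
        print(f"{key}: {value}")
```

For real downloads, pass the bytes of each file to `compare`; the report only describes the difference and does not replace `gpg --verify` against the artifact that was voted on.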
