> On Nov 5, 2018, at 7:09 AM, Keith N. McKenna <keith.mcke...@comcast.net> 
> wrote:
> 
>> On 11/5/2018 1:41 AM, Peter kovacs wrote:
>> Source signing will be done tonight.
>> Thanks Andrea for the detailed line-up.
>> Also I hope all requirements are met in the second mail.
>> However there seems to be a misunderstanding on Keith's side. It is not required to
>> vote all test marks.
>> It is required to fill in general and then what OS version you have tested
>> and if you have tested from source or not.
>> Simone state in order to create a binding vote it has to be tested from
>> source.
>> We need 3 of those.
>> Also we should have an overview which binaries have been reviewed.
> Peter;
> Below are the statements from your second vote thread that had me confused:
>> In order to create a binding vote individuals are REQUIRED to
>> 
>>    * download all signed _source code_ packages onto their own hardware,
>> 
>>    * verify that they meet all requirements of ASF policy on releases
>>    as described below,
>> 
>>    * validate all cryptographic signatures,
>> 
>>    * compile as provided, and test the result on their own platform.
>> 
>> In order to create a normal vote individuals are REQUIRED to
>> 
>>    * download all signed _binary_ packages onto their own hardware,
>> 
>>    * verify that they meet all requirements of ASF policy on releases
>>    as described below,
>> 
>>    * validate all cryptographic signatures,
>> 
>>    * compile as provided, and test the result on their own platform.
>> 
>> 
> Looking at the above through the lens of a newcomer to the project
> wanting to participate in their first vote, the description of the
> requirements of a normal vote, as opposed to the binding vote described
> above it, requires that I download and compile the source.
> If that was not the intention you meant to convey I truly apologize. The
> description of the 2 types of possible votes does create confusion in
> the mind of at least this one individual.

I am confused too. Since I’ve never been able to build 4.1.x on my MacOS (I 
could build 3.4) I guess I can’t make a binding vote and won’t do so.

My practice had been to validate the source release and test the Mac releases. 
To me that was enough.

Good luck.

Regards,
Dave


> 
> Regards
> Keith
> 
> 
>> That is all.
>> All the best
>> Peter
>> 
>> On 5 November 2018 00:22:33 CET, Matthias Seidel
>> <matthias.sei...@hamburg.de> wrote:
>>> Hi Andrea,
>>> 
>>>> On 05.11.18 at 00:07, Andrea Pescetti wrote:
>>>>> On 31/10/2018 Marcus wrote:
>>>>> To make it an official vote I miss the following information:
>>>>> - What exactly do we vote for (link to the source and binaries)?
>>>> 
>>>> Yes please, let's try to be reasonably serious about releases: due to
>>>> legal implications (among other things), there are some formalities
>>>> that are required; nothing more than what we did for any other Release
>>>> Candidate in history.
>>>> 
>>>> I assume we are voting on (this is the only 4.1.6-RC1 available, but
>>>> it needs to be recorded in the vote discussion!)
>>>> https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/
>>>> 
>>>>> - What is the time for the vote? Please more than just the normal 72
>>>>> hours so that we all can use a weekend for more testing.
>>>> 
>>>> Elsewhere Peter mentioned until Wednesday 7 November but again this
>>>> should be in the vote thread (so, here).
>>>> 
>>>> And most important: the Release Manager (Peter) must sign the source
>>>> files. I've just spent a lot of time trying to make sense of various
>>>> ways to have multiple signatures in one file, concluding that it is
>>>> easy to do that for a binary signature, but it is a hack to do so for
>>>> the ASCII-armored signatures we use.
>>>> 
>>>> So, in short, Peter as the Release Manager should rectify things by:
>>>> 
>>>> 1) Confirming that the URL and deadline above are correct
>>>> 
>>>> 2) Replace, before the vote ends, current signatures with only his
>>>> signature as follows:
>>>> 
>>>> $ svn checkout https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/source
>>>> $ cd source
>>>> $ rm *.asc
>>>> $ gpg -a -b --digest-algo=SHA512 *.bz2
>>>> $ gpg -a -b --digest-algo=SHA512 *.gz
>>>> $ gpg -a -b --digest-algo=SHA512 *.zip
>>>> $ svn commit
>>>> 
>>>> About this second item, I see that Matthias concatenated his signature
>>>> to Jim's one: this is possible for the binary format but GPG will
>>>> complain if this is done for the ASCII format, and as you can see by
>>>> searching the net there is no clean way to do it. I checked back in
>>>> version 4.1.2 (that was signed by Juergen and me) and I found out that
>>>> I had simply replaced Juergen's signature with mine in that case (I
>>>> was the Release Manager for 4.1.2). We can do the same this time.
>>> 
>>> I found double signatures in 4.1.3:
>>> https://archive.apache.org/dist/openoffice/4.1.3/source/apache-openoffice-4.1.3-r1761381-src.zip.asc
>>> 
>>> But yes, GPG complains about it and will only verify the first. So
>>> Peter's signature should be the only one...
>>> 
>>> (Of course he could also use our hash-sign.sh, which is fixed now for
>>> SHA512).
>>> 
>>> Regards,
>>> 
>>>    Matthias
>>> 
>>>> 
>>>> Regards,
>>>>   Andrea.
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>>>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>>>> 
> 
> 
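
The single-signature rule discussed in the quoted thread (GPG complains about concatenated ASCII-armored signatures and verifies only the first), as an added example that is not part of the original messages or the project's own scripts: a shell check that every source archive has a `.asc` holding exactly one armored block. The function names and the `VERIFY` variable are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit detached ASCII-armored signatures in a release
# directory before voting. Usage (after sourcing): audit_release_sigs source/

# Print the number of armored signature blocks contained in file $1.
count_armored_sigs() {
    # grep -c exits 1 on a count of 0; "|| true" keeps callers under set -e alive
    grep -c '^-----BEGIN PGP SIGNATURE-----' "$1" || true
}

# Print one status line per source archive in directory $1. Return 1 if any
# archive lacks its .asc, or if the .asc does not hold exactly one block.
# With VERIFY=1 in the environment, also run gpg --verify on each good pair.
audit_release_sigs() {
    dir=$1
    rc=0
    for archive in "$dir"/*.bz2 "$dir"/*.gz "$dir"/*.zip; do
        [ -f "$archive" ] || continue    # an unmatched glob stays literal
        asc="$archive.asc"
        if [ ! -f "$asc" ]; then
            echo "MISSING  $asc"
            rc=1
            continue
        fi
        n=$(count_armored_sigs "$asc")
        if [ "$n" -ne 1 ]; then
            # Per the thread: only the first concatenated block gets verified.
            echo "MULTIPLE $asc ($n signature blocks)"
            rc=1
            continue
        fi
        echo "OK       $asc"
        if [ "${VERIFY:-0}" = 1 ]; then
            gpg --verify "$asc" "$archive" || rc=1
        fi
    done
    return $rc
}
```

Running it with `VERIFY=1` requires the signer's public key to be in the local keyring already.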

