On Mon, Apr 29, 2019 at 12:48 PM Zoltan Ivanfi <[email protected]> wrote: > > Hi, > > An excerpt from > https://www.apache.org/dev/release-signing#verifying-signature : "A > signature is valid, if gpg verifies the .asc as a good signature, and > doesn't complain about expired or revoked keys." Another excerpt from > https://www.apache.org/dev/release-signing#check-integrity that > reinforces that signing each other's keys is optional: "If you are > connected to the Apache web of trust then this also offers superior > security." > > That being said I support signing each other's keys. Of course, you > will still need one key somewhere along the signing chain that you > trust. I see that a few PMC members have signed keys, how should we > approach this task? The HOWTO suggests public conferences and key > signing parties, but I hope there is a way to do that remotely. Would > members who are already in the web of trust feel comfortable signing > our keys based the on the following? > > - Our keys have been committed to the central KEYS file using our > apache credentials. > - We could personally confirm this in the next Parquet sync. > - We could even read the key ID-s out loud if needed. >
In person is best (if it is a person whose identity you are sure of), for people I know personally what I've done to sign their key remotely is have them write down the PGP fingerprint and show the paper to me in a photograph of themselves or in a video call. I don't know whether this is a good security practice but it seems better than doing things over e-mail =) - Wes > Br, > > Zoltan > > > On Mon, Apr 29, 2019 at 7:11 PM Zoltan Ivanfi <[email protected]> wrote: > > > > Hi Wes, > > > > Gabor's key is in the KEYS file available at > > https://dist.apache.org/repos/dist/dev/parquet/KEYS Others may correct me > > if I'm mistaken, but as far as I know, this is all that is required. I > > mentioned this in the verification steps as well ("4. Verify the signature > > by running `gpg --verify apache-parquet-1.11.0.tar.gz.asc`. It should say > > "Good signature", the warning about the key not being trusted can be > > ignored"). My signing key is also unsigned, because instead of signing each > > other's keys we depend on the fact that only privileged users can put their > > key into the central KEYS file. > > > > Br, > > > > Zoltan > > > > On Mon, Apr 29, 2019 at 6:46 PM Wes McKinney <[email protected]> wrote: > >> > >> -1 > >> > >> Gabor's PGP key is unsigned. > >> > >> $ gpg --verify apache-parquet-1.11.0.tar.gz.asc > >> gpg: assuming signed data in 'apache-parquet-1.11.0.tar.gz' > >> gpg: Signature made Tue 19 Mar 2019 08:55:48 AM CDT > >> gpg: using RSA key 6FB82970311551C7CEF131F5021057DBF048F543 > >> gpg: Good signature from "Gabor Szadovszky <[email protected]>" [unknown] > >> gpg: WARNING: This key is not certified with a trusted signature! > >> gpg: There is no indication that the signature belongs to the > >> owner. > >> Primary key fingerprint: 6FB8 2970 3115 51C7 CEF1 31F5 0210 57DB F048 F543 > >> > >> On Tue, Apr 16, 2019 at 4:10 AM Gabor Szadovszky <[email protected]> wrote: > >> > > >> > Based on our release process ( > >> > http://parquet.apache.org/documentation/how-to-release/) and the related > >> > scripts we use the final tag for an RC. So, the existence of this tag > >> > does > >> > not mean 1.11.0 is released. > >> > However, I agree this is misleading and not a good practice to remove > >> > already committed tags and re-add them to another place (when a new RC > >> > comes out). I think, we should update our release process to use RC tags > >> > and put the final tag only after it is officially released. But it is the > >> > story of the next release... > >> > > >> > > >> > On Sat, Apr 13, 2019 at 8:00 PM 俊杰陈 <[email protected]> wrote: > >> > > >> > > From the github release page, I see the 1.11.0 already released. Is it > >> > > still a rc version? > >> > > https://github.com/apache/parquet-mr/releases/tag/apache-parquet-1.11.0 > >> > > > >> > > On Fri, Apr 12, 2019 at 8:10 AM Ryan Blue <[email protected]> > >> > > wrote: > >> > > > >> > > > Personally, I haven't had enough time to devote to Parquet lately and > >> > > that > >> > > > means I haven't validated that this release's new features are okay > >> > > > to > >> > > > release. I'm hoping sometime in the next few weeks I'll be able to > >> > > > vote > >> > > on > >> > > > this. > >> > > > > >> > > > On Thu, Apr 11, 2019 at 1:23 PM Andy Grove <[email protected]> > >> > > > wrote: > >> > > > > >> > > > > I'm curious if there is any update on this vote? The thread seems > >> > > eerily > >> > > > > quiet. > >> > > > > > >> > > > > Thanks. > >> > > > > > >> > > > > On 4/3/19, 10:38 AM, "Andy Grove" <[email protected]> wrote: > >> > > > > > >> > > > > CAUTION – UNVERIFIED EXTERNAL EMAIL > >> > > > > > >> > > > > > >> > > > > I have been able to run mvn verify and have also tested this RC > >> > > > > against our internal systems, with no issue. > >> > > > > > >> > > > > +1 (non-binding) > >> > > > > > >> > > > > I have raised the issue about Hadoop-lzo, but that is present > >> > > > > in > >> > > the > >> > > > > 1.10.1 release also. > >> > > > > > >> > > > > Andy. > >> > > > > > >> > > > > > >> > > > > On 3/20/19, 7:50 AM, "Zoltan Ivanfi" > >> > > > > <[email protected]> > >> > > > wrote: > >> > > > > > >> > > > > CAUTION – UNVERIFIED EXTERNAL EMAIL > >> > > > > > >> > > > > > >> > > > > +1 (binding) > >> > > > > > >> > > > > signature matches > >> > > > > git hash matches the git tag > >> > > > > source tarball matches the git tag > >> > > > > unit tests and integration tests pass > >> > > > > > >> > > > > On Tue, Mar 19, 2019 at 3:00 PM Gabor Szadovszky < > >> > > > [email protected]> > >> > > > > wrote: > >> > > > > > >> > > > > > Dear Parquet Users and Developers, > >> > > > > > > >> > > > > > I propose the following RC to be released as the official > >> > > > Apache > >> > > > > > Parquet 1.11.0 release: > >> > > > > > > >> > > > > > The commit id is 9756b0e2b35437a09716707a81e2ac0c187112ed > >> > > > > > * This corresponds to the tag: apache-parquet-1.11.0 > >> > > > > > * > >> > > > > > > >> > > > > > > >> > > > > > >> > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fparquet-mr%2Ftree%2F9756b0e2b35437a09716707a81e2ac0c187112ed&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342858310&sdata=v6kHzIIpJQp%2Fq7fuR%2ByHVwGV7vZ7lUKupyqKZwmQeFI%3D&reserved=0 > >> > > > > > > >> > > > > > The release tarball, signature, and checksums are here: > >> > > > > > * > >> > > > > > > >> > > > > > >> > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fparquet%2Fapache-parquet-1.11.0-rc6%2F&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342858310&sdata=RVlztCju4ZoZz5vnF8f5RxE7kPmZoKMj3Ipo4x0Aj4k%3D&reserved=0 > >> > > > > > > >> > > > > > You can find the KEYS file here: > >> > > > > > * > >> > > > > > >> > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fparquet%2FKEYS&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342858310&sdata=8xPAIJ4EkJPXXxZ2hTH%2BuJOtCOrCspYXkjsl%2B44Jb20%3D&reserved=0 > >> > > > > > > >> > > > > > Binary artifacts are staged in Nexus here: > >> > > > > > * > >> > > > > > > >> > > > > > > >> > > > > > >> > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Frepository.apache.org%2Fcontent%2Fgroups%2Fstaging%2Forg%2Fapache%2Fparquet%2Fparquet%2F1.11.0%2F&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342868310&sdata=%2FIW9qYFnwvuL7QgkrYxX%2BZWJ1fcaZz%2Bq1tRJWKfQERU%3D&reserved=0 > >> > > > > > > >> > > > > > This release includes the following new features: > >> > > > > > - PARQUET-1201 - Column indexes > >> > > > > > - PARQUET-1253 - Support for new logical type > >> > > > > representation > >> > > > > > - PARQUET-1381 - Add merge blocks command to > >> > > > > parquet-tools > >> > > > > > - PARQUET-1388 - Nanosecond precision time and timestamp > >> > > > > - > >> > > > > parquet-mr > >> > > > > > > >> > > > > > The release also includes bug fixes, including: > >> > > > > > - PARQUET-1472: Dictionary filter fails on > >> > > > FIXED_LEN_BYTE_ARRAY. > >> > > > > > - PARQUET-1510: Fix notEq for optional columns with null > >> > > > values. > >> > > > > > - PARQUET-1533: TestSnappy() throws OOM exception with > >> > > > > Parquet-1485 change > >> > > > > > - PARQUET-1531: Page row count limit causes empty pages > >> > > > > to be > >> > > > > written from > >> > > > > > MessageColumnIO > >> > > > > > - PARQUET-1544: Possible over-shading of modules > >> > > > > > > >> > > > > > The following change has been reverted so it is not part > >> > > > > of > >> > > any > >> > > > > public > >> > > > > > release: > >> > > > > > - PARQUET-1381: Add merge blocks command to parquet-tools > >> > > > > > > >> > > > > > Please download, verify, and test. The vote will be open > >> > > > > for > >> > > at > >> > > > > least 72 > >> > > > > > hours. > >> > > > > > > >> > > > > > Thanks, > >> > > > > > Gabor > >> > > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > > >> > > > -- > >> > > > Ryan Blue > >> > > > Software Engineer > >> > > > Netflix > >> > > > > >> > > > >> > > > >> > > -- > >> > > Thanks & Best Regards > >> > >
