Hi, A video call sounds more secure to me than a photo which can be easily manipulated. We could spend 5 minutes on it in the next Parquet sync or alternatively is there someone already in the web of trust who would volunteer to do a private video call with us before or after the sync?
Thanks, Zoltan On Mon, Apr 29, 2019 at 7:52 PM Wes McKinney <[email protected]> wrote: > > On Mon, Apr 29, 2019 at 12:48 PM Zoltan Ivanfi <[email protected]> > wrote: > > > > Hi, > > > > An excerpt from > > https://www.apache.org/dev/release-signing#verifying-signature : "A > > signature is valid, if gpg verifies the .asc as a good signature, and > > doesn't complain about expired or revoked keys." Another excerpt from > > https://www.apache.org/dev/release-signing#check-integrity that > > reinforces that signing each other's keys is optional: "If you are > > connected to the Apache web of trust then this also offers superior > > security." > > > > That being said I support signing each other's keys. Of course, you > > will still need one key somewhere along the signing chain that you > > trust. I see that a few PMC members have signed keys, how should we > > approach this task? The HOWTO suggests public conferences and key > > signing parties, but I hope there is a way to do that remotely. Would > > members who are already in the web of trust feel comfortable signing > > our keys based the on the following? > > > > - Our keys have been committed to the central KEYS file using our > > apache credentials. > > - We could personally confirm this in the next Parquet sync. > > - We could even read the key ID-s out loud if needed. > > > > In person is best (if it is a person whose identity you are sure of), > for people I know personally what I've done to sign their key remotely > is have them write down the PGP fingerprint and show the paper to me > in a photograph of themselves or in a video call. I don't know whether > this is a good security practice but it seems better than doing things > over e-mail =) > > - Wes > > > Br, > > > > Zoltan > > > > > > On Mon, Apr 29, 2019 at 7:11 PM Zoltan Ivanfi <[email protected]> wrote: > > > > > > Hi Wes, > > > > > > Gabor's key is in the KEYS file available at > > > https://dist.apache.org/repos/dist/dev/parquet/KEYS Others may correct me > > > if I'm mistaken, but as far as I know, this is all that is required. I > > > mentioned this in the verification steps as well ("4. Verify the > > > signature by running `gpg --verify apache-parquet-1.11.0.tar.gz.asc`. It > > > should say "Good signature", the warning about the key not being trusted > > > can be ignored"). My signing key is also unsigned, because instead of > > > signing each other's keys we depend on the fact that only privileged > > > users can put their key into the central KEYS file. > > > > > > Br, > > > > > > Zoltan > > > > > > On Mon, Apr 29, 2019 at 6:46 PM Wes McKinney <[email protected]> wrote: > > >> > > >> -1 > > >> > > >> Gabor's PGP key is unsigned. > > >> > > >> $ gpg --verify apache-parquet-1.11.0.tar.gz.asc > > >> gpg: assuming signed data in 'apache-parquet-1.11.0.tar.gz' > > >> gpg: Signature made Tue 19 Mar 2019 08:55:48 AM CDT > > >> gpg: using RSA key > > >> 6FB82970311551C7CEF131F5021057DBF048F543 > > >> gpg: Good signature from "Gabor Szadovszky <[email protected]>" [unknown] > > >> gpg: WARNING: This key is not certified with a trusted signature! > > >> gpg: There is no indication that the signature belongs to the > > >> owner. > > >> Primary key fingerprint: 6FB8 2970 3115 51C7 CEF1 31F5 0210 57DB F048 > > >> F543 > > >> > > >> On Tue, Apr 16, 2019 at 4:10 AM Gabor Szadovszky <[email protected]> > > >> wrote: > > >> > > > >> > Based on our release process ( > > >> > http://parquet.apache.org/documentation/how-to-release/) and the > > >> > related > > >> > scripts we use the final tag for an RC. So, the existence of this tag > > >> > does > > >> > not mean 1.11.0 is released. > > >> > However, I agree this is misleading and not a good practice to remove > > >> > already committed tags and re-add them to another place (when a new RC > > >> > comes out). I think, we should update our release process to use RC > > >> > tags > > >> > and put the final tag only after it is officially released. But it is > > >> > the > > >> > story of the next release... > > >> > > > >> > > > >> > On Sat, Apr 13, 2019 at 8:00 PM 俊杰陈 <[email protected]> wrote: > > >> > > > >> > > From the github release page, I see the 1.11.0 already released. Is > > >> > > it > > >> > > still a rc version? > > >> > > https://github.com/apache/parquet-mr/releases/tag/apache-parquet-1.11.0 > > >> > > > > >> > > On Fri, Apr 12, 2019 at 8:10 AM Ryan Blue <[email protected]> > > >> > > wrote: > > >> > > > > >> > > > Personally, I haven't had enough time to devote to Parquet lately > > >> > > > and > > >> > > that > > >> > > > means I haven't validated that this release's new features are > > >> > > > okay to > > >> > > > release. I'm hoping sometime in the next few weeks I'll be able to > > >> > > > vote > > >> > > on > > >> > > > this. > > >> > > > > > >> > > > On Thu, Apr 11, 2019 at 1:23 PM Andy Grove <[email protected]> > > >> > > > wrote: > > >> > > > > > >> > > > > I'm curious if there is any update on this vote? The thread seems > > >> > > eerily > > >> > > > > quiet. > > >> > > > > > > >> > > > > Thanks. > > >> > > > > > > >> > > > > On 4/3/19, 10:38 AM, "Andy Grove" <[email protected]> wrote: > > >> > > > > > > >> > > > > CAUTION – UNVERIFIED EXTERNAL EMAIL > > >> > > > > > > >> > > > > > > >> > > > > I have been able to run mvn verify and have also tested this > > >> > > > > RC > > >> > > > > against our internal systems, with no issue. > > >> > > > > > > >> > > > > +1 (non-binding) > > >> > > > > > > >> > > > > I have raised the issue about Hadoop-lzo, but that is > > >> > > > > present in > > >> > > the > > >> > > > > 1.10.1 release also. > > >> > > > > > > >> > > > > Andy. > > >> > > > > > > >> > > > > > > >> > > > > On 3/20/19, 7:50 AM, "Zoltan Ivanfi" > > >> > > > > <[email protected]> > > >> > > > wrote: > > >> > > > > > > >> > > > > CAUTION – UNVERIFIED EXTERNAL EMAIL > > >> > > > > > > >> > > > > > > >> > > > > +1 (binding) > > >> > > > > > > >> > > > > signature matches > > >> > > > > git hash matches the git tag > > >> > > > > source tarball matches the git tag > > >> > > > > unit tests and integration tests pass > > >> > > > > > > >> > > > > On Tue, Mar 19, 2019 at 3:00 PM Gabor Szadovszky < > > >> > > > [email protected]> > > >> > > > > wrote: > > >> > > > > > > >> > > > > > Dear Parquet Users and Developers, > > >> > > > > > > > >> > > > > > I propose the following RC to be released as the > > >> > > > > official > > >> > > > Apache > > >> > > > > > Parquet 1.11.0 release: > > >> > > > > > > > >> > > > > > The commit id is > > >> > > > > 9756b0e2b35437a09716707a81e2ac0c187112ed > > >> > > > > > * This corresponds to the tag: apache-parquet-1.11.0 > > >> > > > > > * > > >> > > > > > > > >> > > > > > > > >> > > > > > > >> > > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fparquet-mr%2Ftree%2F9756b0e2b35437a09716707a81e2ac0c187112ed&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342858310&sdata=v6kHzIIpJQp%2Fq7fuR%2ByHVwGV7vZ7lUKupyqKZwmQeFI%3D&reserved=0 > > >> > > > > > > > >> > > > > > The release tarball, signature, and checksums are here: > > >> > > > > > * > > >> > > > > > > > >> > > > > > > >> > > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fparquet%2Fapache-parquet-1.11.0-rc6%2F&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342858310&sdata=RVlztCju4ZoZz5vnF8f5RxE7kPmZoKMj3Ipo4x0Aj4k%3D&reserved=0 > > >> > > > > > > > >> > > > > > You can find the KEYS file here: > > >> > > > > > * > > >> > > > > > > >> > > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdist.apache.org%2Frepos%2Fdist%2Fdev%2Fparquet%2FKEYS&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342858310&sdata=8xPAIJ4EkJPXXxZ2hTH%2BuJOtCOrCspYXkjsl%2B44Jb20%3D&reserved=0 > > >> > > > > > > > >> > > > > > Binary artifacts are staged in Nexus here: > > >> > > > > > * > > >> > > > > > > > >> > > > > > > > >> > > > > > > >> > > > > > >> > > https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Frepository.apache.org%2Fcontent%2Fgroups%2Fstaging%2Forg%2Fapache%2Fparquet%2Fparquet%2F1.11.0%2F&data=02%7C01%7CAndy.Grove%40rms.com%7Cc45463142cfe401f12b708d6b852dac3%7Cd43fb8a804da4990b86cc4ba9ba4511f%7C0%7C0%7C636899063342868310&sdata=%2FIW9qYFnwvuL7QgkrYxX%2BZWJ1fcaZz%2Bq1tRJWKfQERU%3D&reserved=0 > > >> > > > > > > > >> > > > > > This release includes the following new features: > > >> > > > > > - PARQUET-1201 - Column indexes > > >> > > > > > - PARQUET-1253 - Support for new logical type > > >> > > > > representation > > >> > > > > > - PARQUET-1381 - Add merge blocks command to > > >> > > > > parquet-tools > > >> > > > > > - PARQUET-1388 - Nanosecond precision time and > > >> > > > > timestamp - > > >> > > > > parquet-mr > > >> > > > > > > > >> > > > > > The release also includes bug fixes, including: > > >> > > > > > - PARQUET-1472: Dictionary filter fails on > > >> > > > FIXED_LEN_BYTE_ARRAY. > > >> > > > > > - PARQUET-1510: Fix notEq for optional columns with > > >> > > > > null > > >> > > > values. > > >> > > > > > - PARQUET-1533: TestSnappy() throws OOM exception with > > >> > > > > Parquet-1485 change > > >> > > > > > - PARQUET-1531: Page row count limit causes empty > > >> > > > > pages to be > > >> > > > > written from > > >> > > > > > MessageColumnIO > > >> > > > > > - PARQUET-1544: Possible over-shading of modules > > >> > > > > > > > >> > > > > > The following change has been reverted so it is not > > >> > > > > part of > > >> > > any > > >> > > > > public > > >> > > > > > release: > > >> > > > > > - PARQUET-1381: Add merge blocks command to > > >> > > > > parquet-tools > > >> > > > > > > > >> > > > > > Please download, verify, and test. The vote will be > > >> > > > > open for > > >> > > at > > >> > > > > least 72 > > >> > > > > > hours. > > >> > > > > > > > >> > > > > > Thanks, > > >> > > > > > Gabor > > >> > > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > >> > > > -- > > >> > > > Ryan Blue > > >> > > > Software Engineer > > >> > > > Netflix > > >> > > > > > >> > > > > >> > > > > >> > > -- > > >> > > Thanks & Best Regards > > >> > >
