My question was actually regarding what exactly happened and why signatures were not reliably generated. The linked issue appears to have a failure. Was that failure why it was necessary to take manual steps? My concern is that there is a reliable process for builds that doesn't involve manual steps for important parts, like signatures.
On Tue, May 27, 2025 at 9:27 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> It was a mistake on my part while svn commit on dist due to
> https://github.com/apache/polaris/issues/1676: I had to re-sign artifacts
> for dist.
>
> With 1676 fixed we will be fine for next releases.
>
> Regards
> JB
>
> On Tue, May 27, 2025 at 17:44, Ryan Blue <rdb...@gmail.com> wrote:
>
> > JB, what happened here? Is there a part of the process that is run by hand
> > rather than being done in a script? I can't think of what might have caused
> > this that went wrong with a script and we don't want future issues since
> > this is likely to not be caught in the future.
> >
> > On Fri, May 23, 2025 at 10:37 PM Jean-Baptiste Onofré <j...@nanthrax.net>
> > wrote:
> >
> > > It seems the upload failed. Let me check.
> > >
> > > On Sat, May 24, 2025 at 00:26, Russell Spitzer <russell.spit...@gmail.com>
> > > wrote:
> > >
> > > > +1 (Binding)
> > > >
> > > > Checked all the normal things
> > > > 1. Build / Test
> > > > 2. Checksums
> > > > 3. Smoke tested Server and Admin jars
> > > > 4. GPG Signatures (Issues below)
> > > >
> > > > Only did a quick pass on Helm Licenses/Notice and Friends but all look
> > > > good to me now.
> > > >
> > > > I do have one question because I seem to be having issues (if this isn't
> > > > the case I may have to be -1). I seem to have
> > > > problems checking the GPG signatures.
> > > >
> > > > The source gives me a valid signing
> > > >
> > > > All the other distribution files give me "Not a detached signature".
> > > >
> > > > ➜ 10.0-rc4 gpg --verify polaris-quarkus-admin-0.10.0-beta-incubating.tgz.asc
> > > > gpg: Signature made Fri May 23 00:43:25 2025 CDT
> > > > gpg: using RSA key 1AA8CF92D409A73393D0B736BFF2EE42C8282E76
> > > > gpg: Good signature from "Jean-Baptiste Onofré <jbono...@apache.org>" [unknown]
> > > > gpg: WARNING: This key is not certified with a trusted signature!
> > > > gpg: There is no indication that the signature belongs to the owner.
> > > > Primary key fingerprint: 1AA8 CF92 D409 A733 93D0 B736 BFF2 EE42 C828 2E76
> > > > *gpg: WARNING: not a detached signature; file 'polaris-quarkus-admin-0.10.0-beta-incubating.tgz' was NOT verified!*
> > > >
> > > > On Fri, May 23, 2025 at 10:25 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> > > > wrote:
> > > >
> > > > > Hi everyone
> > > > >
> > > > > I propose that we release the following RC (RC4) as the official
> > > > > Apache Polaris 0.10.0-beta-incubating release. Compared to RC3, RC4 fixes
> > > > > the LICENSE/NOTICE in the Helm chart.
> > > > >
> > > > > * This corresponds to the tag: apache-polaris-0.10.0-beta-incubating-rc4
> > > > > * https://github.com/apache/polaris/commits/apache-polaris-0.10.0-beta-incubating-rc4
> > > > > * https://github.com/apache/polaris/tree/52e30f0378d6092880918b15a34a6c6b4d51c1f8
> > > > >
> > > > > The release source distribution tarball, signature, and checksum are
> > > > > staged here:
> > > > > * tgz:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/apache-polaris-0.10.0-beta-incubating.tar.gz
> > > > > * sha512:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/apache-polaris-0.10.0-beta-incubating.tar.gz.sha512
> > > > > * gpg:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/apache-polaris-0.10.0-beta-incubating.tar.gz.asc
> > > > >
> > > > > You can find the KEYS file here:
> > > > > * https://downloads.apache.org/incubator/polaris/KEYS
> > > > >
> > > > > For convenience, the following binary artifacts are available:
> > > > > * Staging Maven repository
> > > > > ** https://repository.apache.org/content/repositories/orgapachepolaris-1019/
> > > > > NB: there's no uber/shade jar on the Staging Maven repository.
> > > > > * Staging binary distributions (server and admin tool) tarball,
> > > > > signature, and checksum:
> > > > > ** Server:
> > > > > *** tgz:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-server-0.10.0-beta-incubating.tgz
> > > > > *** tgz sha512:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-server-0.10.0-beta-incubating.tgz.sha512
> > > > > *** tgz gpg:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-server-0.10.0-beta-incubating.tgz.asc
> > > > > *** zip:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-server-0.10.0-beta-incubating.zip
> > > > > *** zip sha512:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-server-0.10.0-beta-incubating.zip.sha512
> > > > > *** zip gpg:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-server-0.10.0-beta-incubating.zip.asc
> > > > > ** Admin Tool:
> > > > > *** tgz:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-admin-0.10.0-beta-incubating.tgz
> > > > > *** tgz sha512:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-admin-0.10.0-beta-incubating.tgz.sha512
> > > > > *** tgz gpg:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-admin-0.10.0-beta-incubating.tgz.asc
> > > > > *** zip:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-admin-0.10.0-beta-incubating.zip
> > > > > *** zip sha512:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-admin-0.10.0-beta-incubating.zip.sha512
> > > > > *** zip gpg:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/apache-polaris-0.10.0-beta-incubating/polaris-quarkus-admin-0.10.0-beta-incubating.zip.asc
> > > > > * Staging Docker images:
> > > > > ** Server:
> > > > > https://hub.docker.com/layers/apache/polaris/0.10.0-beta-incubating-rc4/images/sha256-6364581b39ccd1d1684044f03aebd9c3d37afbc45f9b00e610b1c2553c701b69
> > > > > * Helm charts:
> > > > > ** tgz:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/helm-chart/apache-polaris-helm-chart-0.10.0-beta-incubating.tar.gz
> > > > > ** tgz sha512:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/helm-chart/apache-polaris-helm-chart-0.10.0-beta-incubating.tar.gz.sha512
> > > > > ** tgz gpg:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/polaris/helm-chart/apache-polaris-helm-chart-0.10.0-beta-incubating.tar.gz.asc
> > > > >
> > > > > Please download, verify, and test.
> > > > >
> > > > > Please vote in the next 72 hours.
> > > > >
> > > > > [ ] +1 Release this as Apache Polaris 0.10.0-beta-incubating
> > > > > [ ] +0
> > > > > [ ] -1 Do not release this because...
> > > > >
> > > > > Only PPMC members and mentors have binding votes, but other community
> > > > > members are
> > > > > encouraged to cast non-binding votes. This vote will pass if there are
> > > > > 3 binding +1 votes and more binding +1 votes than -1 votes.
> > > > >
> > > > > NB: if this vote passes, a new vote has to be started on the Incubator
> > > > > general mailing
> > > > > list.
> > > > >
> > > > > Thanks
> > > > > Regards
> > > > >
> > > > > JB
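
An added example, not part of the original thread or of the Polaris release tooling: a Python check for the condition behind gpg's "not a detached signature" warning, namely whether an .asc file contains only OpenPGP Signature packets (RFC 4880 tag 2) rather than a signed message. The function names and the sample inputs are constructed for illustration.

```python
import base64

def dearmor(text):  # return the binary payload of one ASCII-armored block
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    start = lines.index("") + 1          # armor headers end at the first blank line
    body = [ln for ln in lines[start:] if not ln.startswith(("=", "-----END"))]
    return base64.b64decode("".join(body))

def packet_tags(data):
    """Walk the RFC 4880 packet headers and return the packet tags in order."""
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("invalid packet header")
        if hdr & 0x40:                   # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = 0 if ltype == 3 else 1 << ltype   # ltype 3: body runs to end of data
            length = int.from_bytes(data[i + 1:i + 1 + n], "big") if n else len(data) - i - 1
            i += 1 + n
        tags.append(tag)
        i += length
    return tags

def is_detached_signature(armored):  # True only if every packet is a Signature (tag 2)
    tags = packet_tags(dearmor(armored))
    return bool(tags) and all(t == 2 for t in tags)

def _armor(kind, raw):
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{b64}\n-----END PGP {kind}-----\n"

# Constructed samples: real packet framing, dummy bodies (not valid signatures).
SIG = b"\x89\x00\x04" + b"\x04\x00\x01\x0a"
DETACHED = _armor("SIGNATURE", SIG)                       # like gpg --detach-sign
INLINE = _armor("MESSAGE", b"\x90\x0d" + bytes(13) + b"\xcb\x08" + bytes(8) + SIG)
COMPRESSED = _armor("MESSAGE", b"\xa3\x01" + b"dummy")    # signed message, compressed
```

A release script can run this over every staged .asc before the svn commit and stop on the first file that is not a bare signature; it checks the file's structure only and does not replace `gpg --verify <file>.asc <file>`.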