Good idea from Colm, actually. +1 for cancelling (non-binding). It's not affecting every project, but it does break projects. This should be enough to cancel this vote?
On Tue, 11 Feb 2020 at 15:55, Colm O hEigeartaigh <[email protected]> wrote:
>
> I wonder if we shouldn't cancel the vote and merge
> https://github.com/apache/shiro/pull/201 before calling another vote? It's
> blocking other projects (e.g. Apache Knox) into upgrading to Shiro 1.5.x.
>
> Colm.
>
> On Fri, Feb 7, 2020 at 5:14 PM Brian Demers <[email protected]> wrote:
>
> > I answered my own question, id.apache.org is the correct approach now:
> >
> > https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
> >
> > On Fri, Feb 7, 2020 at 12:06 PM Brian Demers <[email protected]> wrote:
> >
> > > Agreed, I'll follow up with infra and figure out what the _recommended_
> > > approach is, maybe it's just a KEYS file in git, or something through
> > > id.apache.org
> > >
> > > On Fri, Feb 7, 2020 at 11:00 AM Colm O hEigeartaigh <[email protected]> wrote:
> > >
> > >> Thanks, that's working now. We will have to find a way of updating
> > >> http://www.apache.org/dist/shiro/KEYS though, as otherwise users won't
> > >> be able to reliably check the signature on the releases.
> > >>
> > >> +1 from me on the release.
> > >>
> > >> Colm.
> > >>
> > >> On Fri, Feb 7, 2020 at 4:31 PM Brian Demers <[email protected]> wrote:
> > >>
> > >>> Hey sorry everyone, I should have checked that copy's expiration before
> > >>> responding to Colm.
> > >>>
> > >>> repository.apache.org uses the following key servers:
> > >>> https://keyserver.ubuntu.com/
> > >>> http://pool.sks-keyservers.net/
> > >>> (And checks the signatures when a staging repository is closed)
> > >>> You can grab my key from either of those servers (which was previously
> > >>> extended and is valid until 2021).
> > >>>
> > >>> I attempted to update the old SVN copy of `KEYS` but it looks like it is
> > >>> read-only (now that we have moved to git).
> > >>>
> > >>> TL;DR: I shared the wrong link, use one of the key servers above.
> > >>>
> > >>> Sorry for the confusion,
> > >>> -Brian
> > >>>
> > >>> On Fri, Feb 7, 2020 at 9:50 AM Benjamin Marwell <[email protected]> wrote:
> > >>>
> > >>>> Good catch!
> > >>>>
> > >>>> Yes, this would change my vote as well to -1 until the key is extended.
> > >>>>
> > >>>> Non binding.
> > >>>>
> > >>>> On Fri, 7 Feb 2020, 12:18 Colm O hEigeartaigh, <[email protected]> wrote:
> > >>>>
> > >>>> > Hi Brian,
> > >>>> >
> > >>>> > Looks like this is the problem:
> > >>>> >
> > >>>> > gpg: assuming signed data in 'shiro-root-1.5.1-source-release.zip'
> > >>>> > gpg: Signature made Mon 03 Feb 2020 21:02:40 GMT
> > >>>> > gpg: using DSA key 9C1FC83FF3B877CDE53B337C525875B36BFC416A
> > >>>> > gpg: Good signature from "Brian Demers <[email protected]>" [expired]
> > >>>> > gpg: Note: This key has expired!
> > >>>> >
> > >>>> > "sub 4096g/AD11985E 2009-12-10 [expires: 2015-01-03]
> > >>>> > sig 6BFC416A 2012-01-04 Brian Demers <[email protected]>"
> > >>>> >
> > >>>> > I think I'll have to -1 the vote as the signing keys have expired...
> > >>>> >
> > >>>> > Colm.
> > >>>> >
> > >>>> > On Thu, Feb 6, 2020 at 6:32 PM Brian Demers <[email protected]> wrote:
> > >>>> >
> > >>>> > > Which key server are you using?
> > >>>> > >
> > >>>> > > My pub key should also be included here:
> > >>>> > > https://svn.apache.org/repos/asf/shiro/KEYS
> > >>>> > >
> > >>>> > > On Thu, Feb 6, 2020 at 5:34 AM Colm O hEigeartaigh <[email protected]> wrote:
> > >>>> > >
> > >>>> > >> Hi Brian,
> > >>>> > >>
> > >>>> > >> Just a query on the key you used to sign the release:
> > >>>> > >>
> > >>>> > >> https://repository.apache.org/content/repositories/orgapacheshiro-1025/org/apache/shiro/shiro-root/1.5.1/shiro-root-1.5.1-source-release.zip.asc
> > >>>> > >>
> > >>>> > >> When I try to verify with gpg I get: gpg: Can't check signature: No public key
> > >>>> > >>
> > >>>> > >> Contrast for example with the signature for 1.5.0:
> > >>>> > >>
> > >>>> > >> https://repo.maven.apache.org/maven2/org/apache/shiro/shiro-root/1.5.0/shiro-root-1.5.0-source-release.zip.asc
> > >>>> > >>
> > >>>> > >> Colm.
> > >>>> > >>
> > >>>> > >> On Tue, Feb 4, 2020 at 4:02 PM Les Hazlewood <[email protected]> wrote:
> > >>>> > >>
> > >>>> > >> > +1 (binding)
> > >>>> > >> >
> > >>>> > >> > On Mon, Feb 3, 2020 at 1:37 PM Brian Demers <[email protected]> wrote:
> > >>>> > >> >
> > >>>> > >> > > This is a call to vote in favor of releasing Apache Shiro version 1.5.1.
> > >>>> > >> > >
> > >>>> > >> > > The 3 issues solved for 1.5.1:
> > >>>> > >> > >
> > >>>> > >> > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%20%221.5.1%22%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC
> > >>>> > >> > >
> > >>>> > >> > > The source to be voted upon:
> > >>>> > >> > > https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1
> > >>>> > >> > > (8024450868cb5cd0d9a8cc3a481ce17cd77d37f2)
> > >>>> > >> > >
> > >>>> > >> > > Staging repo for binaries:
> > >>>> > >> > > https://repository.apache.org/content/repositories/orgapacheshiro-1025
> > >>>> > >> > >
> > >>>> > >> > > Project website (just for informational purposes, not to be voted upon):
> > >>>> > >> > > http://shiro.apache.org/
> > >>>> > >> > >
> > >>>> > >> > > Guide to testing staged releases:
> > >>>> > >> > > http://maven.apache.org/guides/development/guide-testing-releases.html
> > >>>> > >> > >
> > >>>> > >> > > Vote open for 72 hours. Please do examine the source and binaries before
> > >>>> > >> > > voting.
> > >>>> > >> > >
> > >>>> > >> > > [ ] +1
> > >>>> > >> > > [ ] +0
> > >>>> > >> > > [ ] -1 (please include reasoning)
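
The thread hits two different gpg outcomes for the same artifact: "Can't check signature: No public key" and a good signature from an expired key. The following is an added example, not part of the original thread or of the Shiro project: a release-check helper that tells those cases apart from gpg's machine-readable `--status-fd` output instead of its human-readable text. The function names, verdict strings and sample status lines (key ID, user ID, timestamp) are constructed for illustration.

```shell
#!/bin/sh
# classify_gpg_status: read `gpg --status-fd` lines on stdin, print one verdict.
# Only GOOD should let a release vote or an automated download proceed.
classify_gpg_status() {
    verdict="UNKNOWN"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    verdict="BAD_SIGNATURE"; break ;;   # data or signature altered
            "[GNUPG:] NO_PUBKEY "*) verdict="MISSING_KEY" ;;            # "No public key" in the thread
            "[GNUPG:] EXPKEYSIG "*) verdict="KEY_EXPIRED" ;;            # "Good signature ... [expired]"
            "[GNUPG:] REVKEYSIG "*) verdict="KEY_REVOKED" ;;
            "[GNUPG:] EXPSIG "*)    verdict="SIGNATURE_EXPIRED" ;;
            "[GNUPG:] GOODSIG "*)
                if [ "$verdict" = "UNKNOWN" ]; then verdict="GOOD"; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_release SIG FILE: run gpg against the local keyring and gate on the verdict.
# Returns 0 only when the signature is good and the key is neither expired nor revoked.
verify_release() {
    result=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status)
    printf '%s: %s\n' "$2" "$result"
    [ "$result" = "GOOD" ]
}

# Constructed sample: status lines for a good signature made by an expired key.
sample_expired_key() {
    printf '%s\n' \
        '[GNUPG:] KEYEXPIRED 1420243200' \
        '[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>'
}

# Constructed sample: status lines when the signing key is not in the keyring.
sample_missing_key() {
    printf '%s\n' \
        '[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1580763760 9' \
        '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
}

sample_expired_key | classify_gpg_status
sample_missing_key | classify_gpg_status
```

A `MISSING_KEY` verdict means the keyring needs the project's published KEYS file or a key server import, while `KEY_EXPIRED` means the local copy of the key is stale or the signer has to extend it.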
