Yeah, good point, especially as some other projects are waiting for this fix.

Regards
JB

> On 11 Feb 2020, at 15:55, Colm O hEigeartaigh <[email protected]> wrote:
> 
> I wonder if we shouldn't cancel the vote and merge
> https://github.com/apache/shiro/pull/201 before calling another vote? It's
> blocking other projects (e.g. Apache Knox) into upgrading to Shiro 1.5.x.
> 
> Colm.
> 
> On Fri, Feb 7, 2020 at 5:14 PM Brian Demers <[email protected]> wrote:
> 
>> I answered my own question, id.apache.org is the correct approach now:
>> 
>> https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
>> 
>> On Fri, Feb 7, 2020 at 12:06 PM Brian Demers <[email protected]>
>> wrote:
>> 
>>> Agreed, I'll follow up with infra and figure out what the _recommended_
>>> approach is, maybe it's just a KEYS file in git, or something through
>>> id.apache.org
>>> 
>>> On Fri, Feb 7, 2020 at 11:00 AM Colm O hEigeartaigh <[email protected]>
>>> wrote:
>>> 
>>>> 
>>>> Thanks, that's working now. We will have to find a way of updating
>>>> http://www.apache.org/dist/shiro/KEYS though, as otherwise users won't
>>>> be able to reliably check the signature on the releases.
>>>> 
>>>> +1 from me on the release.
>>>> 
>>>> Colm.
>>>> 
>>>> On Fri, Feb 7, 2020 at 4:31 PM Brian Demers <[email protected]>
>>>> wrote:
>>>> 
>>>>> Hey sorry everyone, I should have checked that copy's expiration before
>>>>> responding to Colm.
>>>>> 
>>>>> repository.apache.org uses the following key servers:
>>>>> https://keyserver.ubuntu.com/
>>>>> http://pool.sks-keyservers.net/
>>>>> (And checks the signatures when a staging repository is closed)
>>>>> You can grab my key from either of those servers (which was previously
>>>>> extended and is valid until 2021).
>>>>> 
>>>>> I attempted to update the old SVN copy of `KEYS` but it looks like it is
>>>>> read-only (now that we have moved to git).
>>>>> 
>>>>> TL;DR: I shared the wrong link, use one of the key servers above.
>>>>> 
>>>>> Sorry for the confusion,
>>>>> -Brian
>>>>> 
>>>>> On Fri, Feb 7, 2020 at 9:50 AM Benjamin Marwell <[email protected]>
>>>>> wrote:
>>>>> 
>>>>>> Good catch!
>>>>>> 
>>>>>> Yes, this would change my vote as well to -1 until the key is extended.
>>>>>> 
>>>>>> Non binding.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Fri, 7 Feb 2020, 12:18 Colm O hEigeartaigh, <[email protected]>
>>>>>> wrote:
>>>>>> 
>>>>>>> Hi Brian,
>>>>>>> 
>>>>>>> Looks like this is the problem:
>>>>>>> 
>>>>>>> gpg: assuming signed data in 'shiro-root-1.5.1-source-release.zip'
>>>>>>> gpg: Signature made Mon 03 Feb 2020 21:02:40 GMT
>>>>>>> gpg:                using DSA key 9C1FC83FF3B877CDE53B337C525875B36BFC416A
>>>>>>> gpg: Good signature from "Brian Demers <[email protected]>" [expired]
>>>>>>> gpg: Note: This key has expired!
>>>>>>> 
>>>>>>> "sub   4096g/AD11985E 2009-12-10 [expires: 2015-01-03]
>>>>>>> sig          6BFC416A 2012-01-04  Brian Demers <[email protected]>"
>>>>>>> 
>>>>>>> I think I'll have to -1 the vote as the signing keys have expired...
>>>>>>> 
>>>>>>> Colm.
>>>>>>> 
>>>>>>> On Thu, Feb 6, 2020 at 6:32 PM Brian Demers <[email protected]>
>>>>>>> wrote:
>>>>>>> 
>>>>>>>> 
>>>>>>>> Which key server are you using?
>>>>>>>> 
>>>>>>>> My pub key should also be included here:
>>>>>>>> https://svn.apache.org/repos/asf/shiro/KEYS
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Thu, Feb 6, 2020 at 5:34 AM Colm O hEigeartaigh <[email protected]>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>>> Hi Brian,
>>>>>>>>> 
>>>>>>>>> Just a query on the key you used to sign the release:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> https://repository.apache.org/content/repositories/orgapacheshiro-1025/org/apache/shiro/shiro-root/1.5.1/shiro-root-1.5.1-source-release.zip.asc
>>>>>>>>> 
>>>>>>>>> When I try to verify with gpg I get: gpg: Can't check signature: No public key
>>>>>>>>> 
>>>>>>>>> Contrast for example with the signature for 1.5.0:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> https://repo.maven.apache.org/maven2/org/apache/shiro/shiro-root/1.5.0/shiro-root-1.5.0-source-release.zip.asc
>>>>>>>>> 
>>>>>>>>> Colm.
>>>>>>>>> 
>>>>>>>>> On Tue, Feb 4, 2020 at 4:02 PM Les Hazlewood <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> +1 (binding)
>>>>>>>>>> 
>>>>>>>>>> On Mon, Feb 3, 2020 at 1:37 PM Brian Demers <[email protected]> wrote:
>>>>>>>>>> 
>>>>>>>>>>> This is a call to vote in favor of releasing Apache Shiro version 1.5.1.
>>>>>>>>>>> 
>>>>>>>>>>> The 3 issues solved for 1.5.1:
>>>>>>>>>>> 
>>>>>>>>>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%20%221.5.1%22%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC
>>>>>>>>>>> 
>>>>>>>>>>> The source to be voted upon:
>>>>>>>>>>> 
>>>>>>>>>>> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1
>>>>>>>>>>> (8024450868cb5cd0d9a8cc3a481ce17cd77d37f2)
>>>>>>>>>>> 
>>>>>>>>>>> Staging repo for binaries:
>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapacheshiro-1025
>>>>>>>>>>> 
>>>>>>>>>>> Project website (just for informational purposes, not to be voted upon):
>>>>>>>>>>> http://shiro.apache.org/
>>>>>>>>>>> 
>>>>>>>>>>> Guide to testing staged releases:
>>>>>>>>>>> http://maven.apache.org/guides/development/guide-testing-releases.html
>>>>>>>>>>> 
>>>>>>>>>>> Vote open for 72 hours. Please do examine the source and binaries
>>>>>>>>>>> before voting.
>>>>>>>>>>> 
>>>>>>>>>>> [ ] +1
>>>>>>>>>>> [ ] +0
>>>>>>>>>>> [ ] -1 (please include reasoning)
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>> 
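
The two gpg outcomes reported in this thread (no public key, then a good signature from an expired key) can be told apart mechanically from gpg's machine-readable status lines. This is an added example, not part of the original thread: the function names are hypothetical and the sample status lines are constructed, reusing the key ID from the gpg output quoted above.

```shell
#!/bin/sh
# Classify a signature check from the "[GNUPG:]" status lines that
#   gpg --status-fd 1 --verify FILE.asc FILE
# writes to stdout. Reads the status lines on stdin and prints one verdict:
#   good | expired-key | revoked-key | no-pubkey | bad | unknown
classify_gpg_status() {
    good=0 expired=0 revoked=0 bad=0 nokey=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] EXPKEYSIG "*) expired=1 ;;  # signature OK, key expired
            "[GNUPG:] REVKEYSIG "*) revoked=1 ;;  # signature OK, key revoked
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;    # key not in local keyring
        esac
    done
    # The worst finding wins; only a plain GOODSIG counts as acceptable.
    if   [ "$bad" = 1 ];     then echo bad
    elif [ "$revoked" = 1 ]; then echo revoked-key
    elif [ "$expired" = 1 ]; then echo expired-key
    elif [ "$nokey" = 1 ];   then echo no-pubkey
    elif [ "$good" = 1 ];    then echo good
    else echo unknown
    fi
}

# Constructed sample: the first report in the thread (key not imported).
sample_missing_key() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 525875B36BFC416A 17 2 00 1580763760 9
[GNUPG:] NO_PUBKEY 525875B36BFC416A
EOF
}

# Constructed sample: the second report (stale copy of the key imported).
sample_expired_key() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 525875B36BFC416A Brian Demers <[email protected]>
EOF
}

# Release gate: succeed only when the verdict is "good".
signature_acceptable() {
    [ "$(classify_gpg_status)" = good ]
}
```

An `expired-key` verdict only describes the copy of the key in the local keyring, so refresh the key from the project's published source before re-running the check.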
