Works for me. I'll cancel the vote
On Tue, Feb 11, 2020 at 3:15 PM Jean-Baptiste Onofre <[email protected]> wrote: > Yeah, good point especially as some other projects are waiting for this > fix. > > Regards > JB > > > Le 11 févr. 2020 à 15:55, Colm O hEigeartaigh <[email protected]> a > écrit : > > > > I wonder if we shouldn't cancel the vote and merge > > https://github.com/apache/shiro/pull/201 before calling another vote? > It's > > blocking other projects (e.g. Apache Knox) into upgrading to Shiro 1.5.x. > > > > Colm. > > > > On Fri, Feb 7, 2020 at 5:14 PM Brian Demers <[email protected]> > wrote: > > > >> I answered my own question, id.apache.org is the correct approach now: > >> > >> > https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys > >> > >> On Fri, Feb 7, 2020 at 12:06 PM Brian Demers <[email protected]> > >> wrote: > >> > >>> Agreed, I'll follow up with infra and figure out what the _recomended_ > >>> approach is, maybe it's just a KEYS file in git, or something through > >>> id.apache.org > >>> > >>> On Fri, Feb 7, 2020 at 11:00 AM Colm O hEigeartaigh < > [email protected] > >>> > >>> wrote: > >>> > >>>> > >>>> Thanks, that's working now. We will have to find a way of updating > >>>> http://www.apache.org/dist/shiro/KEYS though, as otherwise users > won't > >>>> be able to reliably check the signature on the releases. > >>>> > >>>> +1 from me on the release. > >>>> > >>>> Colm. > >>>> > >>>> On Fri, Feb 7, 2020 at 4:31 PM Brian Demers <[email protected]> > >>>> wrote: > >>>> > >>>>> Hey sorry everyone, I should have checked that copy's expiration > before > >>>>> responding to Colm. > >>>>> > >>>>> repository.apache.org uses the following key servers: > >>>>> https://keyserver.ubuntu.com/ > >>>>> http://pool.sks-keyservers.net/ > >>>>> (And checks the signatures when a staging repository is closed) > >>>>> You can grab my key from either of those servers (which was > previously > >>>>> extended and is valid until 2021). > >>>>> > >>>>> I attempted to update the old SVN copy of `KEYS` but it looks like it > >> is > >>>>> read-only (now that we have moved to git). > >>>>> > >>>>> TL;DR: I shared the wrong link, use one of the key servers above. > >>>>> > >>>>> Sorry for the confusion, > >>>>> -Brian > >>>>> > >>>>> On Fri, Feb 7, 2020 at 9:50 AM Benjamin Marwell <[email protected]> > >>>>> wrote: > >>>>> > >>>>>> Good catch! > >>>>>> > >>>>>> Yes, this would change my vote as well to -1 until the key is > >> extended. > >>>>>> > >>>>>> Non binding. > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> On Fri, 7 Feb 2020, 12:18 Colm O hEigeartaigh, <[email protected] > > > >>>>>> wrote: > >>>>>> > >>>>>>> Hi Brian, > >>>>>>> > >>>>>>> Looks like this is the problem: > >>>>>>> > >>>>>>> gpg: assuming signed data in 'shiro-root-1.5.1-source-release.zip' > >>>>>>> gpg: Signature made Mon 03 Feb 2020 21:02:40 GMT > >>>>>>> gpg: using DSA key > >>>>>> 9C1FC83FF3B877CDE53B337C525875B36BFC416A > >>>>>>> gpg: Good signature from "Brian Demers <[email protected]>" > >>>>>> [expired] > >>>>>>> gpg: Note: This key has expired! > >>>>>>> > >>>>>>> "sub 4096g/AD11985E 2009-12-10 [expires: 2015-01-03] > >>>>>>> sig 6BFC416A 2012-01-04 Brian Demers < > >>>>>> [email protected]>" > >>>>>>> > >>>>>>> I think I'll have to -1 the vote as the signing keys have > expired... > >>>>>>> > >>>>>>> Colm. > >>>>>>> > >>>>>>> On Thu, Feb 6, 2020 at 6:32 PM Brian Demers < > [email protected] > >>> > >>>>>>> wrote: > >>>>>>> > >>>>>>>> > >>>>>>>> Which key server are you using? > >>>>>>>> > >>>>>>>> My pub key should also be included here: > >>>>>>>> https://svn.apache.org/repos/asf/shiro/KEYS > >>>>>>>> > >>>>>>>> > >>>>>>>> On Thu, Feb 6, 2020 at 5:34 AM Colm O hEigeartaigh < > >>>>>> [email protected]> > >>>>>>>> wrote: > >>>>>>>> > >>>>>>>>> Hi Brian, > >>>>>>>>> > >>>>>>>>> Just a query on the key you used to sign the release: > >>>>>>>>> > >>>>>>>>> > >>>>>>> > >>>>>> > >> > https://repository.apache.org/content/repositories/orgapacheshiro-1025/org/apache/shiro/shiro-root/1.5.1/shiro-root-1.5.1-source-release.zip.asc > >>>>>>>>> > >>>>>>>>> When I try to verify with gpg I get: gpg: Can't check signature: > >> No > >>>>>>> public > >>>>>>>>> key > >>>>>>>>> > >>>>>>>>> Contrast for example with the signature for 1.5.0: > >>>>>>>>> > >>>>>>>>> > >>>>>>> > >>>>>> > >> > https://repo.maven.apache.org/maven2/org/apache/shiro/shiro-root/1.5.0/shiro-root-1.5.0-source-release.zip.asc > >>>>>>>>> > >>>>>>>>> Colm. > >>>>>>>>> > >>>>>>>>> On Tue, Feb 4, 2020 at 4:02 PM Les Hazlewood < > >>>>>> [email protected]> > >>>>>>>>> wrote: > >>>>>>>>> > >>>>>>>>>> +1 (binding) > >>>>>>>>>> > >>>>>>>>>> On Mon, Feb 3, 2020 at 1:37 PM Brian Demers < > >> [email protected]> > >>>>>>> wrote: > >>>>>>>>>> > >>>>>>>>>>> This is a call to vote in favor of releasing Apache Shiro > >>>>>> version > >>>>>>>>> 1.5.1. > >>>>>>>>>>> > >>>>>>>>>>> The 3 issues solved for 1.5.1: > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>> > >>>>>>>>> > >>>>>>> > >>>>>> > >> > https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%20%221.5.1%22%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC > >>>>>>>>>>> > >>>>>>>>>>> The source to be voted upon: > >>>>>>>>>>> > >>>>>> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1 > >>>>>>>>>>> (8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 > >>>>>>>>>>> < > >>>>>>>>>> > >>>>>>>>> > >>>>>>> > >>>>>> > >> > https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1(8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 > >>>>>>>>>>> > >>>>>>>>>>> ) > >>>>>>>>>>> > >>>>>>>>>>> Staging repo for binaries: > >>>>>>>>>>> > >>>>>>>>> > >>>>>> > >> https://repository.apache.org/content/repositories/orgapacheshiro-1025 > >>>>>>>>>>> > >>>>>>>>>>> Project website (just for informational purposes, not to be > >>>>>> voted > >>>>>>>>> upon): > >>>>>>>>>>> http://shiro.apache.org/ > >>>>>>>>>>> > >>>>>>>>>>> Guide to testing staged releases: > >>>>>>>>>>> > >>>>>>>>> > >>>>>> > >> http://maven.apache.org/guides/development/guide-testing-releases.html > >>>>>>>>>>> > >>>>>>>>>>> Vote open for 72 hours. Please do examine the source and > >>>>>> binaries > >>>>>>>>> before > >>>>>>>>>>> voting. > >>>>>>>>>>> > >>>>>>>>>>> [ ] +1 > >>>>>>>>>>> [ ] +0 > >>>>>>>>>>> [ ] -1 (please include reasoning) > >>>>>>>>>>> > >>>>>>>>>> > >>>>>>>>> > >>>>>>>> > >>>>>>> > >>>>>> > >>>>> > >> > >
