This release vote has been canceled. We will include SHIRO-742 (from PR 201) and re-vote on 1.5.1.
If you feel strongly about another issue going into this release, please speak now! Thanks, everyone! -Brian On Wed, Feb 12, 2020 at 1:25 PM Brian Demers <[email protected]> wrote: > Works for me. > > I'll cancel the vote > > On Tue, Feb 11, 2020 at 3:15 PM Jean-Baptiste Onofre <[email protected]> > wrote: > >> Yeah, good point especially as some other projects are waiting for this >> fix. >> >> Regards >> JB >> >> > Le 11 févr. 2020 à 15:55, Colm O hEigeartaigh <[email protected]> a >> écrit : >> > >> > I wonder if we shouldn't cancel the vote and merge >> > https://github.com/apache/shiro/pull/201 before calling another vote? >> It's >> > blocking other projects (e.g. Apache Knox) into upgrading to Shiro >> 1.5.x. >> > >> > Colm. >> > >> > On Fri, Feb 7, 2020 at 5:14 PM Brian Demers <[email protected]> >> wrote: >> > >> >> I answered my own question, id.apache.org is the correct approach now: >> >> >> >> >> https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys >> >> >> >> On Fri, Feb 7, 2020 at 12:06 PM Brian Demers <[email protected]> >> >> wrote: >> >> >> >>> Agreed, I'll follow up with infra and figure out what the _recomended_ >> >>> approach is, maybe it's just a KEYS file in git, or something through >> >>> id.apache.org >> >>> >> >>> On Fri, Feb 7, 2020 at 11:00 AM Colm O hEigeartaigh < >> [email protected] >> >>> >> >>> wrote: >> >>> >> >>>> >> >>>> Thanks, that's working now. We will have to find a way of updating >> >>>> http://www.apache.org/dist/shiro/KEYS though, as otherwise users >> won't >> >>>> be able to reliably check the signature on the releases. >> >>>> >> >>>> +1 from me on the release. >> >>>> >> >>>> Colm. >> >>>> >> >>>> On Fri, Feb 7, 2020 at 4:31 PM Brian Demers <[email protected]> >> >>>> wrote: >> >>>> >> >>>>> Hey sorry everyone, I should have checked that copy's expiration >> before >> >>>>> responding to Colm. >> >>>>> >> >>>>> repository.apache.org uses the following key servers: >> >>>>> https://keyserver.ubuntu.com/ >> >>>>> http://pool.sks-keyservers.net/ >> >>>>> (And checks the signatures when a staging repository is closed) >> >>>>> You can grab my key from either of those servers (which was >> previously >> >>>>> extended and is valid until 2021). >> >>>>> >> >>>>> I attempted to update the old SVN copy of `KEYS` but it looks like >> it >> >> is >> >>>>> read-only (now that we have moved to git). >> >>>>> >> >>>>> TL;DR: I shared the wrong link, use one of the key servers above. >> >>>>> >> >>>>> Sorry for the confusion, >> >>>>> -Brian >> >>>>> >> >>>>> On Fri, Feb 7, 2020 at 9:50 AM Benjamin Marwell <[email protected] >> > >> >>>>> wrote: >> >>>>> >> >>>>>> Good catch! >> >>>>>> >> >>>>>> Yes, this would change my vote as well to -1 until the key is >> >> extended. >> >>>>>> >> >>>>>> Non binding. >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> On Fri, 7 Feb 2020, 12:18 Colm O hEigeartaigh, < >> [email protected]> >> >>>>>> wrote: >> >>>>>> >> >>>>>>> Hi Brian, >> >>>>>>> >> >>>>>>> Looks like this is the problem: >> >>>>>>> >> >>>>>>> gpg: assuming signed data in 'shiro-root-1.5.1-source-release.zip' >> >>>>>>> gpg: Signature made Mon 03 Feb 2020 21:02:40 GMT >> >>>>>>> gpg: using DSA key >> >>>>>> 9C1FC83FF3B877CDE53B337C525875B36BFC416A >> >>>>>>> gpg: Good signature from "Brian Demers <[email protected]>" >> >>>>>> [expired] >> >>>>>>> gpg: Note: This key has expired! >> >>>>>>> >> >>>>>>> "sub 4096g/AD11985E 2009-12-10 [expires: 2015-01-03] >> >>>>>>> sig 6BFC416A 2012-01-04 Brian Demers < >> >>>>>> [email protected]>" >> >>>>>>> >> >>>>>>> I think I'll have to -1 the vote as the signing keys have >> expired... >> >>>>>>> >> >>>>>>> Colm. >> >>>>>>> >> >>>>>>> On Thu, Feb 6, 2020 at 6:32 PM Brian Demers < >> [email protected] >> >>> >> >>>>>>> wrote: >> >>>>>>> >> >>>>>>>> >> >>>>>>>> Which key server are you using? >> >>>>>>>> >> >>>>>>>> My pub key should also be included here: >> >>>>>>>> https://svn.apache.org/repos/asf/shiro/KEYS >> >>>>>>>> >> >>>>>>>> >> >>>>>>>> On Thu, Feb 6, 2020 at 5:34 AM Colm O hEigeartaigh < >> >>>>>> [email protected]> >> >>>>>>>> wrote: >> >>>>>>>> >> >>>>>>>>> Hi Brian, >> >>>>>>>>> >> >>>>>>>>> Just a query on the key you used to sign the release: >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>> >> >>>>>> >> >> >> https://repository.apache.org/content/repositories/orgapacheshiro-1025/org/apache/shiro/shiro-root/1.5.1/shiro-root-1.5.1-source-release.zip.asc >> >>>>>>>>> >> >>>>>>>>> When I try to verify with gpg I get: gpg: Can't check signature: >> >> No >> >>>>>>> public >> >>>>>>>>> key >> >>>>>>>>> >> >>>>>>>>> Contrast for example with the signature for 1.5.0: >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>> >> >>>>>> >> >> >> https://repo.maven.apache.org/maven2/org/apache/shiro/shiro-root/1.5.0/shiro-root-1.5.0-source-release.zip.asc >> >>>>>>>>> >> >>>>>>>>> Colm. >> >>>>>>>>> >> >>>>>>>>> On Tue, Feb 4, 2020 at 4:02 PM Les Hazlewood < >> >>>>>> [email protected]> >> >>>>>>>>> wrote: >> >>>>>>>>> >> >>>>>>>>>> +1 (binding) >> >>>>>>>>>> >> >>>>>>>>>> On Mon, Feb 3, 2020 at 1:37 PM Brian Demers < >> >> [email protected]> >> >>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>>> This is a call to vote in favor of releasing Apache Shiro >> >>>>>> version >> >>>>>>>>> 1.5.1. >> >>>>>>>>>>> >> >>>>>>>>>>> The 3 issues solved for 1.5.1: >> >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>> >> >>>>>>> >> >>>>>> >> >> >> https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%20%221.5.1%22%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC >> >>>>>>>>>>> >> >>>>>>>>>>> The source to be voted upon: >> >>>>>>>>>>> >> >>>>>> >> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1 >> >>>>>>>>>>> (8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 >> >>>>>>>>>>> < >> >>>>>>>>>> >> >>>>>>>>> >> >>>>>>> >> >>>>>> >> >> >> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1(8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 >> >>>>>>>>>>> >> >>>>>>>>>>> ) >> >>>>>>>>>>> >> >>>>>>>>>>> Staging repo for binaries: >> >>>>>>>>>>> >> >>>>>>>>> >> >>>>>> >> >> https://repository.apache.org/content/repositories/orgapacheshiro-1025 >> >>>>>>>>>>> >> >>>>>>>>>>> Project website (just for informational purposes, not to be >> >>>>>> voted >> >>>>>>>>> upon): >> >>>>>>>>>>> http://shiro.apache.org/ >> >>>>>>>>>>> >> >>>>>>>>>>> Guide to testing staged releases: >> >>>>>>>>>>> >> >>>>>>>>> >> >>>>>> >> >> http://maven.apache.org/guides/development/guide-testing-releases.html >> >>>>>>>>>>> >> >>>>>>>>>>> Vote open for 72 hours. Please do examine the source and >> >>>>>> binaries >> >>>>>>>>> before >> >>>>>>>>>>> voting. >> >>>>>>>>>>> >> >>>>>>>>>>> [ ] +1 >> >>>>>>>>>>> [ ] +0 >> >>>>>>>>>>> [ ] -1 (please include reasoning) >> >>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>> >> >>>>>>>> >> >>>>>>> >> >>>>>> >> >>>>> >> >> >> >>
