Hi all, I merged the SHIRO-742 on master, and will send the new vote on monday next week.
If someone want to include another PR, please let us know before ;) regards, François [email protected] Le 12/02/2020 à 19:31, Brian Demers a écrit : > This release vote has been canceled. > > We will include SHIRO-742 (from PR 201) and re-vote on 1.5.1. > > If you feel strongly about another issue going into this release, please > speak now! > > Thanks, everyone! > -Brian > > On Wed, Feb 12, 2020 at 1:25 PM Brian Demers <[email protected]> wrote: > >> Works for me. >> >> I'll cancel the vote >> >> On Tue, Feb 11, 2020 at 3:15 PM Jean-Baptiste Onofre <[email protected]> >> wrote: >> >>> Yeah, good point especially as some other projects are waiting for this >>> fix. >>> >>> Regards >>> JB >>> >>>> Le 11 févr. 2020 à 15:55, Colm O hEigeartaigh <[email protected]> a >>> écrit : >>>> I wonder if we shouldn't cancel the vote and merge >>>> https://github.com/apache/shiro/pull/201 before calling another vote? >>> It's >>>> blocking other projects (e.g. Apache Knox) into upgrading to Shiro >>> 1.5.x. >>>> Colm. >>>> >>>> On Fri, Feb 7, 2020 at 5:14 PM Brian Demers <[email protected]> >>> wrote: >>>>> I answered my own question, id.apache.org is the correct approach now: >>>>> >>>>> >>> https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys >>>>> On Fri, Feb 7, 2020 at 12:06 PM Brian Demers <[email protected]> >>>>> wrote: >>>>> >>>>>> Agreed, I'll follow up with infra and figure out what the _recomended_ >>>>>> approach is, maybe it's just a KEYS file in git, or something through >>>>>> id.apache.org >>>>>> >>>>>> On Fri, Feb 7, 2020 at 11:00 AM Colm O hEigeartaigh < >>> [email protected] >>>>>> wrote: >>>>>> >>>>>>> Thanks, that's working now. We will have to find a way of updating >>>>>>> http://www.apache.org/dist/shiro/KEYS though, as otherwise users >>> won't >>>>>>> be able to reliably check the signature on the releases. >>>>>>> >>>>>>> +1 from me on the release. >>>>>>> >>>>>>> Colm. >>>>>>> >>>>>>> On Fri, Feb 7, 2020 at 4:31 PM Brian Demers <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> Hey sorry everyone, I should have checked that copy's expiration >>> before >>>>>>>> responding to Colm. >>>>>>>> >>>>>>>> repository.apache.org uses the following key servers: >>>>>>>> https://keyserver.ubuntu.com/ >>>>>>>> http://pool.sks-keyservers.net/ >>>>>>>> (And checks the signatures when a staging repository is closed) >>>>>>>> You can grab my key from either of those servers (which was >>> previously >>>>>>>> extended and is valid until 2021). >>>>>>>> >>>>>>>> I attempted to update the old SVN copy of `KEYS` but it looks like >>> it >>>>> is >>>>>>>> read-only (now that we have moved to git). >>>>>>>> >>>>>>>> TL;DR: I shared the wrong link, use one of the key servers above. >>>>>>>> >>>>>>>> Sorry for the confusion, >>>>>>>> -Brian >>>>>>>> >>>>>>>> On Fri, Feb 7, 2020 at 9:50 AM Benjamin Marwell <[email protected] >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Good catch! >>>>>>>>> >>>>>>>>> Yes, this would change my vote as well to -1 until the key is >>>>> extended. >>>>>>>>> Non binding. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Fri, 7 Feb 2020, 12:18 Colm O hEigeartaigh, < >>> [email protected]> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hi Brian, >>>>>>>>>> >>>>>>>>>> Looks like this is the problem: >>>>>>>>>> >>>>>>>>>> gpg: assuming signed data in 'shiro-root-1.5.1-source-release.zip' >>>>>>>>>> gpg: Signature made Mon 03 Feb 2020 21:02:40 GMT >>>>>>>>>> gpg: using DSA key >>>>>>>>> 9C1FC83FF3B877CDE53B337C525875B36BFC416A >>>>>>>>>> gpg: Good signature from "Brian Demers <[email protected]>" >>>>>>>>> [expired] >>>>>>>>>> gpg: Note: This key has expired! >>>>>>>>>> >>>>>>>>>> "sub 4096g/AD11985E 2009-12-10 [expires: 2015-01-03] >>>>>>>>>> sig 6BFC416A 2012-01-04 Brian Demers < >>>>>>>>> [email protected]>" >>>>>>>>>> I think I'll have to -1 the vote as the signing keys have >>> expired... >>>>>>>>>> Colm. >>>>>>>>>> >>>>>>>>>> On Thu, Feb 6, 2020 at 6:32 PM Brian Demers < >>> [email protected] >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Which key server are you using? >>>>>>>>>>> >>>>>>>>>>> My pub key should also be included here: >>>>>>>>>>> https://svn.apache.org/repos/asf/shiro/KEYS >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Thu, Feb 6, 2020 at 5:34 AM Colm O hEigeartaigh < >>>>>>>>> [email protected]> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi Brian, >>>>>>>>>>>> >>>>>>>>>>>> Just a query on the key you used to sign the release: >>>>>>>>>>>> >>>>>>>>>>>> >>> https://repository.apache.org/content/repositories/orgapacheshiro-1025/org/apache/shiro/shiro-root/1.5.1/shiro-root-1.5.1-source-release.zip.asc >>>>>>>>>>>> When I try to verify with gpg I get: gpg: Can't check signature: >>>>> No >>>>>>>>>> public >>>>>>>>>>>> key >>>>>>>>>>>> >>>>>>>>>>>> Contrast for example with the signature for 1.5.0: >>>>>>>>>>>> >>>>>>>>>>>> >>> https://repo.maven.apache.org/maven2/org/apache/shiro/shiro-root/1.5.0/shiro-root-1.5.0-source-release.zip.asc >>>>>>>>>>>> Colm. >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Feb 4, 2020 at 4:02 PM Les Hazlewood < >>>>>>>>> [email protected]> >>>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> +1 (binding) >>>>>>>>>>>>> >>>>>>>>>>>>> On Mon, Feb 3, 2020 at 1:37 PM Brian Demers < >>>>> [email protected]> >>>>>>>>>> wrote: >>>>>>>>>>>>>> This is a call to vote in favor of releasing Apache Shiro >>>>>>>>> version >>>>>>>>>>>> 1.5.1. >>>>>>>>>>>>>> The 3 issues solved for 1.5.1: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%20%221.5.1%22%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC >>>>>>>>>>>>>> The source to be voted upon: >>>>>>>>>>>>>> >>> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1 >>>>>>>>>>>>>> (8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 >>>>>>>>>>>>>> < >>> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1(8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 >>>>>>>>>>>>>> ) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Staging repo for binaries: >>>>>>>>>>>>>> >>>>> https://repository.apache.org/content/repositories/orgapacheshiro-1025 >>>>>>>>>>>>>> Project website (just for informational purposes, not to be >>>>>>>>> voted >>>>>>>>>>>> upon): >>>>>>>>>>>>>> http://shiro.apache.org/ >>>>>>>>>>>>>> >>>>>>>>>>>>>> Guide to testing staged releases: >>>>>>>>>>>>>> >>>>> http://maven.apache.org/guides/development/guide-testing-releases.html >>>>>>>>>>>>>> Vote open for 72 hours. Please do examine the source and >>>>>>>>> binaries >>>>>>>>>>>> before >>>>>>>>>>>>>> voting. >>>>>>>>>>>>>> >>>>>>>>>>>>>> [ ] +1 >>>>>>>>>>>>>> [ ] +0 >>>>>>>>>>>>>> [ ] -1 (please include reasoning) >>>>>>>>>>>>>> >>>
