Henk kindly pointed me to the KEYS file that I had missed, thank you. So, +1. I checked the signatures, the LICENSE, NOTICE, and DISCLAIMER files.
Alan.

On Tue, Mar 13, 2018 at 10:42 AM, Alan Gates <alanfga...@gmail.com> wrote:

> Per https://www.apache.org/dev/release-distribution#sigs-and-sums
> correctly, the KEYS file is required, hence my comment.
>
> Alan.
>
> On Tue, Mar 13, 2018 at 10:34 AM, Henk P. Penning <penn...@uu.nl> wrote:
>
>> On Tue, 13 Mar 2018, Alan Gates wrote:
>>
>> Date: Tue, 13 Mar 2018 18:04:08 +0100
>>> From: Alan Gates <alanfga...@gmail.com>
>>> To: general@incubator.apache.org
>>> Subject: Re: [VOTE]: Apache HAWQ 2.3.0.0-incubating Release
>>>
>>> I can't find a KEYS file anywhere in HAWQ to check the key
>>> against. There is also no name associated with the key, so I'm not
>>> clear how to check the signature.
>>>
>>
>> Actually, you don't need a KEYS file to verify a .asc :
>>
>> % gpg apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
>> gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
>> gpg: using RSA key CE60F90D1333092A
>> gpg: Can't check signature: No public key
>>
>> No public key ; so, fetch it :
>>
>> % gpg --keyserver pgp.surfnet.nl --recv-key CE60F90D1333092A
>> gpg: requesting key CE60F90D1333092A from hkp server pgp.surfnet.nl
>> gpg: key CE60F90D1333092A: public key "Yi Jin <y...@apache.org>" imported
>> gpg: Total number processed: 1
>> gpg: imported: 1 (RSA: 1)
>>
>> ... and --verify :
>>
>> % gpg --verify apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
>> gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
>> gpg: using RSA key CE60F90D1333092A
>> gpg: Good signature from "Yi Jin <y...@apache.org>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 41B0 0770 75DF DAFC F809 9A91 CE60 F90D 1333 092A
>>
>> % gpg --verify apache-hawq-rpm-2.3.0.0-incubating-rc2.tar.gz.asc
>> gpg: Signature made Tue 27 Feb 2018 04:38:53 AM CET
>> gpg: using RSA key CE60F90D1333092A
>> gpg: Good signature from "Yi Jin <y...@apache.org>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 41B0 0770 75DF DAFC F809 9A91 CE60 F90D 1333 092A
>>
>> Note :
>> - Always use long (16-hex) key-id's, because short (8-hex)
>>   key-id's often point (also) to fake keys.
>>   In your $HOME/.gnupg/gpg.conf configure : keyid-format long
>> - To check that CE60F90D1333092A is authorised to sign the artifacts,
>>   is another matter.
>>
>> IMHO, KEYS files serve no purpose.
>>
>> Regards,
>>
>> Henk Penning
>>
>> ------------------------------------------------------------
>> Henk P. Penning, ICT-beta                  R Uithof MG-403
>> Faculty of Science, Utrecht University     T +31 30 253 4106
>> Leuvenlaan 4, 3584CE Utrecht, NL           F +31 30 253 4553
>> http://www.staff.science.uu.nl/~penni101/  M penn...@uu.nl
>>
>> On Mon, Mar 12, 2018 at 7:56 PM, Roman Shaposhnik <ro...@shaposhnik.org>
>>> wrote:
>>>
>>> +1 (binding)
>>>>
>>>> * checked sigs and checksums
>>>> * checked licenses
>>>> * checked for archive matching git tag
>>>>
>>>> Thanks,
>>>> Roman.
>>>>
>>>>
>>>> On Mon, Mar 12, 2018 at 12:21 PM, Konstantin Boudnik <c...@apache.org>
>>>> wrote:
>>>>
>>>>> +1 [binding]
>>>>>
>>>>> - signature check [ok]
>>>>> - checksum check [ok]
>>>>> - licenses check (RAT) [ok]
>>>>>
>>>>> I haven't tried to build it because of the complexity of the build
>>>>> process and multiplicity of the environment configurations. To lower
>>>>> the entry barrier, I would recommend the community to think how to
>>>>> wrap these steps into the build system.
>>>>> You can go as far as to
>>>>> provide an "official" toolchain for the project. In Bigtop, we even
>>>>> provide official Docker containers where people can start working with
>>>>> the project in under 2 minutes and without any need for additional
>>>>> error prone configuration steps.
>>>>> --
>>>>> With regards,
>>>>> Konstantin (Cos) Boudnik
>>>>> 2CAC 8312 4870 D885 8616 6115 220F 6980 1F27 E622
>>>>>
>>>>> Disclaimer: Opinions expressed in this email are those of the author,
>>>>> and do not necessarily represent the views of any company the author
>>>>> might be affiliated with at the moment of writing.
>>>>>
>>>>>
>>>>> On Tue, Mar 6, 2018 at 6:56 PM, Yi JIN <y...@apache.org> wrote:
>>>>>
>>>>>> Hi IPMC members,
>>>>>>
>>>>>> The PPMC vote for the Apache HAWQ 2.3.0.0-incubating release has
>>>>>> passed.
>>>>>> So I request IPMC now to vote on this release candidate. Thank you!
>>>>>>
>>>>>> The release page is here:
>>>>>> https://cwiki.apache.org/confluence/display/HAWQ/Apache+HAWQ+2.3.0.0-incubating+Release
>>>>>>
>>>>>> The PPMC vote thread is located here:
>>>>>> https://lists.apache.org/thread.html/fa5b41cd7461bd729146e10d8f7a54156c818f93e5a1160c42e76c79@%3Cdev.hawq.apache.org%3E
>>>>>>
>>>>>> The artifacts can be downloaded here:
>>>>>> https://dist.apache.org/repos/dist/dev/incubator/hawq/2.3.0.0-incubating.RC2/
>>>>>>
>>>>>> The artifacts have been signed with Key : CE60F90D1333092A
>>>>>>
>>>>>> All JIRAs completed for this release are tagged with 'FixVersion
>>>>>> =2.3.0.0-incubating'
>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12340262&styleName=Html&projectId=12318826
>>>>>>
>>>>>> Please vote accordingly:
>>>>>> [ ] +1, accept as the official Apache HAWQ 2.3.0.0-incubating release
>>>>>> [ ] -1, do not accept as the official Apache HAWQ 2.3.0.0-incubating release
>>>>>> because...
>>>>>>
>>>>>> The vote will run for at least 72 hours.
>>>>>>
>>>>>> Best regards,
>>>>>> Yi Jin (yjin)
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>>>> For additional commands, e-mail: general-h...@incubator.apache.org
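
Added example, not part of the thread and not Apache tooling: one way to settle the point Henk leaves open (whether CE60F90D1333092A is authorised to sign) is to import only the project's KEYS file into a throwaway keyring and compare the full 40-hex fingerprint that gpg reports against a pinned value. The function names `norm_fpr`, `status_signed_by` and `verify_release` and the sample status lines are constructed for illustration; the fingerprint is the one shown in the gpg output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: pin the signer's full fingerprint.

# Strip spaces and upper-case a fingerprint as gpg prints it.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# Read `gpg --status-fd` lines on stdin. Succeed only if the signature is good
# and VALIDSIG's last field (the primary key fingerprint) equals $1.
status_signed_by() {
    want=$(norm_fpr "$1")
    [ "${#want}" -eq 40 ] || return 2   # a 16-hex key ID is not a pin
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }'
}

# verify_release KEYS SIGNATURE ARTIFACT FINGERPRINT
# Uses a throwaway keyring holding only KEYS, so a key fetched earlier from a
# keyserver into ~/.gnupg cannot satisfy the check.
verify_release() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_signed_by "$4"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed status lines (not captured from a real run), shaped like gpg's
# machine-readable output for the signature discussed in the thread.
SAMPLE_STATUS='[GNUPG:] GOODSIG CE60F90D1333092A Yi Jin
[GNUPG:] VALIDSIG 41B0077075DFDAFCF8099A91CE60F90D1333092A 2018-02-27 1519702517 0 4 0 1 8 00 41B0077075DFDAFCF8099A91CE60F90D1333092A'

if printf '%s\n' "$SAMPLE_STATUS" | status_signed_by \
    "41B0 0770 75DF DAFC F809 9A91 CE60 F90D 1333 092A"; then
    echo "signature good and fingerprint matches the pin"
fi
```

The pinned fingerprint should come from a channel other than the keyserver that supplied the key, which is the role the KEYS file plays in the release policy Alan cites.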