Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-11 Thread Geertjan Wielenga 
Yes, sounds like the wrong download is being pointed to.

Gj

On Sunday, March 11, 2018, John McDonnell  wrote:

> So the website should be updated and the netcat program notified to use the
> correct download.
>
> I can send out the netcat notification in an hour or so(travelling at the
> moment) if needed but I don't have the website checked out yet to update
> that.
>
> John
>
> On 11 Mar 2018 19:52, "Jan Lahoda"  wrote:
>
> > On Sun, Mar 11, 2018 at 8:20 PM, Emilian Bold <
> emilian.b...@protonmail.ch>
> > wrote:
> >
> > > I can't find a document explaining what dist.apache.org is.
> > >
> >
> > My understanding is that there is a staging area there ("dev") and a
> > release area ("release"). I guess we shouldn't be pointing at the staging
> > area except for release votes (and, actually, my understanding is that we
> > should remove the stuff from the staging area when the vote ends one way
> or
> > another, although we didn't do that yet for this release). One important
> > thing is that:
> > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > incubating-netbeans-java/incubating-9.0-beta/
> incubating-netbeans-java-9.0-
> > beta-bin.zip.md5
> >
> > Is effectively 9.0 beta RC1, which didn't get released. The 9.0 beta
> > release is RC3:
> > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > incubating-netbeans-java/incubating-9.0-beta-rc3/
> >
> > So the RC1 is different from the released package. Anyway, unless someone
> > else does it, I'll remove the bits from the staging area sometime soon.
> >
> > Jan
> >
> >
> > >
> > > It seems to be the "staging area" for the binaries.
> > >
> > > My guess is that somebody fumbled a command from this huge list of
> steps
> > > https://cwiki.apache.org/confluence/display/NETBEANS/
> > > Apache+NetBeans+Release+README
> > >
> > > I don't believe we need to involve the security team until we dismiss a
> > > typo.
> > >
> > > --emi
> > >
> > > ‐‐‐ Original Message ‐‐‐
> > >
> > > On 8 March 2018 11:57 PM, Antonio  wrote:
> > >
> > > > Hi all,
> > > >
> > > > José Rodriguez from the users mailing list notes that the
> > > >
> > > > "incubating-netbeans-java-9.0-beta-bin.zip" files from \[1\]
> > > >
> > > > (dist.apache.org) and \[2\] (http://www-eu.apache.org) have
> different
> > > MD5
> > > >
> > > > signatures.
> > > >
> > > > A quick review shows that the files are indeed different:
> > > >
> > > > "dist" zip file (\[1\])::
> > > >
> > > > -   File timestamps 2018 jan 10
> > > > -   No "licenses" directory
> > > > -   LICENSE file is 57kb
> > > >
> > > > "eu zip" file (\[2\]) also downloaded from the Apache mirror
> > system::
> > > >
> > > > -   File timestamps 2018 feb 02
> > > > -   "licenses" directory
> > > > -   LICENSE file is 245,1 kb
> > > >
> > > > I think the one being distributed through the mirror system is
> the
> > > >
> > > > proper one, isn't it? Also I thought that the file hosted at
> "dist"
> > > was
> > > >
> > > > automatically distributed to mirrors, wasn't it?
> > > >
> > > > I don't think we should raise a ticket against Apache security,
> > > should we?
> > > >
> > > > Cheers,
> > > >
> > > > Antonio
> > > >
> > > > \[1\]
> > > >
> > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > > incubating-netbeans-java/incubating-9.0-beta/
> > incubating-netbeans-java-9.0-
> > > beta-bin.zip
> > > >
> > > > \[2\]
> > > >
> > > > http://www-eu.apache.org/dist/incubator/netbeans/incubating-
> > > netbeans-java/incubating-9.0-beta/incubating-netbeans-java-
> > > 9.0-beta-bin.zip
> > > >
> > > > On 08/03/18 20:21, John McDonnell wrote:
> > > >
> > > >
> > > > > Apologies for the spam, cross posting to dev.
> > > > >
> > > > > @Antonio, do you know if the link on the website for NetBeans 9.0
> > Beta
> > > > >
> > > > > is correct?  Looking at this thread, the signature doesn't match
> the
> > > > >
> > > > > RC3.0 thread we voted on.  If we have a small typo we should try to
> > > > >
> > > > > catch this early in the NetCat phase.
> > > > >
> > > > > Regards
> > > > >
> > > > > John
> > > > >
> > > > > On 8 March 2018 at 07:47, John McDonnell  > > > >
> > > > > mailto:mcdonnell.j...@gmail.com\> wrote:
> > > > >
> > > > > Hi Leo,
> > > > >
> > > > > I didn't import the keys, as I had previously done this step...
> > > > >
> > > > > But
> > > > >
> > > > > I'm looking at a different file then you:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > > incubating-netbeans-java/incubating-9.0-beta/
> > incubating-netbeans-java-9.0-
> > > beta-bin.zip(you)
> > > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > > incubating-netbeans-java/incubating-9.0-beta-rc3/
> > > incubating-netbeans-java-9.0-beta-bin.zip(me)
> > > > >
> > > > > @Geertjan, the vote thread you referenced earlier, we voted on
> > the
>

Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-11 Thread John McDonnell 
So the website should be updated and the netcat program notified to use the
correct download.

I can send out the netcat notification in an hour or so(travelling at the
moment) if needed but I don't have the website checked out yet to update
that.

John

On 11 Mar 2018 19:52, "Jan Lahoda"  wrote:

> On Sun, Mar 11, 2018 at 8:20 PM, Emilian Bold 
> wrote:
>
> > I can't find a document explaining what dist.apache.org is.
> >
>
> My understanding is that there is a staging area there ("dev") and a
> release area ("release"). I guess we shouldn't be pointing at the staging
> area except for release votes (and, actually, my understanding is that we
> should remove the stuff from the staging area when the vote ends one way or
> another, although we didn't do that yet for this release). One important
> thing is that:
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-
> beta-bin.zip.md5
>
> Is effectively 9.0 beta RC1, which didn't get released. The 9.0 beta
> release is RC3:
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> incubating-netbeans-java/incubating-9.0-beta-rc3/
>
> So the RC1 is different from the released package. Anyway, unless someone
> else does it, I'll remove the bits from the staging area sometime soon.
>
> Jan
>
>
> >
> > It seems to be the "staging area" for the binaries.
> >
> > My guess is that somebody fumbled a command from this huge list of steps
> > https://cwiki.apache.org/confluence/display/NETBEANS/
> > Apache+NetBeans+Release+README
> >
> > I don't believe we need to involve the security team until we dismiss a
> > typo.
> >
> > --emi
> >
> > ‐‐‐ Original Message ‐‐‐
> >
> > On 8 March 2018 11:57 PM, Antonio  wrote:
> >
> > > Hi all,
> > >
> > > José Rodriguez from the users mailing list notes that the
> > >
> > > "incubating-netbeans-java-9.0-beta-bin.zip" files from \[1\]
> > >
> > > (dist.apache.org) and \[2\] (http://www-eu.apache.org) have different
> > MD5
> > >
> > > signatures.
> > >
> > > A quick review shows that the files are indeed different:
> > >
> > > "dist" zip file (\[1\])::
> > >
> > > -   File timestamps 2018 jan 10
> > > -   No "licenses" directory
> > > -   LICENSE file is 57kb
> > >
> > > "eu zip" file (\[2\]) also downloaded from the Apache mirror
> system::
> > >
> > > -   File timestamps 2018 feb 02
> > > -   "licenses" directory
> > > -   LICENSE file is 245,1 kb
> > >
> > > I think the one being distributed through the mirror system is the
> > >
> > > proper one, isn't it? Also I thought that the file hosted at "dist"
> > was
> > >
> > > automatically distributed to mirrors, wasn't it?
> > >
> > > I don't think we should raise a ticket against Apache security,
> > should we?
> > >
> > > Cheers,
> > >
> > > Antonio
> > >
> > > \[1\]
> > >
> > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > incubating-netbeans-java/incubating-9.0-beta/
> incubating-netbeans-java-9.0-
> > beta-bin.zip
> > >
> > > \[2\]
> > >
> > > http://www-eu.apache.org/dist/incubator/netbeans/incubating-
> > netbeans-java/incubating-9.0-beta/incubating-netbeans-java-
> > 9.0-beta-bin.zip
> > >
> > > On 08/03/18 20:21, John McDonnell wrote:
> > >
> > >
> > > > Apologies for the spam, cross posting to dev.
> > > >
> > > > @Antonio, do you know if the link on the website for NetBeans 9.0
> Beta
> > > >
> > > > is correct?  Looking at this thread, the signature doesn't match the
> > > >
> > > > RC3.0 thread we voted on.  If we have a small typo we should try to
> > > >
> > > > catch this early in the NetCat phase.
> > > >
> > > > Regards
> > > >
> > > > John
> > > >
> > > > On 8 March 2018 at 07:47, John McDonnell  > > >
> > > > mailto:mcdonnell.j...@gmail.com\> wrote:
> > > >
> > > > Hi Leo,
> > > >
> > > > I didn't import the keys, as I had previously done this step...
> > > >
> > > > But
> > > >
> > > > I'm looking at a different file then you:
> > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > incubating-netbeans-java/incubating-9.0-beta/
> incubating-netbeans-java-9.0-
> > beta-bin.zip(you)
> > > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> > incubating-netbeans-java/incubating-9.0-beta-rc3/
> > incubating-netbeans-java-9.0-beta-bin.zip(me)
> > > >
> > > > @Geertjan, the vote thread you referenced earlier, we voted on
> the
> > > > link I used - and got a good signature, so I think that's okay.
> > But
> > > > the website points to a different URL (The one Leo checked).  I
> > > > suspect that the website is using the wrong URL, but before I
> jump
> > > > to that conclusion, just curious after the successful vote would
> > you
> > > > have moved theartefact to the location on the website?
> > > >
> > > > Regards
> > > >
> > > > John

Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-11 Thread Jan Lahoda 
On Sun, Mar 11, 2018 at 8:20 PM, Emilian Bold 
wrote:

> I can't find a document explaining what dist.apache.org is.
>

My understanding is that there is a staging area there ("dev") and a
release area ("release"). I guess we shouldn't be pointing at the staging
area except for release votes (and, actually, my understanding is that we
should remove the stuff from the staging area when the vote ends one way or
another, although we didn't do that yet for this release). One important
thing is that:
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.md5

Is effectively 9.0 beta RC1, which didn't get released. The 9.0 beta
release is RC3:
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/

So the RC1 is different from the released package. Anyway, unless someone
else does it, I'll remove the bits from the staging area sometime soon.

Jan


>
> It seems to be the "staging area" for the binaries.
>
> My guess is that somebody fumbled a command from this huge list of steps
> https://cwiki.apache.org/confluence/display/NETBEANS/
> Apache+NetBeans+Release+README
>
> I don't believe we need to involve the security team until we dismiss a
> typo.
>
> --emi
>
> ‐‐‐ Original Message ‐‐‐
>
> On 8 March 2018 11:57 PM, Antonio  wrote:
>
> > Hi all,
> >
> > José Rodriguez from the users mailing list notes that the
> >
> > "incubating-netbeans-java-9.0-beta-bin.zip" files from \[1\]
> >
> > (dist.apache.org) and \[2\] (http://www-eu.apache.org) have different
> MD5
> >
> > signatures.
> >
> > A quick review shows that the files are indeed different:
> >
> > "dist" zip file (\[1\])::
> >
> > -   File timestamps 2018 jan 10
> > -   No "licenses" directory
> > -   LICENSE file is 57kb
> >
> > "eu zip" file (\[2\]) also downloaded from the Apache mirror system::
> >
> > -   File timestamps 2018 feb 02
> > -   "licenses" directory
> > -   LICENSE file is 245,1 kb
> >
> > I think the one being distributed through the mirror system is the
> >
> > proper one, isn't it? Also I thought that the file hosted at "dist"
> was
> >
> > automatically distributed to mirrors, wasn't it?
> >
> > I don't think we should raise a ticket against Apache security,
> should we?
> >
> > Cheers,
> >
> > Antonio
> >
> > \[1\]
> >
> > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-
> beta-bin.zip
> >
> > \[2\]
> >
> > http://www-eu.apache.org/dist/incubator/netbeans/incubating-
> netbeans-java/incubating-9.0-beta/incubating-netbeans-java-
> 9.0-beta-bin.zip
> >
> > On 08/03/18 20:21, John McDonnell wrote:
> >
> >
> > > Apologies for the spam, cross posting to dev.
> > >
> > > @Antonio, do you know if the link on the website for NetBeans 9.0 Beta
> > >
> > > is correct?  Looking at this thread, the signature doesn't match the
> > >
> > > RC3.0 thread we voted on.  If we have a small typo we should try to
> > >
> > > catch this early in the NetCat phase.
> > >
> > > Regards
> > >
> > > John
> > >
> > > On 8 March 2018 at 07:47, John McDonnell  > >
> > > mailto:mcdonnell.j...@gmail.com\> wrote:
> > >
> > > Hi Leo,
> > >
> > > I didn't import the keys, as I had previously done this step...
> > >
> > > But
> > >
> > > I'm looking at a different file then you:
> > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-
> beta-bin.zip(you)
> > > https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> incubating-netbeans-java/incubating-9.0-beta-rc3/
> incubating-netbeans-java-9.0-beta-bin.zip(me)
> > >
> > > @Geertjan, the vote thread you referenced earlier, we voted on the
> > > link I used - and got a good signature, so I think that's okay.
> But
> > > the website points to a different URL (The one Leo checked).  I
> > > suspect that the website is using the wrong URL, but before I jump
> > > to that conclusion, just curious after the successful vote would
> you
> > > have moved theartefact to the location on the website?
> > >
> > > Regards
> > >
> > > John
> > >
> > >
> > > On 8 March 2018 at 01:50, Leo Donahue  > > > wrote:
> > >
> > > Hi John,
> > >
> > > I noticed that you didn't issue:  gpg --import KEYS
> > >
> > > I tried again, using wget to download the binary zip file, same
> > > result.  I have also tried different mirrors.  I guess I will
> > > just build from source, I was just being lazy.
> > >
> > > (The --list-keys command illustrates I don't already have the
> > > KEYS file imported)
> > >
> > > leo@vmw01:~$ *gpg

Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-11 Thread Emilian Bold 
I can't find a document explaining what dist.apache.org is.

It seems to be the "staging area" for the binaries.

My guess is that somebody fumbled a command from this huge list of steps 
https://cwiki.apache.org/confluence/display/NETBEANS/Apache+NetBeans+Release+README

I don't believe we need to involve the security team until we dismiss a typo.

--emi

‐‐‐ Original Message ‐‐‐

On 8 March 2018 11:57 PM, Antonio  wrote:

> Hi all,
> 
> José Rodriguez from the users mailing list notes that the
> 
> "incubating-netbeans-java-9.0-beta-bin.zip" files from \[1\]
> 
> (dist.apache.org) and \[2\] (http://www-eu.apache.org) have different MD5
> 
> signatures.
> 
> A quick review shows that the files are indeed different:
> 
> "dist" zip file (\[1\])::
> 
> -   File timestamps 2018 jan 10
> -   No "licenses" directory
> -   LICENSE file is 57kb
> 
> "eu zip" file (\[2\]) also downloaded from the Apache mirror system::
> 
> -   File timestamps 2018 feb 02
> -   "licenses" directory
> -   LICENSE file is 245,1 kb
> 
> I think the one being distributed through the mirror system is the
> 
> proper one, isn't it? Also I thought that the file hosted at "dist" was
> 
> automatically distributed to mirrors, wasn't it?
> 
> I don't think we should raise a ticket against Apache security, should we?
> 
> Cheers,
> 
> Antonio
> 
> \[1\]
> 
> 
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> 
> \[2\]
> 
> 
> http://www-eu.apache.org/dist/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> 
> On 08/03/18 20:21, John McDonnell wrote:
> 
> 
> > Apologies for the spam, cross posting to dev.
> > 
> > @Antonio, do you know if the link on the website for NetBeans 9.0 Beta
> > 
> > is correct?  Looking at this thread, the signature doesn't match the
> > 
> > RC3.0 thread we voted on.  If we have a small typo we should try to
> > 
> > catch this early in the NetCat phase.
> > 
> > Regards
> > 
> > John
> > 
> > On 8 March 2018 at 07:47, John McDonnell  > 
> > mailto:mcdonnell.j...@gmail.com\> wrote:
> > 
> > Hi Leo,
> > 
> > I didn't import the keys, as I had previously done this step...
> > 
> > But
> > 
> > I'm looking at a different file then you:
> > 
> > https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip(you)
> > 
> > https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip(me)
> > 
> > @Geertjan, the vote thread you referenced earlier, we voted on the
> > link I used - and got a good signature, so I think that's okay.  But
> > the website points to a different URL (The one Leo checked).  I
> > suspect that the website is using the wrong URL, but before I jump
> > to that conclusion, just curious after the successful vote would you
> > have moved theartefact to the location on the website?
> > 
> > Regards
> > 
> > John
> > 
> > 
> > On 8 March 2018 at 01:50, Leo Donahue  > > wrote:
> > 
> > Hi John,
> > 
> > I noticed that you didn't issue:  gpg --import KEYS
> > 
> > I tried again, using wget to download the binary zip file, same
> > result.  I have also tried different mirrors.  I guess I will
> > just build from source, I was just being lazy.
> > 
> > (The --list-keys command illustrates I don't already have the
> > KEYS file imported)
> > 
> > leo@vmw01:~$ *gpg --list-keys*
> > leo@vmw01:~$ *wget
> > https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> > 
> > *
> > --2018-03-07 18:40:53--
> > https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> > 
> > Resolving dist.apache.org 
> > (dist.apache.org )... 209.188.14.144
> > Connecting to dist.apache.org 
> > (dist.apache.org
> > )|209.188.14.144|:443... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 7594 (7.4K) [text/plain]
> > Saving to: ‘KEYS’
> > 
> > KEYS 
> > 
> > 100%[===>]
> >  
> >   7.42K  --.-KB/s    in 0s
> > 
> >

Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-08 Thread Antonio 

Hi all,

José Rodriguez from the users mailing list notes that the 
"incubating-netbeans-java-9.0-beta-bin.zip" files from [1] 
(dist.apache.org) and [2] (http://www-eu.apache.org) have different MD5 
signatures.


A quick review shows that the files are indeed different:

"dist" zip file ([1])::
- File timestamps 2018 jan 10
- No "licenses" directory
- LICENSE file is 57kb

"eu zip" file ([2]) also downloaded from the Apache mirror system::
- File timestamps 2018 feb 02
- "licenses" directory
- LICENSE file is 245,1 kb

I think the one being distributed through the mirror system is the 
proper one, isn't it? Also I thought that the file hosted at "dist" was 
automatically distributed to mirrors, wasn't it?


I don't think we should raise a ticket against Apache security, should we?

Cheers,
Antonio

[1]
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip

[2]
http://www-eu.apache.org/dist/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip


On 08/03/18 20:21, John McDonnell wrote:

Apologies for the spam, cross posting to dev.

@Antonio, do you know if the link on the website for NetBeans 9.0 Beta 
is correct?  Looking at this thread, the signature doesn't match the 
RC3.0 thread we voted on.  If we have a small typo we should try to 
catch this early in the NetCat phase.


Regards

John


On 8 March 2018 at 07:47, John McDonnell > wrote:


Hi Leo,

I didn't import the keys, as I had previously done this step...

But

I'm looking at a different file then you:

https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip(you)

https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip(me)

@Geertjan, the vote thread you referenced earlier, we voted on the
link I used - and got a good signature, so I think that's okay.  But
the website points to a different URL (The one Leo checked).  I
suspect that the website is using the wrong URL, but before I jump
to that conclusion, just curious after the successful vote would you
have moved theartefact to the location on the website?

Regards

John


On 8 March 2018 at 01:50, Leo Donahue > wrote:

Hi John,

I noticed that you didn't issue:  gpg --import KEYS

I tried again, using wget to download the binary zip file, same
result.  I have also tried different mirrors.  I guess I will
just build from source, I was just being lazy.

(The --list-keys command illustrates I don't already have the
KEYS file imported)

leo@vmw01:~$ *gpg --list-keys*
leo@vmw01:~$ *wget
https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
*
--2018-03-07 18:40:53--
https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS

Resolving dist.apache.org 
(dist.apache.org )... 209.188.14.144
Connecting to dist.apache.org 
(dist.apache.org
)|209.188.14.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7594 (7.4K) [text/plain]
Saving to: ‘KEYS’

KEYS 
100%[===>] 
  7.42K  --.-KB/s    in 0s


2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]

leo@vmw01:~$ *wget

https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc

*
--2018-03-07 18:41:11--

https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc


Resolving dist.apache.org 
(dist.apache.org )... 209.188.14.144
Connecting to dist.apache.org 
(dist.apache.org
)|209.188.14.144|:443... connected.
HTTP request

Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-08 Thread John McDonnell 
The way I understand it, the artefact we voted on, that has a good
signature.  The one on the website that results in the bad signature.  So
either the website isn't pointing to the correct artefact, or something has
gone wrong somewhere.

John

On 8 March 2018 at 20:11, Geertjan Wielenga <
geertjan.wiele...@googlemail.com> wrote:

> Yes, I think we need to sort out what's going on here.
>
> Though if it turns out there's a problem with the signing of the Beta, I
> think that means we need to be all the more careful and really verify
> everything in that regard (maybe have a dedicated signature verification
> team) for the final release.
>
> Gj
>
> On Thu, Mar 8, 2018 at 8:21 PM, John McDonnell 
> wrote:
>
> > Apologies for the spam, cross posting to dev.
> >
> > @Antonio, do you know if the link on the website for NetBeans 9.0 Beta is
> > correct?  Looking at this thread, the signature doesn't match the RC3.0
> > thread we voted on.  If we have a small typo we should try to catch this
> > early in the NetCat phase.
> >
> > Regards
> >
> > John
> >
> >
> > On 8 March 2018 at 07:47, John McDonnell 
> wrote:
> >
> >> Hi Leo,
> >>
> >> I didn't import the keys, as I had previously done this step...
> >>
> >> But
> >>
> >> I'm looking at a different file then you:
> >> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
> >> cubating-netbeans-java/incubating-9.0-beta/incubating-netbea
> >> ns-java-9.0-beta-bin.zip(you)
> >> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
> >> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-ne
> >> tbeans-java-9.0-beta-bin.zip(me)
> >>
> >> @Geertjan, the vote thread you referenced earlier, we voted on the link
> I
> >> used - and got a good signature, so I think that's okay.  But the
> website
> >> points to a different URL (The one Leo checked).  I suspect that the
> >> website is using the wrong URL, but before I jump to that conclusion,
> just
> >> curious after the successful vote would you have moved the artefact to
> >> the location on the website?
> >>
> >> Regards
> >>
> >> John
> >>
> >>
> >> On 8 March 2018 at 01:50, Leo Donahue  wrote:
> >>
> >>> Hi John,
> >>>
> >>> I noticed that you didn't issue:  gpg --import KEYS
> >>>
> >>> I tried again, using wget to download the binary zip file, same result.
> >>> I have also tried different mirrors.  I guess I will just build from
> >>> source, I was just being lazy.
> >>>
> >>> (The --list-keys command illustrates I don't already have the KEYS file
> >>> imported)
> >>>
> >>> leo@vmw01:~$ *gpg --list-keys*
> >>> leo@vmw01:~$ *wget
> >>> https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> >>> *
> >>> --2018-03-07 18:40:53--  https://dist.apache.org/repos/
> >>> dist/release/incubator/netbeans/KEYS
> >>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> >>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
> >>> connected.
> >>> HTTP request sent, awaiting response... 200 OK
> >>> Length: 7594 (7.4K) [text/plain]
> >>> Saving to: ‘KEYS’
> >>>
> >>> KEYS  100%[=
> >>> ==>]   7.42K  --.-KB/s
> >>> in 0s
> >>>
> >>> 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
> >>>
> >>> leo@vmw01:~$ *wget
> >>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-
> beta-bin.zip.asc
> >>>  netbeans/incubating-netbeans-java/incubating-9.0-beta/
> incubating-netbeans-java-9.0-beta-bin.zip.asc>*
> >>> --2018-03-07 18:41:11--  https://dist.apache.org/repos/
> >>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat
> >>> ing-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> >>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> >>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
> >>> connected.
> >>> HTTP request sent, awaiting response... 200 OK
> >>> Length: 819 [text/plain]
> >>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
> >>>
> >>> incubating-netbeans-java-9.0-beta-bin 100%[=
> >>> ==>] 819  --.-KB/s
> >>> in 0s
> >>>
> >>> 2018-03-07 18:41:11 (16.4 MB/s) - ‘incubating-netbeans-java-9.0-
> beta-bin.zip.asc’
> >>> saved [819/819]
> >>>
> >>> leo@vmw01:~$ *wget
> >>> http://apache.cs.utah.edu/incubator/netbeans/incubating-
> netbeans-java/incubating-9.0-beta/incubating-netbeans-java-
> 9.0-beta-bin.zip
> >>>  netbeans-java/incubating-9.0-beta/incubating-netbeans-java-
> 9.0-beta-bin.zip>*
> >>> --2018-03-07 18:41:41--  http://apache.cs.utah.edu/incu
> >>>

Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-08 Thread Geertjan Wielenga 
Yes, I think we need to sort out what's going on here.

Though if it turns out there's a problem with the signing of the Beta, I
think that means we need to be all the more careful and really verify
everything in that regard (maybe have a dedicated signature verification
team) for the final release.

Gj

On Thu, Mar 8, 2018 at 8:21 PM, John McDonnell 
wrote:

> Apologies for the spam, cross posting to dev.
>
> @Antonio, do you know if the link on the website for NetBeans 9.0 Beta is
> correct?  Looking at this thread, the signature doesn't match the RC3.0
> thread we voted on.  If we have a small typo we should try to catch this
> early in the NetCat phase.
>
> Regards
>
> John
>
>
> On 8 March 2018 at 07:47, John McDonnell  wrote:
>
>> Hi Leo,
>>
>> I didn't import the keys, as I had previously done this step...
>>
>> But
>>
>> I'm looking at a different file then you:
>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
>> cubating-netbeans-java/incubating-9.0-beta/incubating-netbea
>> ns-java-9.0-beta-bin.zip(you)
>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
>> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-ne
>> tbeans-java-9.0-beta-bin.zip(me)
>>
>> @Geertjan, the vote thread you referenced earlier, we voted on the link I
>> used - and got a good signature, so I think that's okay.  But the website
>> points to a different URL (The one Leo checked).  I suspect that the
>> website is using the wrong URL, but before I jump to that conclusion, just
>> curious after the successful vote would you have moved the artefact to
>> the location on the website?
>>
>> Regards
>>
>> John
>>
>>
>> On 8 March 2018 at 01:50, Leo Donahue  wrote:
>>
>>> Hi John,
>>>
>>> I noticed that you didn't issue:  gpg --import KEYS
>>>
>>> I tried again, using wget to download the binary zip file, same result.
>>> I have also tried different mirrors.  I guess I will just build from
>>> source, I was just being lazy.
>>>
>>> (The --list-keys command illustrates I don't already have the KEYS file
>>> imported)
>>>
>>> leo@vmw01:~$ *gpg --list-keys*
>>> leo@vmw01:~$ *wget
>>> https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
>>> *
>>> --2018-03-07 18:40:53--  https://dist.apache.org/repos/
>>> dist/release/incubator/netbeans/KEYS
>>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
>>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
>>> connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 7594 (7.4K) [text/plain]
>>> Saving to: ‘KEYS’
>>>
>>> KEYS  100%[=
>>> ==>]   7.42K  --.-KB/s
>>> in 0s
>>>
>>> 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
>>>
>>> leo@vmw01:~$ *wget
>>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>> *
>>> --2018-03-07 18:41:11--  https://dist.apache.org/repos/
>>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat
>>> ing-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
>>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
>>> connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 819 [text/plain]
>>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
>>>
>>> incubating-netbeans-java-9.0-beta-bin 100%[=
>>> ==>] 819  --.-KB/s
>>> in 0s
>>>
>>> 2018-03-07 18:41:11 (16.4 MB/s) - 
>>> ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
>>> saved [819/819]
>>>
>>> leo@vmw01:~$ *wget
>>> http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
>>> *
>>> --2018-03-07 18:41:41--  http://apache.cs.utah.edu/incu
>>> bator/netbeans/incubating-netbeans-java/incubating-9.0-beta/
>>> incubating-netbeans-java-9.0-beta-bin.zip
>>> Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
>>> Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80...
>>> connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 167193685 (159M) [application/zip]
>>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
>>>
>>> incubating-netbeans-java-9.0-beta-bin 100%[=
>>> ==>] 159.45M  8.14MB/s
>>> in 31s
>>>
>>> 2018-03-07

Re: incubating-netbeans-java-9.0-beta-bin.zip

2018-03-08 Thread John McDonnell 
Apologies for the spam, cross posting to dev.

@Antonio, do you know if the link on the website for NetBeans 9.0 Beta is
correct?  Looking at this thread, the signature doesn't match the RC3.0
thread we voted on.  If we have a small typo we should try to catch this
early in the NetCat phase.

Regards

John


On 8 March 2018 at 07:47, John McDonnell  wrote:

> Hi Leo,
>
> I didn't import the keys, as I had previously done this step...
>
> But
>
> I'm looking at a different file then you:
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
> cubating-netbeans-java/incubating-9.0-beta/incubating-
> netbeans-java-9.0-beta-bin.zip(you)
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-
> netbeans-java-9.0-beta-bin.zip(me)
>
> @Geertjan, the vote thread you referenced earlier, we voted on the link I
> used - and got a good signature, so I think that's okay.  But the website
> points to a different URL (The one Leo checked).  I suspect that the
> website is using the wrong URL, but before I jump to that conclusion, just
> curious after the successful vote would you have moved the artefact to
> the location on the website?
>
> Regards
>
> John
>
>
> On 8 March 2018 at 01:50, Leo Donahue  wrote:
>
>> Hi John,
>>
>> I noticed that you didn't issue:  gpg --import KEYS
>>
>> I tried again, using wget to download the binary zip file, same result.
>> I have also tried different mirrors.  I guess I will just build from
>> source, I was just being lazy.
>>
>> (The --list-keys command illustrates I don't already have the KEYS file
>> imported)
>>
>> leo@vmw01:~$ *gpg --list-keys*
>> leo@vmw01:~$ *wget
>> https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
>> *
>> --2018-03-07 18:40:53--  https://dist.apache.org/repos/
>> dist/release/incubator/netbeans/KEYS
>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
>> connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 7594 (7.4K) [text/plain]
>> Saving to: ‘KEYS’
>>
>> KEYS  100%[=
>> ==>]   7.42K  --.-KB/sin
>> 0s
>>
>> 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
>>
>> leo@vmw01:~$ *wget
>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>> *
>> --2018-03-07 18:41:11--  https://dist.apache.org/repos/
>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat
>> ing-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
>> connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 819 [text/plain]
>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
>>
>> incubating-netbeans-java-9.0-beta-bin 100%[=
>> ==>] 819  --.-KB/sin
>> 0s
>>
>> 2018-03-07 18:41:11 (16.4 MB/s) - 
>> ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
>> saved [819/819]
>>
>> leo@vmw01:~$ *wget
>> http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
>> *
>> --2018-03-07 18:41:41--  http://apache.cs.utah.edu/incu
>> bator/netbeans/incubating-netbeans-java/incubating-9.0-beta/
>> incubating-netbeans-java-9.0-beta-bin.zip
>> Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
>> Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80...
>> connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 167193685 (159M) [application/zip]
>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
>>
>> incubating-netbeans-java-9.0-beta-bin 100%[=
>> ==>] 159.45M  8.14MB/sin
>> 31s
>>
>> 2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’
>> saved [167193685/167193685]
>>
>> leo@vmw01:~$ *gpg --import KEYS*
>> gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache
>> NetBeans & co. releases.) " imported
>> gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for
>> signing Apache NetBeans & co. releases.) " imported
>> gpg: Total number processed: 2
>> gpg:   imported: 2
>>