On Fri, 24 Feb 2012, Bruno Mahé wrote:
Date: Fri, 24 Feb 2012 22:43:15 +0100
From: Bruno Mahé <[email protected]>
To: [email protected]
Cc: Steve Loughran <[email protected]>, Henk P. Penning <[email protected]>
Subject: Re: Fwd: Re: An ASF yum repository?
Some questions for our dear mentors:
* Given that we are targeting a release by end of March, is it ok to leave
the current convenience artefacts as is but make sure everything will be
signed from now on?
* The previous convenience packages were not signed but the ones for the
coming release will be. That means packages/repositories metadata will
contain a signed checksum of the artefacts. Therefore signing files such
as
incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
wouldn't achieve anything but make the checker script happy since no
user or package management would know about such a signature required by
the checker script. Signing any file to make the checker script happy is
absolutely fine if it is used by Apache infra to ensure file integrity,
but it has to be noted no one but package management systems will look at
these tarballs. The only thing looking at these signatures will be the
checker script. So as part of the release process, is signing these
tarballs for the checker script a requirement?
Yes.
1. Of course "keeping the checker script happy" isn't the real
reason, but if that's your motivation : fine.
The real reason is the rule :
Every artifact distributed by the Apache Software Foundation
should and every new one must be accompanied by one file
containing an OpenPGP compatible ASCII armored detached
signature and another file containing an MD5 checksum.
which is motivated here : Why We Sign Releases :
http://www.apache.org/dev/release-signing.html#motivation
The checker just tries to verify that the rules are kept.
2. The items with "missing sigs" mentioned in the checker page
belong to some package repo you publish. It is clear that,
according to the rules, these packages must be signed, or
removed.
Regards,
HPP
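As an added illustration of the check Henk describes (example code, not the ASF checker script, which is not on this page): a POSIX shell script that walks a dist tree, reports every artifact lacking the required .asc or .md5 sidecar, and verifies the sidecars that are present. It assumes GNU coreutils md5sum and gpg on PATH, with the release signing key already imported into the local keyring; the sample input in the accompanying checks is constructed.

```shell
# Checks each artifact in a dist tree against the rule quoted above: a detached
# ASCII-armored OpenPGP signature (FILE.asc) and an MD5 checksum (FILE.md5) must
# sit beside it and both must verify. Constructed example; needs md5sum and gpg.

# is_artifact FILE: sidecar files are not themselves artifacts to check.
is_artifact() {
  case "$1" in
    *.asc|*.md5|*.sha1|*.sha512) return 1 ;;
    *) return 0 ;;
  esac
}

# verify_md5 FILE: the .md5 sidecar may hold a bare digest or md5sum's
# "digest  filename" form; compare the first hex token, case-insensitively.
# The checksum only catches corrupt downloads; authenticity comes from .asc.
verify_md5() {
  want=$(tr -d '\r' < "$1.md5" | awk '{print tolower($1); exit}')
  have=$(md5sum "$1" | awk '{print $1}')
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# check_artifact FILE: prints one finding per problem (or OK) and returns
# non-zero if either sidecar is missing or fails verification.
check_artifact() {
  f=$1; status=0
  if [ ! -f "$f.asc" ]; then
    echo "MISSING-SIG  $f"; status=1
  elif ! gpg --batch --verify "$f.asc" "$f" >/dev/null 2>&1; then
    echo "BAD-SIG      $f"; status=1
  fi
  if [ ! -f "$f.md5" ]; then
    echo "MISSING-MD5  $f"; status=1
  elif ! verify_md5 "$f"; then
    echo "BAD-MD5      $f"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK           $f"
  return "$status"
}

# check_tree DIR: check every artifact below DIR (paths without whitespace);
# returns non-zero if any artifact fails, e.g. check_tree /www/dist/incubator
check_tree() {
  fails=0
  for f in $(find "$1" -type f); do
    is_artifact "$f" || continue
    check_artifact "$f" || fails=$((fails + 1))
  done
  echo "$fails artifact(s) with problems"
  [ "$fails" -eq 0 ]
}
```

Run against a local mirror of the dist tree; every MISSING-SIG line is an artifact that, by the rule above, must be signed or removed.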
On 02/24/2012 09:59 AM, Steve Loughran wrote:
Henk says that all the stuff in the repos should be signed, somehow...
-------- Original Message --------
Subject: Re: An ASF yum repository?
Date: Fri, 24 Feb 2012 16:08:28 +0100
From: Henk P. Penning <[email protected]>
To: Steve Loughran <[email protected]>
CC: Graham Leggett <[email protected]>, Tony Stevenson
<[email protected]>, Apache Infrastructure
<[email protected]>
On Fri, 24 Feb 2012, Steve Loughran wrote:
Date: Fri, 24 Feb 2012 15:47:48 +0100
From: Steve Loughran <[email protected]>
To: Graham Leggett <[email protected]>
Cc: Tony Stevenson <[email protected]>,
Apache Infrastructure <[email protected]>
Subject: Re: An ASF yum repository?
[ ... ]
Apache Bigtop sticks its artefacts out in the right layout -and mirrors these
out to all the mirrors. Provided the directory trees get copied, it's just
the signing problem left.
http://www.apache.org/dist//incubator/bigtop/stable/repos/
Hi,
bigtop is distributing unsigned stuff ; see
http://people.apache.org/~henkp/checker/sig.html#user-rvs
for instance
incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
Can you fix that ?
Regards,
Henk Penning
--------------------------------------------------------- _
Henk P. Penning, ICT-beta R Uithof WISK-412 _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Budapestlaan 6, 3584CD Utrecht, NL F +31 30 253 4553 \_/ \_/
http://people.cs.uu.nl/henkp/ M [email protected] \_/