I think I see what happened. I had been doing `curl https://www.apache.org/dist/calcite/KEYS | gpg --import`

If you do a `curl -v`, ASF set up an HTTP/302 redirect over to https://downloads.apache.org/calcite/KEYS. I think I was passing the HTTP redirect into `gpg --import` (which, of course, imported nothing).

If I do `curl -L https://www.apache.org/dist/calcite/KEYS | gpg --import`, I then get Francis' key as expected.

Real vote coming shortly :)

On 4/20/21 6:32 PM, Francis Chuang wrote:
Hey Josh,

I believe the short key id uses the last 8 characters of the key id.

This is the output when listing my secret keys:
❯ gpg --list-secret-keys
/home/francis/.gnupg/pubring.kbx
--------------------------------
sec   rsa4096 2018-04-16 [SC]
      635665E0BE3F72552910CB74BBE44E923A970AB7
uid           [ultimate] Francis Chuang <francischu...@a....org>
ssb   rsa4096 2018-04-16 [E]

This is the entry in KEYS:
-----END PGP PUBLIC KEY BLOCK-----

pub   rsa4096/3A970AB7 2018-04-16 [SC]
uid         [ultimate] Francis Chuang <francischu...@a....org>
sig 3        3A970AB7 2018-04-16  Francis Chuang <francischu...@apache.org>
sig          2AD3FAE3 2018-07-25  Julian Hyde (CODE SIGNING KEY) <jh...@a....org>
sig          2F471B9E 2018-07-25  Jungtaek Lim (HeartSaVioR) <kabh...@g....com>
sub   rsa4096/34BCCFB3 2018-04-16 [E]
sig          3A970AB7 2018-04-16  Francis Chuang <francischu...@a....org>

-----BEGIN PGP PUBLIC KEY BLOCK-----

The last 8 characters of the key id in both short and long formats match:
635665E0BE3F72552910CB74BBE44E923A970AB7
                                3A970AB7

Francis

On 21/04/2021 4:14 am, Josh Elser wrote:
Uh, I'm confused too and seeing the same thing that Julian saw.

The key 635665E0 does not exist in the https://www.apache.org/dist/calcite/KEYS. What is in the KEYS file is 3A970AB7.

I don't see this key in pgp.mit.edu when I search, either. I can't seem to find a server which responds to do a `gpg --search-key` either.

Vladimir -- were you able to validate the signature? If so, do you have this key in `gpg --fingerprint`?

On 4/8/21 1:59 PM, Julian Hyde wrote:
Makes sense. I am forever confused by signing & keys. If other people have no concerns, then I’m fine.

On Apr 8, 2021, at 1:43 AM, Francis Chuang <francischu...@apache.org> wrote:

Regarding the key, I wonder if it's because my key was only signed by 2 other individuals. See here [1] and here [2].

[1] https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature
[2] https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209

On 8/04/2021 5:08 pm, Julian Hyde wrote:
1. Regarding the key. Even after doing
$ gpg --import  ~/apache/dist/release/calcite/KEYS
I got the following error:
$ gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
gpg: Signature made Wed 07 Apr 2021 04:23:27 PM PDT
gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <francischu...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6356 65E0 BE3F 7255 2910  CB74 BBE4 4E92 3A97 0AB7
2. Regarding gradle-wrapper.jar. Yes, it affects Calcite too.
3. Regarding LICENSE. Yes, we had a discussion before, and I don’t recall where it ended up. My opinion is that neither the release plugin (nor the release manager) should be modifying source files.
Julian
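An added example, not code from the thread or the Calcite project, that turns the pitfalls discussed above into offline checks: a 302 body piped into `gpg --import` imports nothing, the short key ID in KEYS is the tail of the fingerprint, and `gpg --verify` output should name the fingerprint published in KEYS. It assumes a POSIX shell with grep, tail, tr, curl and gpg; the fingerprint is the one quoted in the thread, and the redirect body, KEYS excerpt and verify output are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or the Calcite project. Offline
# checks for what this thread tripped over: an HTTP 302 body piped into
# `gpg --import` imports nothing; the short key ID shown in KEYS is the tail
# of the fingerprint; and `gpg --verify` must name the fingerprint published
# in KEYS, since "Good signature" alone does not say which key signed.
# The fingerprint is the one quoted in the thread; other samples are constructed.

# v4 fingerprint is 40 hex chars: long key ID = last 16, short key ID = last 8.
short_keyid() { printf '%s' "$1" | tr -d ' ' | tail -c 8; }
long_keyid()  { printf '%s' "$1" | tr -d ' ' | tail -c 16; }

# 0 if $1 contains at least one armored public key block, else 1.
looks_like_keys_file() {
    printf '%s\n' "$1" | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# 0 if the KEYS listing in $1 has a "pub" line carrying short key ID $2.
keys_lists_short_id() {
    printf '%s\n' "$1" | grep -q "^pub .*/$2 "
}

# 0 if the `gpg --verify` output in $1 reports signing-key fingerprint $2.
verify_used_fingerprint() {
    _fp=$(printf '%s' "$2" | tr -d ' ')
    printf '%s\n' "$1" | grep -q "using RSA key $_fp"
}

# Network helper (defined, not run here): follow the 302 to downloads.apache.org
# with -L and refuse to import anything that is not a key block.
import_keys_from() {
    _body=$(curl -fsSL "$1") || return 1
    looks_like_keys_file "$_body" || { echo "not a KEYS file: $1" >&2; return 1; }
    printf '%s\n' "$_body" | gpg --import
}

FP='6356 65E0 BE3F 7255 2910 CB74 BBE4 4E92 3A97 0AB7'
REDIRECT_BODY='<html><head><title>302 Found</title></head></html>'  # constructed
KEYS_SAMPLE='pub   rsa4096/3A970AB7 2018-04-16 [SC]
-----BEGIN PGP PUBLIC KEY BLOCK-----
(constructed placeholder, not real key data)
-----END PGP PUBLIC KEY BLOCK-----'
VERIFY_SAMPLE='gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <francischu...@apache.org>" [unknown]'

looks_like_keys_file "$REDIRECT_BODY" || echo "redirect body is not a KEYS file; use curl -L"
keys_lists_short_id "$KEYS_SAMPLE" "$(short_keyid "$FP")" && echo "KEYS lists $(short_keyid "$FP")"
verify_used_fingerprint "$VERIFY_SAMPLE" "$FP" && echo "signature made with the published key"
```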
On Apr 7, 2021, at 11:57 PM, Francis Chuang <francischu...@apache.org> wrote:

Hey Julian,

The key I used to sign the release is the same as the one in KEYS:

gpg --verify apache-calcite-avatica-1.18.0-src.tar.gz.asc
gpg: assuming signed data in 'apache-calcite-avatica-1.18.0-src.tar.gz'
gpg: Signature made Thu Apr  8 09:23:27 2021 AEST
gpg:                using RSA key 635665E0BE3F72552910CB74BBE44E923A970AB7
gpg: Good signature from "Francis Chuang <francischuang@a.o>" [ultimate]

For the 2 issues:
- The gradle-wrapper.jar issue probably affects calcite as well, so we need to get this fixed in both repos.
- I believe the license is generated by the release plugin. I think there was some discussion on the mailing list in the past, but I can't find the threads for some reason.

Francis

On 8/04/2021 4:01 pm, Julian Hyde wrote:
Francis,
Thank you for getting this release done. We lost momentum and I appreciate you pushing through.

Is this a different key than your existing key in KEYS? If so can you add it to https://dist.apache.org/repos/dist/release/calcite/KEYS?

Downloaded, checked signatures, checked NOTICE, LICENSE, copyright dates, built on Linux/JDK 11 and ran tests, ran RAT.
Two problems:
  * tar.gz contains a binary file (gradle/wrapper/gradle-wrapper.jar). I recently became aware that this is a breach of Apache release policy; see https://issues.apache.org/jira/browse/LEGAL-288.
  * LICENSE in the tar.gz differs from LICENSE in git
-1 (binding) due to the above two problems.
Julian
On Apr 7, 2021, at 4:33 PM, Francis Chuang <francischu...@apache.org> wrote:

Hi all,

I have created a build for Apache Calcite Avatica 1.18.0, release
candidate 0.

Thanks to everyone who has contributed to this release.

You can read the release notes here:
https://github.com/apache/calcite-avatica/blob/9486557be86bcade35d814d8a81be638395f57c6/site/_docs/history.md

The commit to be voted upon:
https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=9486557be86bcade35d814d8a81be638395f57c6

Its hash is 9486557be86bcade35d814d8a81be638395f57c6

Tag:
https://gitbox.apache.org/repos/asf?p=calcite-avatica.git;a=tag;h=refs/tags/avatica-1.18.0-rc0

The artifacts to be voted on are located here:
https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-1.18.0-rc0
(revision 46928)

The hashes of the artifacts are as follows:
a66e85749bc6cd730cbb8f89a32f2714bc09285fa547bd220f19a0aa63b2ea31bd0311e071d6abf8ef12416b661ee705c452b98ee2216871e005d1abd551c772
*apache-calcite-avatica-1.18.0-src.tar.gz

A staged Maven repository is available for review at:
https://repository.apache.org/content/repositories/orgapachecalcite-1102/org/apache/calcite/

Release artifacts are signed with the following key:
https://people.apache.org/keys/committer/francischuang.asc
https://www.apache.org/dist/calcite/KEYS

N.B.
To create the jars and test Apache Calcite Avatica: "./gradlew build -Prelease -PskipSign".

If you do not have a Java environment available, you can run the tests
using docker. To do so, install docker and docker-compose, then run
"docker-compose run test" from the root of the directory.

Please vote on releasing this package as Apache Calcite Avatica 1.18.0.

The vote is open for the next 72 hours and passes if a majority of at
least three +1 PMC votes are cast.

[ ] +1 Release this package as Apache Calcite 1.18.0
[ ]  0 I don't feel strongly about it, but I'm okay with the release
[ ] -1 Do not release this package because...


Here is my vote:

+1 (binding)

Francis
