Sorry for my rather terse -1 vote. I had assumed that we had been following the policy for a while, so when I noticed that we were not I assumed it was a mistake by the release manager.
Actually I am not sure whether it is policy, but there's definitely a strong case for including hashes. The point is this: we are voting on artifacts, principally apache-druid-0.16.0-incubating-src.tar.gz. Suppose we all vote on the current apache-druid-0.16.0-incubating-src.tar.gz, the vote passes, and then someone replaces it with a similar file that contains some bad stuff. How are we to know whether that is the file we voted on? Putting the file hash in the vote email guarantees that we are all voting on the same set of artifacts, and that set of artifacts is recorded. I think you reversed the hashes (I got 0c4b71f0 for bin, 1f25c55e for src), but that's close enough, so let's proceed. +1 (binding) Checked hashes, LICENSE, NOTICE, DISCLAIMER; ran RAT; compiled (skipping tests) using JDK 8 on Ubuntu. Checked that src.tar.gz matches git commit. Julian Julian On Sun, Sep 15, 2019 at 7:24 PM Clint Wylie <cwy...@apache.org> wrote: > > > The vote email must contain the checksums of the artifacts we are voting > on. > > Apologies, I wasn't aware of this requirement since we haven't put them in > our prior incubating release vote threads and I was just copying the same > basic template I and others have previously used. Out of curiosity is this > a new-ish requirement that I missed, or one we just didn't notice or have > just been turning a blind eye to? Regardless, since we are now maintaining > a 'how to ASF release' guide in the github repo that includes templates for > voting threads, > https://github.com/apache/incubator-druid/blob/master/distribution/asf-release-process-guide.md#body, > I'll > be sure to update it, thanks! > > > No need for a new RC; I change my vote if the release manager sends an > > email with the checksums. > > If this thread is ok, here they are: > > artifact checksums > src: > 0c4b71f077e28d2f4d3bc3f072543374570b98ec6a1918a5e1828e1da7e3871b5efb04070a8bcdbc172a817e43254640ce28a99757984be7d8dd3d607f1d870e > bin: > 1f25c55e83069cf7071a97c1e0d56732437dbac4ef373ed1ed72b5b618021b74c107269642226e80081354c8da2e92dc26f1541b01072a4720fd6cfe8dc161a8 > docker: df9b900d3726ce123a5c054768da1ea08eba6efe635ced5abc3ad72d6c835e2c > > Thanks! > Clint > > On Sun, Sep 15, 2019 at 6:22 PM Julian Hyde <jh...@apache.org> wrote: > > > -1 > > > > The vote email must contain the checksums of the artifacts we are voting > > on. > > > > No need for a new RC; I change my vote if the release manager sends an > > email with the checksums. > > > > Julian > > > > On Fri, Sep 13, 2019 at 11:57 PM Clint Wylie <cwy...@apache.org> wrote: > > > > > > Hi all, > > > > > > I have created a build for Apache Druid (incubating) 0.16.0, release > > > candidate 3. > > > > > > Thanks for everyone who has helped contribute to the release! You can > > read > > > the proposed release notes here: > > > https://github.com/apache/incubator-druid/issues/8369 > > > > > > The release candidate has been tagged in GitHub as > > > druid-0.16.0-incubating-rc3 (54d29e438a4df34d75e2385af6cefd1092c4ebb3), > > > available here: > > > > > https://github.com/apache/incubator-druid/releases/tag/druid-0.16.0-incubating-rc3 > > > > > > The artifacts to be voted on are located here: > > > > > https://dist.apache.org/repos/dist/dev/incubator/druid/0.16.0-incubating-rc3/ > > > > > > Staged druid.apache.org website documentation is available here: > > > https://druid.staged.apache.org/docs/0.16.0-incubating/design/index.html > > > > > > A Docker image containing the binary of the release candidate can be > > > retrieved via: > > > docker pull apache/incubator-druid:0.16.0-incubating-rc3 > > > > > > Release artifacts are signed with the following key: > > > https://people.apache.org/keys/committer/cwylie.asc > > > > > > This key and the key of other committers can also be found in the > > project's > > > KEYS file here: > > > https://dist.apache.org/repos/dist/release/incubator/druid/KEYS > > > > > > (If you are a committer, please feel free to add your own key to that > > file > > > by following the instructions in the file's header.) > > > > > > > > > Verify checksums: > > > diff <(shasum -a512 apache-druid-0.16.0-incubating-src.tar.gz | \ > > > cut -d ' ' -f1) \ > > > <(cat apache-druid-0.16.0-incubating-src.tar.gz.sha512 ; echo) > > > > > > diff <(shasum -a512 apache-druid-0.16.0-incubating-bin.tar.gz | \ > > > cut -d ' ' -f1) \ > > > <(cat apache-druid-0.16.0-incubating-bin.tar.gz.sha512 ; echo) > > > > > > Verify signatures: > > > gpg --verify apache-druid-0.16.0-incubating-src.tar.gz.asc \ > > > apache-druid-0.16.0-incubating-src.tar.gz > > > > > > gpg --verify apache-druid-0.16.0-incubating-bin.tar.gz.asc \ > > > apache-druid-0.16.0-incubating-bin.tar.gz > > > > > > Please review the proposed artifacts and vote. Note that Apache has > > > specific requirements that must be met before +1 binding votes can be > > cast > > > by PMC members. Please refer to the policy at > > > http://www.apache.org/legal/release-policy.html#policy for more details. > > > > > > As part of the validation process, the release artifacts can be generated > > > from source by running: > > > mvn clean install -Papache-release,dist -Dgpg.skip > > > > > > The RAT license check can be run from source by: > > > mvn apache-rat:check -Prat > > > > > > This vote will be open for at least 72 hours. The vote will pass if a > > > majority of at least three +1 PMC votes are cast. > > > > > > Once the vote has passed, the second stage vote will be called on the > > > Apache Incubator mailing list to get approval from the Incubator PMC. > > > > > > [ ] +1 Release this package as Apache Druid (incubating) 0.16.0 > > > [ ] 0 I don't feel strongly about it, but I'm okay with the release > > > [ ] -1 Do not release this package because... > > > > > > Thanks! > > > > > > Apache Druid (incubating) is an effort undergoing incubation at The > > Apache > > > Software Foundation (ASF), sponsored by the Apache Incubator. Incubation > > is > > > required of all newly accepted projects until a further review indicates > > > that the infrastructure, communications, and decision making process have > > > stabilized in a manner consistent with other successful ASF projects. > > While > > > incubation status is not necessarily a reflection of the completeness or > > > stability of the code, it does indicate that the project has yet to be > > > fully endorsed by the ASF. > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org > > For additional commands, e-mail: dev-h...@druid.apache.org > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org For additional commands, e-mail: dev-h...@druid.apache.org
