+1 (binding) src package: - verified signature/hash - compared source distribution contents against git tag (54d29e4) - LICENSE, NOTICE, and DISCLAIMER are present - unit tests passed - licenses checked - built binary distribution - ran quickstart
bin package: - verified signature/hash - verified META-INF/MANIFEST.MF:Build-Revision tag in JAR files matches source distribution git.version:Build-Revision (54d29e4) - LICENSE, NOTICE, and DISCLAIMER are present - ran quickstart On Mon, Sep 16, 2019 at 1:29 PM Julian Hyde <jh...@apache.org> wrote: > Full checksum. An attacker can easily generate a binary that matches a > given 32 bit bit (8 digit) hash. That’s why we use SHA-256 or SHA-512. > > If it helps, here is a typical Calcite vote email: > > > http://mail-archives.apache.org/mod_mbox/calcite-dev/201906.mbox/%3cCA+EpF8vwOceAeUjv+DJU=zqrkoqu3dwckwsypqhrj6crw9e...@mail.gmail.com%3e > < > http://mail-archives.apache.org/mod_mbox/calcite-dev/201906.mbox/%3CCA+EpF8vwOceAeUjv+DJU=zqrkoqu3dwckwsypqhrj6crw9e...@mail.gmail.com%3E> > > > > > > > On Sep 16, 2019, at 1:43 AM, Clint Wylie <cwy...@apache.org> wrote: > > > > Ah, oops, yes indeed they are reversed, my bad! I certainly agree with > all > > your points on why it is a good idea, and will update our template after > > the release to make sure we do it in the future. Is it better practice to > > include the full checksum, or would truncated to the first 8 or so > > characters be preferable to play nice with email? > > > > On Sun, Sep 15, 2019 at 8:34 PM Julian Hyde <jh...@apache.org> wrote: > > > >> Sorry for my rather terse -1 vote. I had assumed that we had been > >> following the policy for a while, so when I noticed that we were not I > >> assumed it was a mistake by the release manager. > >> > >> Actually I am not sure whether it is policy, but there's definitely a > >> strong case for including hashes. The point is this: we are voting on > >> artifacts, principally apache-druid-0.16.0-incubating-src.tar.gz. > >> > >> Suppose we all vote on the current > >> apache-druid-0.16.0-incubating-src.tar.gz, the vote passes, and then > >> someone replaces it with a similar file that contains some bad stuff. > >> How are we to know whether that is the file we voted on? > >> > >> Putting the file hash in the vote email guarantees that we are all > >> voting on the same set of artifacts, and that set of artifacts is > >> recorded. > >> > >> I think you reversed the hashes (I got 0c4b71f0 for bin, 1f25c55e for > >> src), but that's close enough, so let's proceed. > >> > >> > >> +1 (binding) > >> > >> Checked hashes, LICENSE, NOTICE, DISCLAIMER; ran RAT; compiled > >> (skipping tests) using JDK 8 on Ubuntu. Checked that src.tar.gz > >> matches git commit. > >> > >> Julian > >> > >> > >> Julian > >> > >> On Sun, Sep 15, 2019 at 7:24 PM Clint Wylie <cwy...@apache.org> wrote: > >>> > >>>> The vote email must contain the checksums of the artifacts we are > >> voting > >>> on. > >>> > >>> Apologies, I wasn't aware of this requirement since we haven't put them > >> in > >>> our prior incubating release vote threads and I was just copying the > same > >>> basic template I and others have previously used. Out of curiosity is > >> this > >>> a new-ish requirement that I missed, or one we just didn't notice or > have > >>> just been turning a blind eye to? Regardless, since we are now > >> maintaining > >>> a 'how to ASF release' guide in the github repo that includes templates > >> for > >>> voting threads, > >>> > >> > https://github.com/apache/incubator-druid/blob/master/distribution/asf-release-process-guide.md#body > >> , > >>> I'll > >>> be sure to update it, thanks! > >>> > >>>> No need for a new RC; I change my vote if the release manager sends an > >>>> email with the checksums. > >>> > >>> If this thread is ok, here they are: > >>> > >>> artifact checksums > >>> src: > >>> > >> > 0c4b71f077e28d2f4d3bc3f072543374570b98ec6a1918a5e1828e1da7e3871b5efb04070a8bcdbc172a817e43254640ce28a99757984be7d8dd3d607f1d870e > >>> bin: > >>> > >> > 1f25c55e83069cf7071a97c1e0d56732437dbac4ef373ed1ed72b5b618021b74c107269642226e80081354c8da2e92dc26f1541b01072a4720fd6cfe8dc161a8 > >>> docker: > df9b900d3726ce123a5c054768da1ea08eba6efe635ced5abc3ad72d6c835e2c > >>> > >>> Thanks! > >>> Clint > >>> > >>> On Sun, Sep 15, 2019 at 6:22 PM Julian Hyde <jh...@apache.org> wrote: > >>> > >>>> -1 > >>>> > >>>> The vote email must contain the checksums of the artifacts we are > >> voting > >>>> on. > >>>> > >>>> No need for a new RC; I change my vote if the release manager sends an > >>>> email with the checksums. > >>>> > >>>> Julian > >>>> > >>>> On Fri, Sep 13, 2019 at 11:57 PM Clint Wylie <cwy...@apache.org> > >> wrote: > >>>>> > >>>>> Hi all, > >>>>> > >>>>> I have created a build for Apache Druid (incubating) 0.16.0, release > >>>>> candidate 3. > >>>>> > >>>>> Thanks for everyone who has helped contribute to the release! You can > >>>> read > >>>>> the proposed release notes here: > >>>>> https://github.com/apache/incubator-druid/issues/8369 > >>>>> > >>>>> The release candidate has been tagged in GitHub as > >>>>> druid-0.16.0-incubating-rc3 > >> (54d29e438a4df34d75e2385af6cefd1092c4ebb3), > >>>>> available here: > >>>>> > >>>> > >> > https://github.com/apache/incubator-druid/releases/tag/druid-0.16.0-incubating-rc3 > >>>>> > >>>>> The artifacts to be voted on are located here: > >>>>> > >>>> > >> > https://dist.apache.org/repos/dist/dev/incubator/druid/0.16.0-incubating-rc3/ > >>>>> > >>>>> Staged druid.apache.org website documentation is available here: > >>>>> > >> > https://druid.staged.apache.org/docs/0.16.0-incubating/design/index.html > >>>>> > >>>>> A Docker image containing the binary of the release candidate can be > >>>>> retrieved via: > >>>>> docker pull apache/incubator-druid:0.16.0-incubating-rc3 > >>>>> > >>>>> Release artifacts are signed with the following key: > >>>>> https://people.apache.org/keys/committer/cwylie.asc > >>>>> > >>>>> This key and the key of other committers can also be found in the > >>>> project's > >>>>> KEYS file here: > >>>>> https://dist.apache.org/repos/dist/release/incubator/druid/KEYS > >>>>> > >>>>> (If you are a committer, please feel free to add your own key to that > >>>> file > >>>>> by following the instructions in the file's header.) > >>>>> > >>>>> > >>>>> Verify checksums: > >>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-src.tar.gz | \ > >>>>> cut -d ' ' -f1) \ > >>>>> <(cat apache-druid-0.16.0-incubating-src.tar.gz.sha512 ; echo) > >>>>> > >>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-bin.tar.gz | \ > >>>>> cut -d ' ' -f1) \ > >>>>> <(cat apache-druid-0.16.0-incubating-bin.tar.gz.sha512 ; echo) > >>>>> > >>>>> Verify signatures: > >>>>> gpg --verify apache-druid-0.16.0-incubating-src.tar.gz.asc \ > >>>>> apache-druid-0.16.0-incubating-src.tar.gz > >>>>> > >>>>> gpg --verify apache-druid-0.16.0-incubating-bin.tar.gz.asc \ > >>>>> apache-druid-0.16.0-incubating-bin.tar.gz > >>>>> > >>>>> Please review the proposed artifacts and vote. Note that Apache has > >>>>> specific requirements that must be met before +1 binding votes can be > >>>> cast > >>>>> by PMC members. Please refer to the policy at > >>>>> http://www.apache.org/legal/release-policy.html#policy for more > >> details. > >>>>> > >>>>> As part of the validation process, the release artifacts can be > >> generated > >>>>> from source by running: > >>>>> mvn clean install -Papache-release,dist -Dgpg.skip > >>>>> > >>>>> The RAT license check can be run from source by: > >>>>> mvn apache-rat:check -Prat > >>>>> > >>>>> This vote will be open for at least 72 hours. The vote will pass if a > >>>>> majority of at least three +1 PMC votes are cast. > >>>>> > >>>>> Once the vote has passed, the second stage vote will be called on the > >>>>> Apache Incubator mailing list to get approval from the Incubator PMC. > >>>>> > >>>>> [ ] +1 Release this package as Apache Druid (incubating) 0.16.0 > >>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the release > >>>>> [ ] -1 Do not release this package because... > >>>>> > >>>>> Thanks! > >>>>> > >>>>> Apache Druid (incubating) is an effort undergoing incubation at The > >>>> Apache > >>>>> Software Foundation (ASF), sponsored by the Apache Incubator. > >> Incubation > >>>> is > >>>>> required of all newly accepted projects until a further review > >> indicates > >>>>> that the infrastructure, communications, and decision making process > >> have > >>>>> stabilized in a manner consistent with other successful ASF projects. > >>>> While > >>>>> incubation status is not necessarily a reflection of the > >> completeness or > >>>>> stability of the code, it does indicate that the project has yet to > >> be > >>>>> fully endorsed by the ASF. > >>>> > >>>> --------------------------------------------------------------------- > >>>> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org > >>>> For additional commands, e-mail: dev-h...@druid.apache.org > >>>> > >>>> > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org > >> For additional commands, e-mail: dev-h...@druid.apache.org > >> > >> > >
