+1 (non-binding)

src package:
- verified signature and hash
- compiled source and ran unit tests
- ran integration tests
- ran RAT check
- checked LICENSE, NOTICE, DISCLAIMER


bin package:
- verified signature and hash
- ran quickstart batch and kafka ingestion tutorial
- checked LICENSE, NOTICE, DISCLAIMER


On Mon, Sep 16, 2019 at 9:07 PM David Lim <david...@apache.org> wrote:

>  +1 (binding)
>
> src package:
> - verified signature/hash
> - compared source distribution contents against git tag (54d29e4)
> - LICENSE, NOTICE, and DISCLAIMER are present
> - unit tests passed
> - licenses checked
> - built binary distribution
> - ran quickstart
>
> bin package:
> - verified signature/hash
> - verified META-INF/MANIFEST.MF:Build-Revision tag in JAR files matches
> source distribution git.version:Build-Revision (54d29e4)
> - LICENSE, NOTICE, and DISCLAIMER are present
> - ran quickstart
>
> On Mon, Sep 16, 2019 at 1:29 PM Julian Hyde <jh...@apache.org> wrote:
>
> > Full checksum. An attacker can easily generate a binary that matches a
> > given 32 bit (8 digit) hash. That’s why we use SHA-256 or SHA-512.
> >
> > If it helps, here is a typical Calcite vote email:
> >
> > http://mail-archives.apache.org/mod_mbox/calcite-dev/201906.mbox/%3cCA+EpF8vwOceAeUjv+DJU=zqrkoqu3dwckwsypqhrj6crw9e...@mail.gmail.com%3e
> >
> > > On Sep 16, 2019, at 1:43 AM, Clint Wylie <cwy...@apache.org> wrote:
> > >
> > > Ah, oops, yes indeed they are reversed, my bad! I certainly agree with all
> > > your points on why it is a good idea, and will update our template after
> > > the release to make sure we do it in the future. Is it better practice to
> > > include the full checksum, or would truncated to the first 8 or so
> > > characters be preferable to play nice with email?
> > >
> > > On Sun, Sep 15, 2019 at 8:34 PM Julian Hyde <jh...@apache.org> wrote:
> > >
> > >> Sorry for my rather terse -1 vote. I had assumed that we had been
> > >> following the policy for a while, so when I noticed that we were not I
> > >> assumed it was a mistake by the release manager.
> > >>
> > >> Actually I am not sure whether it is policy, but there's definitely a
> > >> strong case for including hashes. The point is this: we are voting on
> > >> artifacts, principally apache-druid-0.16.0-incubating-src.tar.gz.
> > >>
> > >> Suppose we all vote on the current
> > >> apache-druid-0.16.0-incubating-src.tar.gz, the vote passes, and then
> > >> someone replaces it with a similar file that contains some bad stuff.
> > >> How are we to know whether that is the file we voted on?
> > >>
> > >> Putting the file hash in the vote email guarantees that we are all
> > >> voting on the same set of artifacts, and that set of artifacts is
> > >> recorded.
> > >>
> > >> I think you reversed the hashes (I got 0c4b71f0 for bin, 1f25c55e for
> > >> src), but that's close enough, so let's proceed.
> > >>
> > >>
> > >> +1 (binding)
> > >>
> > >> Checked hashes, LICENSE, NOTICE, DISCLAIMER; ran RAT; compiled
> > >> (skipping tests) using JDK 8 on Ubuntu. Checked that src.tar.gz
> > >> matches git commit.
> > >>
> > >> Julian
> > >>
> > >>
> > >> On Sun, Sep 15, 2019 at 7:24 PM Clint Wylie <cwy...@apache.org> wrote:
> > >>>
> > >>>> The vote email must contain the checksums of the artifacts we are
> > >>>> voting on.
> > >>>
> > >>> Apologies, I wasn't aware of this requirement since we haven't put them in
> > >>> our prior incubating release vote threads and I was just copying the same
> > >>> basic template I and others have previously used. Out of curiosity is this
> > >>> a new-ish requirement that I missed, or one we just didn't notice or have
> > >>> just been turning a blind eye to? Regardless, since we are now maintaining
> > >>> a 'how to ASF release' guide in the github repo that includes templates for
> > >>> voting threads,
> > >>> https://github.com/apache/incubator-druid/blob/master/distribution/asf-release-process-guide.md#body,
> > >>> I'll be sure to update it, thanks!
> > >>>
> > >>>> No need for a new RC; I change my vote if the release manager sends an
> > >>>> email with the checksums.
> > >>>
> > >>> If this thread is ok, here they are:
> > >>>
> > >>> artifact checksums
> > >>> src:
> > >>> 0c4b71f077e28d2f4d3bc3f072543374570b98ec6a1918a5e1828e1da7e3871b5efb04070a8bcdbc172a817e43254640ce28a99757984be7d8dd3d607f1d870e
> > >>> bin:
> > >>> 1f25c55e83069cf7071a97c1e0d56732437dbac4ef373ed1ed72b5b618021b74c107269642226e80081354c8da2e92dc26f1541b01072a4720fd6cfe8dc161a8
> > >>> docker:
> > >>> df9b900d3726ce123a5c054768da1ea08eba6efe635ced5abc3ad72d6c835e2c
> > >>>
> > >>> Thanks!
> > >>> Clint
> > >>>
> > >>> On Sun, Sep 15, 2019 at 6:22 PM Julian Hyde <jh...@apache.org> wrote:
> > >>>
> > >>>> -1
> > >>>>
> > >>>> The vote email must contain the checksums of the artifacts we are
> > >>>> voting on.
> > >>>>
> > >>>> No need for a new RC; I change my vote if the release manager sends an
> > >>>> email with the checksums.
> > >>>>
> > >>>> Julian
> > >>>>
> > >>>> On Fri, Sep 13, 2019 at 11:57 PM Clint Wylie <cwy...@apache.org> wrote:
> > >>>>>
> > >>>>> Hi all,
> > >>>>>
> > >>>>> I have created a build for Apache Druid (incubating) 0.16.0, release
> > >>>>> candidate 3.
> > >>>>>
> > >>>>> Thanks for everyone who has helped contribute to the release! You can read
> > >>>>> the proposed release notes here:
> > >>>>> https://github.com/apache/incubator-druid/issues/8369
> > >>>>>
> > >>>>> The release candidate has been tagged in GitHub as
> > >>>>> druid-0.16.0-incubating-rc3 (54d29e438a4df34d75e2385af6cefd1092c4ebb3),
> > >>>>> available here:
> > >>>>> https://github.com/apache/incubator-druid/releases/tag/druid-0.16.0-incubating-rc3
> > >>>>>
> > >>>>> The artifacts to be voted on are located here:
> > >>>>> https://dist.apache.org/repos/dist/dev/incubator/druid/0.16.0-incubating-rc3/
> > >>>>>
> > >>>>> Staged druid.apache.org website documentation is available here:
> > >>>>> https://druid.staged.apache.org/docs/0.16.0-incubating/design/index.html
> > >>>>>
> > >>>>> A Docker image containing the binary of the release candidate can be
> > >>>>> retrieved via:
> > >>>>> docker pull apache/incubator-druid:0.16.0-incubating-rc3
> > >>>>>
> > >>>>> Release artifacts are signed with the following key:
> > >>>>> https://people.apache.org/keys/committer/cwylie.asc
> > >>>>>
> > >>>>> This key and the key of other committers can also be found in the project's
> > >>>>> KEYS file here:
> > >>>>> https://dist.apache.org/repos/dist/release/incubator/druid/KEYS
> > >>>>>
> > >>>>> (If you are a committer, please feel free to add your own key to that file
> > >>>>> by following the instructions in the file's header.)
> > >>>>>
> > >>>>>
> > >>>>> Verify checksums:
> > >>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-src.tar.gz | \
> > >>>>> cut -d ' ' -f1) \
> > >>>>> <(cat apache-druid-0.16.0-incubating-src.tar.gz.sha512 ; echo)
> > >>>>>
> > >>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-bin.tar.gz | \
> > >>>>> cut -d ' ' -f1) \
> > >>>>> <(cat apache-druid-0.16.0-incubating-bin.tar.gz.sha512 ; echo)
> > >>>>>
> > >>>>> Verify signatures:
> > >>>>> gpg --verify apache-druid-0.16.0-incubating-src.tar.gz.asc \
> > >>>>> apache-druid-0.16.0-incubating-src.tar.gz
> > >>>>>
> > >>>>> gpg --verify apache-druid-0.16.0-incubating-bin.tar.gz.asc \
> > >>>>> apache-druid-0.16.0-incubating-bin.tar.gz
> > >>>>>
> > >>>>> Please review the proposed artifacts and vote. Note that Apache has
> > >>>>> specific requirements that must be met before +1 binding votes can be cast
> > >>>>> by PMC members. Please refer to the policy at
> > >>>>> http://www.apache.org/legal/release-policy.html#policy for more details.
> > >>>>>
> > >>>>> As part of the validation process, the release artifacts can be generated
> > >>>>> from source by running:
> > >>>>> mvn clean install -Papache-release,dist -Dgpg.skip
> > >>>>>
> > >>>>> The RAT license check can be run from source by:
> > >>>>> mvn apache-rat:check -Prat
> > >>>>>
> > >>>>> This vote will be open for at least 72 hours. The vote will pass if a
> > >>>>> majority of at least three +1 PMC votes are cast.
> > >>>>>
> > >>>>> Once the vote has passed, the second stage vote will be called on the
> > >>>>> Apache Incubator mailing list to get approval from the Incubator PMC.
> > >>>>>
> > >>>>> [ ] +1 Release this package as Apache Druid (incubating) 0.16.0
> > >>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the release
> > >>>>> [ ] -1 Do not release this package because...
> > >>>>>
> > >>>>> Thanks!
> > >>>>>
> > >>>>> Apache Druid (incubating) is an effort undergoing incubation at The Apache
> > >>>>> Software Foundation (ASF), sponsored by the Apache Incubator. Incubation is
> > >>>>> required of all newly accepted projects until a further review indicates
> > >>>>> that the infrastructure, communications, and decision making process have
> > >>>>> stabilized in a manner consistent with other successful ASF projects. While
> > >>>>> incubation status is not necessarily a reflection of the completeness or
> > >>>>> stability of the code, it does indicate that the project has yet to be
> > >>>>> fully endorsed by the ASF.
> > >>>>
> > >>>>
> > >>>> ---------------------------------------------------------------------
> > >>>> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> > >>>> For additional commands, e-mail: dev-h...@druid.apache.org
> > >>>>
> > >>>>
> > >>
> > >>
> >
> >
>
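
The thread's two points about checksums (record the full SHA-512 in the vote email rather than an 8-character prefix, and notice when the src and bin digests are posted under the wrong labels) can be expressed as one check. This is an added example, not part of the original thread; the function names `sha512_of` and `check_artifact` and the demo files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare artifacts with the full SHA-512 digests recorded
# in a vote email. Function names and demo files are constructed.

# Print the SHA-512 hex digest of a file (sha512sum or shasum, whichever exists).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d ' ' -f1
  else
    shasum -a 512 "$1" | cut -d ' ' -f1
  fi
}

# check_artifact FILE EXPECTED [DIGEST_OF_OTHER_ARTIFACT...]
# Prints ok, truncated, swapped or mismatch; exit status is 0 only for ok.
check_artifact() {
  ca_file=$1
  ca_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  shift 2
  # SHA-512 is 128 hex characters; an 8-character prefix is not a checksum.
  if ! printf '%s\n' "$ca_expected" | grep -Eq '^[0-9a-f]{128}$'; then
    echo truncated; return 2
  fi
  ca_actual=$(sha512_of "$ca_file")
  if [ "$ca_actual" = "$ca_expected" ]; then echo ok; return 0; fi
  # The file matches a digest published under another label (e.g. src/bin swapped).
  for ca_other in "$@"; do
    if [ "$ca_actual" = "$(printf '%s' "$ca_other" | tr 'A-F' 'a-f')" ]; then
      echo swapped; return 3
    fi
  done
  echo mismatch; return 1
}

# Demo on constructed stand-in files (not the real Druid tarballs).
demo() {
  d=$(mktemp -d) || return 1
  printf 'constructed src contents\n' > "$d/src.tar.gz"
  printf 'constructed bin contents\n' > "$d/bin.tar.gz"
  s=$(sha512_of "$d/src.tar.gz"); b=$(sha512_of "$d/bin.tar.gz")
  echo "correct labels:  $(check_artifact "$d/src.tar.gz" "$s" "$b")"
  echo "reversed labels: $(check_artifact "$d/src.tar.gz" "$b" "$s")"
  echo "8-char prefix:   $(check_artifact "$d/src.tar.gz" "$(printf '%s' "$s" | cut -c1-8)")"
  rm -rf "$d"
}
demo
```

The expected digest should be copied from the archived vote email, not from the `.sha512` file sitting next to the artifact, since anyone able to replace the artifact can replace that file too.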
