Thanks for the votes everyone! We've got enough binding +1 so I'm going to close this vote soon and prepare for the IPMC vote thread.
On Mon, Sep 16, 2019 at 9:38 PM Surekha Saharan <[email protected]> wrote: > +1 (non-binding) > > src package: > - verified signature and hash > - compiled source and ran unit tests > - ran integration tests > - ran RAT check > - checked LICENSE, NOTICE, DISCLAIMER > > > bin package: > - verified signature and hash > - ran quickstart batch and kafka ingestion tutorial > - checked LICENSE, NOTICE, DISCLAIMER > > > On Mon, Sep 16, 2019 at 9:07 PM David Lim <[email protected]> wrote: > > > +1 (binding) > > > > src package: > > - verified signature/hash > > - compared source distribution contents against git tag (54d29e4) > > - LICENSE, NOTICE, and DISCLAIMER are present > > - unit tests passed > > - licenses checked > > - built binary distribution > > - ran quickstart > > > > bin package: > > - verified signature/hash > > - verified META-INF/MANIFEST.MF:Build-Revision tag in JAR files matches > > source distribution git.version:Build-Revision (54d29e4) > > - LICENSE, NOTICE, and DISCLAIMER are present > > - ran quickstart > > > > On Mon, Sep 16, 2019 at 1:29 PM Julian Hyde <[email protected]> wrote: > > > > > Full checksum. An attacker can easily generate a binary that matches a > > > given 32 bit bit (8 digit) hash. That’s why we use SHA-256 or SHA-512. > > > > > > If it helps, here is a typical Calcite vote email: > > > > > > > > > > > > http://mail-archives.apache.org/mod_mbox/calcite-dev/201906.mbox/%3cCA+EpF8vwOceAeUjv+DJU=zqrkoqu3dwckwsypqhrj6crw9e...@mail.gmail.com%3e > > > < > > > > > > http://mail-archives.apache.org/mod_mbox/calcite-dev/201906.mbox/%3CCA+EpF8vwOceAeUjv+DJU=zqrkoqu3dwckwsypqhrj6crw9e...@mail.gmail.com%3E > > > > > > > > > > > > > > > > > > > > > > On Sep 16, 2019, at 1:43 AM, Clint Wylie <[email protected]> wrote: > > > > > > > > Ah, oops, yes indeed they are reversed, my bad! I certainly agree > with > > > all > > > > your points on why it is a good idea, and will update our template > > after > > > > the release to make sure we do it in the future. Is it better > practice > > to > > > > include the full checksum, or would truncated to the first 8 or so > > > > characters be preferable to play nice with email? > > > > > > > > On Sun, Sep 15, 2019 at 8:34 PM Julian Hyde <[email protected]> > wrote: > > > > > > > >> Sorry for my rather terse -1 vote. I had assumed that we had been > > > >> following the policy for a while, so when I noticed that we were > not I > > > >> assumed it was a mistake by the release manager. > > > >> > > > >> Actually I am not sure whether it is policy, but there's definitely > a > > > >> strong case for including hashes. The point is this: we are voting > on > > > >> artifacts, principally apache-druid-0.16.0-incubating-src.tar.gz. > > > >> > > > >> Suppose we all vote on the current > > > >> apache-druid-0.16.0-incubating-src.tar.gz, the vote passes, and then > > > >> someone replaces it with a similar file that contains some bad > stuff. > > > >> How are we to know whether that is the file we voted on? > > > >> > > > >> Putting the file hash in the vote email guarantees that we are all > > > >> voting on the same set of artifacts, and that set of artifacts is > > > >> recorded. > > > >> > > > >> I think you reversed the hashes (I got 0c4b71f0 for bin, 1f25c55e > for > > > >> src), but that's close enough, so let's proceed. > > > >> > > > >> > > > >> +1 (binding) > > > >> > > > >> Checked hashes, LICENSE, NOTICE, DISCLAIMER; ran RAT; compiled > > > >> (skipping tests) using JDK 8 on Ubuntu. Checked that src.tar.gz > > > >> matches git commit. > > > >> > > > >> Julian > > > >> > > > >> > > > >> Julian > > > >> > > > >> On Sun, Sep 15, 2019 at 7:24 PM Clint Wylie <[email protected]> > > wrote: > > > >>> > > > >>>> The vote email must contain the checksums of the artifacts we are > > > >> voting > > > >>> on. > > > >>> > > > >>> Apologies, I wasn't aware of this requirement since we haven't put > > them > > > >> in > > > >>> our prior incubating release vote threads and I was just copying > the > > > same > > > >>> basic template I and others have previously used. Out of curiosity > is > > > >> this > > > >>> a new-ish requirement that I missed, or one we just didn't notice > or > > > have > > > >>> just been turning a blind eye to? Regardless, since we are now > > > >> maintaining > > > >>> a 'how to ASF release' guide in the github repo that includes > > templates > > > >> for > > > >>> voting threads, > > > >>> > > > >> > > > > > > https://github.com/apache/incubator-druid/blob/master/distribution/asf-release-process-guide.md#body > > > >> , > > > >>> I'll > > > >>> be sure to update it, thanks! > > > >>> > > > >>>> No need for a new RC; I change my vote if the release manager > sends > > an > > > >>>> email with the checksums. > > > >>> > > > >>> If this thread is ok, here they are: > > > >>> > > > >>> artifact checksums > > > >>> src: > > > >>> > > > >> > > > > > > 0c4b71f077e28d2f4d3bc3f072543374570b98ec6a1918a5e1828e1da7e3871b5efb04070a8bcdbc172a817e43254640ce28a99757984be7d8dd3d607f1d870e > > > >>> bin: > > > >>> > > > >> > > > > > > 1f25c55e83069cf7071a97c1e0d56732437dbac4ef373ed1ed72b5b618021b74c107269642226e80081354c8da2e92dc26f1541b01072a4720fd6cfe8dc161a8 > > > >>> docker: > > > df9b900d3726ce123a5c054768da1ea08eba6efe635ced5abc3ad72d6c835e2c > > > >>> > > > >>> Thanks! > > > >>> Clint > > > >>> > > > >>> On Sun, Sep 15, 2019 at 6:22 PM Julian Hyde <[email protected]> > > wrote: > > > >>> > > > >>>> -1 > > > >>>> > > > >>>> The vote email must contain the checksums of the artifacts we are > > > >> voting > > > >>>> on. > > > >>>> > > > >>>> No need for a new RC; I change my vote if the release manager > sends > > an > > > >>>> email with the checksums. > > > >>>> > > > >>>> Julian > > > >>>> > > > >>>> On Fri, Sep 13, 2019 at 11:57 PM Clint Wylie <[email protected]> > > > >> wrote: > > > >>>>> > > > >>>>> Hi all, > > > >>>>> > > > >>>>> I have created a build for Apache Druid (incubating) 0.16.0, > > release > > > >>>>> candidate 3. > > > >>>>> > > > >>>>> Thanks for everyone who has helped contribute to the release! You > > can > > > >>>> read > > > >>>>> the proposed release notes here: > > > >>>>> https://github.com/apache/incubator-druid/issues/8369 > > > >>>>> > > > >>>>> The release candidate has been tagged in GitHub as > > > >>>>> druid-0.16.0-incubating-rc3 > > > >> (54d29e438a4df34d75e2385af6cefd1092c4ebb3), > > > >>>>> available here: > > > >>>>> > > > >>>> > > > >> > > > > > > https://github.com/apache/incubator-druid/releases/tag/druid-0.16.0-incubating-rc3 > > > >>>>> > > > >>>>> The artifacts to be voted on are located here: > > > >>>>> > > > >>>> > > > >> > > > > > > https://dist.apache.org/repos/dist/dev/incubator/druid/0.16.0-incubating-rc3/ > > > >>>>> > > > >>>>> Staged druid.apache.org website documentation is available here: > > > >>>>> > > > >> > > > > https://druid.staged.apache.org/docs/0.16.0-incubating/design/index.html > > > >>>>> > > > >>>>> A Docker image containing the binary of the release candidate can > > be > > > >>>>> retrieved via: > > > >>>>> docker pull apache/incubator-druid:0.16.0-incubating-rc3 > > > >>>>> > > > >>>>> Release artifacts are signed with the following key: > > > >>>>> https://people.apache.org/keys/committer/cwylie.asc > > > >>>>> > > > >>>>> This key and the key of other committers can also be found in the > > > >>>> project's > > > >>>>> KEYS file here: > > > >>>>> https://dist.apache.org/repos/dist/release/incubator/druid/KEYS > > > >>>>> > > > >>>>> (If you are a committer, please feel free to add your own key to > > that > > > >>>> file > > > >>>>> by following the instructions in the file's header.) > > > >>>>> > > > >>>>> > > > >>>>> Verify checksums: > > > >>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-src.tar.gz | \ > > > >>>>> cut -d ' ' -f1) \ > > > >>>>> <(cat apache-druid-0.16.0-incubating-src.tar.gz.sha512 ; echo) > > > >>>>> > > > >>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-bin.tar.gz | \ > > > >>>>> cut -d ' ' -f1) \ > > > >>>>> <(cat apache-druid-0.16.0-incubating-bin.tar.gz.sha512 ; echo) > > > >>>>> > > > >>>>> Verify signatures: > > > >>>>> gpg --verify apache-druid-0.16.0-incubating-src.tar.gz.asc \ > > > >>>>> apache-druid-0.16.0-incubating-src.tar.gz > > > >>>>> > > > >>>>> gpg --verify apache-druid-0.16.0-incubating-bin.tar.gz.asc \ > > > >>>>> apache-druid-0.16.0-incubating-bin.tar.gz > > > >>>>> > > > >>>>> Please review the proposed artifacts and vote. Note that Apache > has > > > >>>>> specific requirements that must be met before +1 binding votes > can > > be > > > >>>> cast > > > >>>>> by PMC members. Please refer to the policy at > > > >>>>> http://www.apache.org/legal/release-policy.html#policy for more > > > >> details. > > > >>>>> > > > >>>>> As part of the validation process, the release artifacts can be > > > >> generated > > > >>>>> from source by running: > > > >>>>> mvn clean install -Papache-release,dist -Dgpg.skip > > > >>>>> > > > >>>>> The RAT license check can be run from source by: > > > >>>>> mvn apache-rat:check -Prat > > > >>>>> > > > >>>>> This vote will be open for at least 72 hours. The vote will pass > > if a > > > >>>>> majority of at least three +1 PMC votes are cast. > > > >>>>> > > > >>>>> Once the vote has passed, the second stage vote will be called on > > the > > > >>>>> Apache Incubator mailing list to get approval from the Incubator > > PMC. > > > >>>>> > > > >>>>> [ ] +1 Release this package as Apache Druid (incubating) 0.16.0 > > > >>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the > release > > > >>>>> [ ] -1 Do not release this package because... > > > >>>>> > > > >>>>> Thanks! > > > >>>>> > > > >>>>> Apache Druid (incubating) is an effort undergoing incubation at > The > > > >>>> Apache > > > >>>>> Software Foundation (ASF), sponsored by the Apache Incubator. > > > >> Incubation > > > >>>> is > > > >>>>> required of all newly accepted projects until a further review > > > >> indicates > > > >>>>> that the infrastructure, communications, and decision making > > process > > > >> have > > > >>>>> stabilized in a manner consistent with other successful ASF > > projects. > > > >>>> While > > > >>>>> incubation status is not necessarily a reflection of the > > > >> completeness or > > > >>>>> stability of the code, it does indicate that the project has yet > to > > > >> be > > > >>>>> fully endorsed by the ASF. > > > >>>> > > > >>>> > > --------------------------------------------------------------------- > > > >>>> To unsubscribe, e-mail: [email protected] > > > >>>> For additional commands, e-mail: [email protected] > > > >>>> > > > >>>> > > > >> > > > >> > --------------------------------------------------------------------- > > > >> To unsubscribe, e-mail: [email protected] > > > >> For additional commands, e-mail: [email protected] > > > >> > > > >> > > > > > > > > >
