I should be able to do 08:00 tomorrow morning (still night in my time zone but technically still tomorrow either way). If I weren’t on vacation at the moment, we’d have to do the other end of your schedule which would be during my typical “meetings with the other hemisphere” hours (some of my work teammates are in the same time zone as you out in EU).
On Sun, Sep 20, 2020 at 11:47 Davyd McColl <dav...@gmail.com> wrote: > Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I fetch my > > son from school) > > > > -d > > > > > > On September 20, 2020 18:44:19 Matt Sicker <boa...@gmail.com> wrote: > > > > > We’re not quite as strict as Debian for keys (though if you can find a > > > Debian group locally, they’re great for key signing). The video call idea > > > could work for exchanging keys. What times would you be available to do > > > that? > > > > > > On Sun, Sep 20, 2020 at 03:09 Davyd McColl <dav...@gmail.com> wrote: > > > > > >> Hi Ralph > > >> > > >> > > >> > > >> I think I miscommunicated: I'm not regenerating my signing key - just > the > > >> > > >> nuget API key for package upload. This forces me to log in in nuget.org > > >> > > >> which has 2fa and then I only use that key on the cli for the immediate > > >> upload. > > >> > > >> > > >> > > >> My gpg key as at https://GitHub.com/fluffynuts.gpg is the same that I > > >> used > > >> > > >> last time. > > >> > > >> > > >> > > >> -d > > >> > > >> > > >> > > >> > > >> > > >> On September 20, 2020 09:01:36 Ralph Goers <ralph.go...@dslextreme.com> > > >> wrote: > > >> > > >> > > >> > > >> > In the long run you don’t want to be regenerating your signing key for > > >> > > >> > every release. The point is that you would upload the key to a central > > >> > > >> > keystore and other people would sign it there. At ApacheCon we would > > >> have a > > >> > > >> > key signing “party” where we recorded each others keys and then would > > >> take > > >> > > >> > our list and update the central keystore. When people verify the key > > >> they > > >> > > >> > can look at the keystore and see that it is signed by a number of > > >> people, > > >> > > >> > who then have their keys by a number of people and so on so you are > > >> > > >> > building a web of trust. Sooner or later there will be someone in > that > > >> web > > >> > > >> > that you personally know and trust. > > >> > > >> > > > >> > > >> > Ralph > > >> > > >> > > > >> > > >> >> On Sep 19, 2020, at 11:26 PM, Davyd McColl <dav...@gmail.com> wrote: > > >> > > >> >> > > >> > > >> >> Thanks Matt, I've updated the artifacts on GitHub to have detached > > >> > > >> >> signatures. I had previously also uploaded my key to > sks-keyservers.net, > > >> > > >> > > >> >> but I've also uploaded to MIT, though search there always times out. > > >> > > >> >> > > >> > > >> >> The document you've linked mentions face-to-face interactions to get > my > > >> key > > >> > > >> >> into the official KEYS file. Not sure how many apache people are at > my > > >> end > > >> > > >> >> of the world (Durban, South Africa), but I can do an online meeting > if > > >> that > > >> > > >> >> helps. Last release, Ralph said I should sign, so I did. I'm new to > > >> signing > > >> > > >> >> release artifacts - I've generally relied on authentication during > > >> upload > > >> > > >> >> as verification of authenticity, with 2FA wherever possible (GitHub > and > > >> > > >> >> NPM; nuget survives with an apikey - but for the last 2 releases, > I've > > >> > > >> >> regenerated the key on each use and only supplied it on the cli at > > >> upload, > > >> > > >> >> so as not to store it locally) > > >> > > >> >> > > >> > > >> >> -d > > >> > > >> >> > > >> > > >> >> > > >> > > >> >> On September 19, 2020 22:23:41 Matt Sicker <boa...@gmail.com> wrote: > > >> > > >> >> > > >> > > >> >>> Oh and there's a bit of an issue with the signed files: it looks > like > > >> > > >> >>> you included _signed files_ rather than detached signatures. Thus, > the > > >> > > >> >>> .asc files are only verifying themselves rather than the > accompanying > > >> > > >> >>> file. > > >> > > >> >>> > > >> > > >> >>> There's a --detached option in gpg for this (yeah, it's always had a > > >> bad UI). > > >> > > >> >>> > > >> > > >> >>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker <boa...@gmail.com> wrote: > > >> > > >> >>>> > > >> > > >> >>>> The KEYS file [1] that's linked on the download page does not have > > >> > > >> >>>> your key in it. Neither does other KEYS file [2]. Check out [3] for > > >> > > >> >>>> more info. > > >> > > >> >>>> > > >> > > >> >>>> [1]: https://downloads.apache.org/logging/log4net/KEYS > > >> > > >> >>>> [2]: https://downloads.apache.org/logging/KEYS > > >> > > >> >>>> [3]: https://infra.apache.org/release-signing.html#keys-policy > > >> > > >> >>>> > > >> > > >> >>>> > > >> > > >> >>>> > > >> > > >> >>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl <dav...@gmail.com> > wrote: > > >> > > >> >>>> > > > >> > > >> >>>> > Thanks Matt, I've done so. Hopefully that makes it easier to > verify > > >> > > >> >>>> > artifacts that I have signed. > > >> > > >> >>>> > > > >> > > >> >>>> > -d > > >> > > >> >>>> > > > >> > > >> >>>> > > > >> > > >> >>>> > On September 18, 2020 23:11:48 Matt Sicker <boa...@gmail.com> > > >> wrote: > > >> > > >> >>>> > > > >> > > >> >>>> > > If you upload your key to your GitHub profile, that also makes > it > > >> > > >> >>>> > > simple to find. For example, just add ".gpg" to your profile > URL: > > >> > > >> >>>> > > https://github.com/fluffynuts.gpg > > >> > > >> >>>> > > > > >> > > >> >>>> > > On Fri, 18 Sep 2020 at 16:08, Remko Popma < > remko.po...@gmail.com> > > >> wrote: > > >> > > >> >>>> > >> > > >> > > >> >>>> > >> +1 remko > > >> > > >> >>>> > >> > > >> > > >> >>>> > >> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker <boa...@gmail.com > > > > >> wrote: > > >> > > >> >>>> > >> > > >> > > >> >>>> > >> > How about your gpg key? I don't think we've imported that to > > >> the KEYS > > >> > > >> >>>> > >> > file as far as I can tell? > > >> > > >> >>>> > >> > > > >> > > >> >>>> > >> > On Fri, 18 Sep 2020 at 15:53, Matt Sicker <boa...@gmail.com > > > > >> wrote: > > >> > > >> >>>> > >> > > > > >> > > >> >>>> > >> > > Oh sorry, I didn't notice that you uploaded them there > > >> (wasn't even > > >> > > >> >>>> > >> > > aware that it was possible to be honest). > > >> > > >> >>>> > >> > > > > >> > > >> >>>> > >> > > On Fri, 18 Sep 2020 at 14:43, Davyd McColl < > dav...@gmail.com> > > >> wrote: > > >> > > >> >>>> > >> > > > > > >> > > >> >>>> > >> > > > Hi Matt > > >> > > >> >>>> > >> > > > > > >> > > >> >>>> > >> > > > Release artifacts are available on the GitHub release > page > > >> > > >> >>>> > >> > > > (https://GitHub.com/Apache/logging-log4net/releases) - > > >> expand the > > >> > > >> >>>> > >> > assets > > >> > > >> >>>> > >> > > > list if it's collapsed. > > >> > > >> >>>> > >> > > > > > >> > > >> >>>> > >> > > > I'll need someone to upload them to the downloads source > > >> as I > > >> > > >> >>>> think I > > >> > > >> >>>> > >> > don't > > >> > > >> >>>> > >> > > > have access to do so (if I'm wrong, I'd love to be > > >> corrected, > > >> > > >> >>>> because > > >> > > >> >>>> > >> > I'd > > >> > > >> >>>> > >> > > > be less of an annoyance then!). Ralph has stepped in to > > >> help here in > > >> > > >> >>>> > >> > the past. > > >> > > >> >>>> > >> > > > > > >> > > >> >>>> > >> > > > -d > > >> > > >> >>>> > >> > > > > > >> > > >> >>>> > >> > > > > > >> > > >> >>>> > >> > > > On September 18, 2020 20:09:07 Matt Sicker < > > >> boa...@gmail.com> wrote: > > >> > > >> >>>> > >> > > > > > >> > > >> >>>> > >> > > > > Do you have links to the release artifacts? The > download > > >> page > > >> > > >> >>>> links > > >> > > >> >>>> > >> > to > > >> > > >> >>>> > >> > > > > the live site which doesn't have the artifacts yet > since > > >> > > >> >>>> they're not > > >> > > >> >>>> > >> > > > > released yet. :) > > >> > > >> >>>> > >> > > > > > > >> > > >> >>>> > >> > > > > On Fri, 18 Sep 2020 at 09:05, Davyd McColl > > >> > > >> >>>> <davyd.mcc...@codeo.co.za> > > >> > > >> >>>> > >> > wrote: > > >> > > >> >>>> > >> > > > >> > > >> > > >> >>>> > >> > > > >> Hi all > > >> > > >> >>>> > >> > > > >> > > >> > > >> >>>> > >> > > > >> I have another potential release available: 2.0.11, > > >> tagged as > > >> > > >> >>>> > >> > rc/2.0.11 > > >> > > >> >>>> > >> > > > >> > > >> > > >> >>>> > >> > > > >> Changes are really minor: > > >> > > >> >>>> > >> > > > >> - fixed assembly versioning (all assemblies should > > >> report > > >> > > >> >>>> 2.0.11.0 > > >> > > >> >>>> > >> > as their > > >> > > >> >>>> > >> > > > >> version now) > > >> > > >> >>>> > >> > > > >> - properly dispose of StreamWriters within logging > > >> appenders > > >> > > >> >>>> > >> > (thanks to > > >> > > >> >>>> > >> > > > >> @NicholasNoise) > > >> > > >> >>>> > >> > > > >> > > >> > > >> >>>> > >> > > > >> Binaries are up at > > >> > > >> >>>> > >> > > > >> > > >> > > >> >>>> https://github.com/apache/logging-log4net/releases/tag/rc%2F2.0.11 > > >> > > >> >>>> > >> > and I've > > >> > > >> >>>> > >> > > > >> pushed to asf-staging for logging, now up at > > >> > > >> >>>> > >> > > > >> > > >> https://logging.staged.apache.org/log4net/download_log4net.html > > >> > > >> >>>> > >> > > > >> > > >> > > >> >>>> > >> > > > >> Thanks > > >> > > >> >>>> > >> > > > >> -d > > >> > > >> >>>> > >> > > > > > > >> > > >> >>>> > >> > > > > > > >> > > >> >>>> > >> > > > > > > >> > > >> >>>> > >> > > > > -- > > >> > > >> >>>> > >> > > > > Matt Sicker <boa...@gmail.com> > > >> > > >> >>>> > >> > > > > >> > > >> >>>> > >> > > > > >> > > >> >>>> > >> > > > > >> > > >> >>>> > >> > > -- > > >> > > >> >>>> > >> > > Matt Sicker <boa...@gmail.com> > > >> > > >> >>>> > >> > > > >> > > >> >>>> > >> > > > >> > > >> >>>> > >> > > > >> > > >> >>>> > >> > -- > > >> > > >> >>>> > >> > Matt Sicker <boa...@gmail.com> > > >> > > >> >>>> > >> > > > >> > > >> >>>> > > > > >> > > >> >>>> > > > > >> > > >> >>>> > > > > >> > > >> >>>> > > -- > > >> > > >> >>>> > > Matt Sicker <boa...@gmail.com> > > >> > > >> >>>> > > >> > > >> >>>> > > >> > > >> >>>> > > >> > > >> >>>> -- > > >> > > >> >>>> Matt Sicker <boa...@gmail.com> > > >> > > >> >>> > > >> > > >> >>> > > >> > > >> >>> > > >> > > >> >>> -- > > >> > > >> >>> Matt Sicker <boa...@gmail.com> > > >> > > >> > > > >> > > >> > > > >> > > >> -- > > > Matt Sicker <boa...@gmail.com> > > -- Matt Sicker <boa...@gmail.com>
