+1 -- Sent from my phone. Typos are a kind gift to anyone who happens to find them.
On Tue, Sep 22, 2020, 08:37 Davyd McColl <dav...@gmail.com> wrote: > Hi all > > I'd appreciate any more +1's (thanks, Remko!). I'd like to get this out > the door because it fixes confusing versioning on the released binaries (in > particular, nuget consumers) > > Thanks > -d > On 2020/09/20 22:33:49, Matt Sicker <boa...@gmail.com> wrote: > I can use whatever. > > On Sun, 20 Sep 2020 at 15:26, Ralph Goers wrote: > > > > I don’t have google meet and I can’t use Skype since Microsoft hosed my > authentication. I have zoom. My company uses Amazon Chime, which is fairly > new, as part of our product offering. I’ve sent you both emails for a > meeting using that. > > > > Ralph > > > > > On Sep 20, 2020, at 1:01 PM, Matt Sicker wrote: > > > > > > I sent a Google Meet invite to you. > > > > > > On Sun, 20 Sep 2020 at 14:26, Davyd McColl wrote: > > >> > > >> I'm happy to be available at 8am my side, if that works for everyone > else. > > >> It sounds like earlier would be better, but I'm doing the morning > school > > >> run from 7am and can't guarantee I'll be back significantly before > 8am. > > >> > > >> How to do this? I have zoom and slack on my work machine, can install > > >> Skype if that's more convenient, can do google meet, I assume, though > > >> haven't ever tried, so may need a bit of a crash intro. > > >> > > >> If posting meeting details to the mailing list is not on, feel free to > > >> email me directly (: > > >> > > >> -d > > >> > > >> > > >> On September 20, 2020 20:58:29 Ralph Goers wrote: > > >> > > >>> 8am in Durban South Africa is 11pm the night before in Phoenix AZ. > > >>> However, I frequently am up until midnight so that could work. > 5-5:30 pm is > > >>> 7:30-8 am in Phoenix. I usually am not in front of my computer on a > weekday > > >>> until 8 am but on occasion I can do earlier. > > >>> > > >>> Ralph > > >>> > > >>>> On Sep 20, 2020, at 9:46 AM, Davyd McColl wrote: > > >>>> > > >>>> Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I > fetch my > > >>>> son from school) > > >>>> > > >>>> -d > > >>>> > > >>>> > > >>>> On September 20, 2020 18:44:19 Matt Sicker wrote: > > >>>> > > >>>>> We’re not quite as strict as Debian for keys (though if you can > find a > > >>>>> Debian group locally, they’re great for key signing). The video > call idea > > >>>>> could work for exchanging keys. What times would you be available > to do > > >>>>> that? > > >>>>> > > >>>>> On Sun, Sep 20, 2020 at 03:09 Davyd McColl wrote: > > >>>>> > > >>>>>> Hi Ralph > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> I think I miscommunicated: I'm not regenerating my signing key - > just the > > >>>>>> > > >>>>>> nuget API key for package upload. This forces me to log in in > nuget.org > > >>>>>> > > >>>>>> which has 2fa and then I only use that key on the cli for the > immediate > > >>>>>> upload. > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> My gpg key as at https://GitHub.com/fluffynuts.gpg is the same > that I > > >>>>>> used > > >>>>>> > > >>>>>> last time. > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> -d > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> On September 20, 2020 09:01:36 Ralph Goers > > >>>>>> wrote: > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>>> In the long run you don’t want to be regenerating your signing > key for > > >>>>>> > > >>>>>>> every release. The point is that you would upload the key to a > central > > >>>>>> > > >>>>>>> keystore and other people would sign it there. At ApacheCon we > would > > >>>>>> have a > > >>>>>> > > >>>>>>> key signing “party” where we recorded each others keys and then > would > > >>>>>> take > > >>>>>> > > >>>>>>> our list and update the central keystore. When people verify the > key > > >>>>>> they > > >>>>>> > > >>>>>>> can look at the keystore and see that it is signed by a number of > > >>>>>> people, > > >>>>>> > > >>>>>>> who then have their keys by a number of people and so on so you > are > > >>>>>> > > >>>>>>> building a web of trust. Sooner or later there will be someone > in that > > >>>>>> web > > >>>>>> > > >>>>>>> that you personally know and trust. > > >>>>>> > > >>>>>>> > > >>>>>> > > >>>>>>> Ralph > > >>>>>> > > >>>>>>> > > >>>>>> > > >>>>>>>> On Sep 19, 2020, at 11:26 PM, Davyd McColl wrote: > > >>>>>> > > >>>>>>>> > > >>>>>> > > >>>>>>>> Thanks Matt, I've updated the artifacts on GitHub to have > detached > > >>>>>> > > >>>>>>>> signatures. I had previously also uploaded my key to > sks-keyservers.net, > > >>>>>> > > >>>>>> > > >>>>>>>> but I've also uploaded to MIT, though search there always times > out. > > >>>>>> > > >>>>>>>> > > >>>>>> > > >>>>>>>> The document you've linked mentions face-to-face interactions > to get my > > >>>>>> key > > >>>>>> > > >>>>>>>> into the official KEYS file. Not sure how many apache people > are at my > > >>>>>> end > > >>>>>> > > >>>>>>>> of the world (Durban, South Africa), but I can do an online > meeting if > > >>>>>> that > > >>>>>> > > >>>>>>>> helps. Last release, Ralph said I should sign, so I did. I'm > new to > > >>>>>> signing > > >>>>>> > > >>>>>>>> release artifacts - I've generally relied on authentication > during > > >>>>>> upload > > >>>>>> > > >>>>>>>> as verification of authenticity, with 2FA wherever possible > (GitHub and > > >>>>>> > > >>>>>>>> NPM; nuget survives with an apikey - but for the last 2 > releases, I've > > >>>>>> > > >>>>>>>> regenerated the key on each use and only supplied it on the cli > at > > >>>>>> upload, > > >>>>>> > > >>>>>>>> so as not to store it locally) > > >>>>>> > > >>>>>>>> > > >>>>>> > > >>>>>>>> -d > > >>>>>> > > >>>>>>>> > > >>>>>> > > >>>>>>>> > > >>>>>> > > >>>>>>>> On September 19, 2020 22:23:41 Matt Sicker wrote: > > >>>>>> > > >>>>>>>> > > >>>>>> > > >>>>>>>>> Oh and there's a bit of an issue with the signed files: it > looks like > > >>>>>> > > >>>>>>>>> you included _signed files_ rather than detached signatures. > Thus, the > > >>>>>> > > >>>>>>>>> .asc files are only verifying themselves rather than the > accompanying > > >>>>>> > > >>>>>>>>> file. > > >>>>>> > > >>>>>>>>> > > >>>>>> > > >>>>>>>>> There's a --detached option in gpg for this (yeah, it's always > had a > > >>>>>> bad UI). > > >>>>>> > > >>>>>>>>> > > >>>>>> > > >>>>>>>>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker wrote: > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> The KEYS file [1] that's linked on the download page does not > have > > >>>>>> > > >>>>>>>>>> your key in it. Neither does other KEYS file [2]. Check out > [3] for > > >>>>>> > > >>>>>>>>>> more info. > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> [1]: https://downloads.apache.org/logging/log4net/KEYS > > >>>>>> > > >>>>>>>>>> [2]: https://downloads.apache.org/logging/KEYS > > >>>>>> > > >>>>>>>>>> [3]: > https://infra.apache.org/release-signing.html#keys-policy > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl wrote: > > >>>>>> > > >>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>> Thanks Matt, I've done so. Hopefully that makes it easier to > verify > > >>>>>> > > >>>>>>>>>>> artifacts that I have signed. > > >>>>>> > > >>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>> -d > > >>>>>> > > >>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>> On September 18, 2020 23:11:48 Matt Sicker > > >>>>>> wrote: > > >>>>>> > > >>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>> If you upload your key to your GitHub profile, that also > makes it > > >>>>>> > > >>>>>>>>>>>> simple to find. For example, just add ".gpg" to your > profile URL: > > >>>>>> > > >>>>>>>>>>>> https://github.com/fluffynuts.gpg > > >>>>>> > > >>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>> On Fri, 18 Sep 2020 at 16:08, Remko Popma > > >>>>>> wrote: > > >>>>>> > > >>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>> +1 remko > > >>>>>> > > >>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker > > >>>>>> wrote: > > >>>>>> > > >>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>> How about your gpg key? I don't think we've imported that > to > > >>>>>> the KEYS > > >>>>>> > > >>>>>>>>>>>>>> file as far as I can tell? > > >>>>>> > > >>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 15:53, Matt Sicker > > >>>>>> wrote: > > >>>>>> > > >>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>> Oh sorry, I didn't notice that you uploaded them there > > >>>>>> (wasn't even > > >>>>>> > > >>>>>>>>>>>>>>> aware that it was possible to be honest). > > >>>>>> > > >>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 14:43, Davyd McColl > > >>>>>> wrote: > > >>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>> Hi Matt > > >>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>> Release artifacts are available on the GitHub release > page > > >>>>>> > > >>>>>>>>>>>>>>>> (https://GitHub.com/Apache/logging-log4net/releases) - > > >>>>>> expand the > > >>>>>> > > >>>>>>>>>>>>>> assets > > >>>>>> > > >>>>>>>>>>>>>>>> list if it's collapsed. > > >>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>> I'll need someone to upload them to the downloads source > > >>>>>> as I > > >>>>>> > > >>>>>>>>>> think I > > >>>>>> > > >>>>>>>>>>>>>> don't > > >>>>>> > > >>>>>>>>>>>>>>>> have access to do so (if I'm wrong, I'd love to be > > >>>>>> corrected, > > >>>>>> > > >>>>>>>>>> because > > >>>>>> > > >>>>>>>>>>>>>> I'd > > >>>>>> > > >>>>>>>>>>>>>>>> be less of an annoyance then!). Ralph has stepped in to > > >>>>>> help here in > > >>>>>> > > >>>>>>>>>>>>>> the past. > > >>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>> -d > > >>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>> On September 18, 2020 20:09:07 Matt Sicker < > > >>>>>> boa...@gmail.com> wrote: > > >>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>> Do you have links to the release artifacts? The > download > > >>>>>> page > > >>>>>> > > >>>>>>>>>> links > > >>>>>> > > >>>>>>>>>>>>>> to > > >>>>>> > > >>>>>>>>>>>>>>>>> the live site which doesn't have the artifacts yet > since > > >>>>>> > > >>>>>>>>>> they're not > > >>>>>> > > >>>>>>>>>>>>>>>>> released yet. :) > > >>>>>> > > >>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 09:05, Davyd McColl > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>> wrote: > > >>>>>> > > >>>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>>> Hi all > > >>>>>> > > >>>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>>> I have another potential release available: 2.0.11, > > >>>>>> tagged as > > >>>>>> > > >>>>>>>>>>>>>> rc/2.0.11 > > >>>>>> > > >>>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>>> Changes are really minor: > > >>>>>> > > >>>>>>>>>>>>>>>>>> - fixed assembly versioning (all assemblies should > > >>>>>> report > > >>>>>> > > >>>>>>>>>> 2.0.11.0 > > >>>>>> > > >>>>>>>>>>>>>> as their > > >>>>>> > > >>>>>>>>>>>>>>>>>> version now) > > >>>>>> > > >>>>>>>>>>>>>>>>>> - properly dispose of StreamWriters within logging > > >>>>>> appenders > > >>>>>> > > >>>>>>>>>>>>>> (thanks to > > >>>>>> > > >>>>>>>>>>>>>>>>>> @NicholasNoise) > > >>>>>> > > >>>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>>> Binaries are up at > > >>>>>> > > >>>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>> > https://github.com/apache/logging-log4net/releases/tag/rc%2F2.0.11 > > >>>>>> > > >>>>>>>>>>>>>> and I've > > >>>>>> > > >>>>>>>>>>>>>>>>>> pushed to asf-staging for logging, now up at > > >>>>>> > > >>>>>>>>>>>>>>>>>> > > >>>>>> https://logging.staged.apache.org/log4net/download_log4net.html > > >>>>>> > > >>>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>>> Thanks > > >>>>>> > > >>>>>>>>>>>>>>>>>> -d > > >>>>>> > > >>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>>>> -- > > >>>>>> > > >>>>>>>>>>>>>>>>> Matt Sicker > > >>>>>> > > >>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>>> -- > > >>>>>> > > >>>>>>>>>>>>>>> Matt Sicker > > >>>>>> > > >>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>>>> -- > > >>>>>> > > >>>>>>>>>>>>>> Matt Sicker > > >>>>>> > > >>>>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>> > > >>>>>> > > >>>>>>>>>>>> -- > > >>>>>> > > >>>>>>>>>>>> Matt Sicker > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> > > >>>>>> > > >>>>>>>>>> -- > > >>>>>> > > >>>>>>>>>> Matt Sicker > > >>>>>> > > >>>>>>>>> > > >>>>>> > > >>>>>>>>> > > >>>>>> > > >>>>>>>>> > > >>>>>> > > >>>>>>>>> -- > > >>>>>> > > >>>>>>>>> Matt Sicker > > >>>>>> > > >>>>>>> > > >>>>>> > > >>>>>>> > > >>>>>> > > >>>>>> -- > > >>>>> Matt Sicker > > >>> > > >>> > > > > > > > > > > > > -- > > > Matt Sicker > > > > > > > > > > -- > Matt Sicker >