+1 On Tue, Sep 22, 2020 at 04:23 Dominik Psenner <dpsen...@gmail.com> wrote:
> +1 > > > > -- > > Sent from my phone. Typos are a kind gift to anyone who happens to find > > them. > > > > On Tue, Sep 22, 2020, 08:37 Davyd McColl <dav...@gmail.com> wrote: > > > > > Hi all > > > > > > I'd appreciate any more +1's (thanks, Remko!). I'd like to get this out > > > the door because it fixes confusing versioning on the released binaries > (in > > > particular, nuget consumers) > > > > > > Thanks > > > -d > > > On 2020/09/20 22:33:49, Matt Sicker <boa...@gmail.com> wrote: > > > I can use whatever. > > > > > > On Sun, 20 Sep 2020 at 15:26, Ralph Goers wrote: > > > > > > > > I don’t have google meet and I can’t use Skype since Microsoft hosed my > > > authentication. I have zoom. My company uses Amazon Chime, which is > fairly > > > new, as part of our product offering. I’ve sent you both emails for a > > > meeting using that. > > > > > > > > Ralph > > > > > > > > > On Sep 20, 2020, at 1:01 PM, Matt Sicker wrote: > > > > > > > > > > I sent a Google Meet invite to you. > > > > > > > > > > On Sun, 20 Sep 2020 at 14:26, Davyd McColl wrote: > > > > >> > > > > >> I'm happy to be available at 8am my side, if that works for everyone > > > else. > > > > >> It sounds like earlier would be better, but I'm doing the morning > > > school > > > > >> run from 7am and can't guarantee I'll be back significantly before > > > 8am. > > > > >> > > > > >> How to do this? I have zoom and slack on my work machine, can > install > > > > >> Skype if that's more convenient, can do google meet, I assume, > though > > > > >> haven't ever tried, so may need a bit of a crash intro. > > > > >> > > > > >> If posting meeting details to the mailing list is not on, feel free > to > > > > >> email me directly (: > > > > >> > > > > >> -d > > > > >> > > > > >> > > > > >> On September 20, 2020 20:58:29 Ralph Goers wrote: > > > > >> > > > > >>> 8am in Durban South Africa is 11pm the night before in Phoenix AZ. > > > > >>> However, I frequently am up until midnight so that could work. > > > 5-5:30 pm is > > > > >>> 7:30-8 am in Phoenix. I usually am not in front of my computer on a > > > weekday > > > > >>> until 8 am but on occasion I can do earlier. > > > > >>> > > > > >>> Ralph > > > > >>> > > > > >>>> On Sep 20, 2020, at 9:46 AM, Davyd McColl wrote: > > > > >>>> > > > > >>>> Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I > > > fetch my > > > > >>>> son from school) > > > > >>>> > > > > >>>> -d > > > > >>>> > > > > >>>> > > > > >>>> On September 20, 2020 18:44:19 Matt Sicker wrote: > > > > >>>> > > > > >>>>> We’re not quite as strict as Debian for keys (though if you can > > > find a > > > > >>>>> Debian group locally, they’re great for key signing). The video > > > call idea > > > > >>>>> could work for exchanging keys. What times would you be available > > > to do > > > > >>>>> that? > > > > >>>>> > > > > >>>>> On Sun, Sep 20, 2020 at 03:09 Davyd McColl wrote: > > > > >>>>> > > > > >>>>>> Hi Ralph > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> I think I miscommunicated: I'm not regenerating my signing key - > > > just the > > > > >>>>>> > > > > >>>>>> nuget API key for package upload. This forces me to log in in > > > nuget.org > > > > >>>>>> > > > > >>>>>> which has 2fa and then I only use that key on the cli for the > > > immediate > > > > >>>>>> upload. > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> My gpg key as at https://GitHub.com/fluffynuts.gpg is the same > > > that I > > > > >>>>>> used > > > > >>>>>> > > > > >>>>>> last time. > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> -d > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> On September 20, 2020 09:01:36 Ralph Goers > > > > >>>>>> wrote: > > > > >>>>>> > > > > >>>>>> > > > > >>>>>> > > > > >>>>>>> In the long run you don’t want to be regenerating your signing > > > key for > > > > >>>>>> > > > > >>>>>>> every release. The point is that you would upload the key to a > > > central > > > > >>>>>> > > > > >>>>>>> keystore and other people would sign it there. At ApacheCon we > > > would > > > > >>>>>> have a > > > > >>>>>> > > > > >>>>>>> key signing “party” where we recorded each others keys and then > > > would > > > > >>>>>> take > > > > >>>>>> > > > > >>>>>>> our list and update the central keystore. When people verify > the > > > key > > > > >>>>>> they > > > > >>>>>> > > > > >>>>>>> can look at the keystore and see that it is signed by a number > of > > > > >>>>>> people, > > > > >>>>>> > > > > >>>>>>> who then have their keys by a number of people and so on so you > > > are > > > > >>>>>> > > > > >>>>>>> building a web of trust. Sooner or later there will be someone > > > in that > > > > >>>>>> web > > > > >>>>>> > > > > >>>>>>> that you personally know and trust. > > > > >>>>>> > > > > >>>>>>> > > > > >>>>>> > > > > >>>>>>> Ralph > > > > >>>>>> > > > > >>>>>>> > > > > >>>>>> > > > > >>>>>>>> On Sep 19, 2020, at 11:26 PM, Davyd McColl wrote: > > > > >>>>>> > > > > >>>>>>>> > > > > >>>>>> > > > > >>>>>>>> Thanks Matt, I've updated the artifacts on GitHub to have > > > detached > > > > >>>>>> > > > > >>>>>>>> signatures. I had previously also uploaded my key to > > > sks-keyservers.net, > > > > >>>>>> > > > > >>>>>> > > > > >>>>>>>> but I've also uploaded to MIT, though search there always > times > > > out. > > > > >>>>>> > > > > >>>>>>>> > > > > >>>>>> > > > > >>>>>>>> The document you've linked mentions face-to-face interactions > > > to get my > > > > >>>>>> key > > > > >>>>>> > > > > >>>>>>>> into the official KEYS file. Not sure how many apache people > > > are at my > > > > >>>>>> end > > > > >>>>>> > > > > >>>>>>>> of the world (Durban, South Africa), but I can do an online > > > meeting if > > > > >>>>>> that > > > > >>>>>> > > > > >>>>>>>> helps. Last release, Ralph said I should sign, so I did. I'm > > > new to > > > > >>>>>> signing > > > > >>>>>> > > > > >>>>>>>> release artifacts - I've generally relied on authentication > > > during > > > > >>>>>> upload > > > > >>>>>> > > > > >>>>>>>> as verification of authenticity, with 2FA wherever possible > > > (GitHub and > > > > >>>>>> > > > > >>>>>>>> NPM; nuget survives with an apikey - but for the last 2 > > > releases, I've > > > > >>>>>> > > > > >>>>>>>> regenerated the key on each use and only supplied it on the > cli > > > at > > > > >>>>>> upload, > > > > >>>>>> > > > > >>>>>>>> so as not to store it locally) > > > > >>>>>> > > > > >>>>>>>> > > > > >>>>>> > > > > >>>>>>>> -d > > > > >>>>>> > > > > >>>>>>>> > > > > >>>>>> > > > > >>>>>>>> > > > > >>>>>> > > > > >>>>>>>> On September 19, 2020 22:23:41 Matt Sicker wrote: > > > > >>>>>> > > > > >>>>>>>> > > > > >>>>>> > > > > >>>>>>>>> Oh and there's a bit of an issue with the signed files: it > > > looks like > > > > >>>>>> > > > > >>>>>>>>> you included _signed files_ rather than detached signatures. > > > Thus, the > > > > >>>>>> > > > > >>>>>>>>> .asc files are only verifying themselves rather than the > > > accompanying > > > > >>>>>> > > > > >>>>>>>>> file. > > > > >>>>>> > > > > >>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>> There's a --detached option in gpg for this (yeah, it's > always > > > had a > > > > >>>>>> bad UI). > > > > >>>>>> > > > > >>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker wrote: > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> The KEYS file [1] that's linked on the download page does > not > > > have > > > > >>>>>> > > > > >>>>>>>>>> your key in it. Neither does other KEYS file [2]. Check out > > > [3] for > > > > >>>>>> > > > > >>>>>>>>>> more info. > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> [1]: https://downloads.apache.org/logging/log4net/KEYS > > > > >>>>>> > > > > >>>>>>>>>> [2]: https://downloads.apache.org/logging/KEYS > > > > >>>>>> > > > > >>>>>>>>>> [3]: > > > https://infra.apache.org/release-signing.html#keys-policy > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl wrote: > > > > >>>>>> > > > > >>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>> Thanks Matt, I've done so. Hopefully that makes it easier > to > > > verify > > > > >>>>>> > > > > >>>>>>>>>>> artifacts that I have signed. > > > > >>>>>> > > > > >>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>> -d > > > > >>>>>> > > > > >>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>> On September 18, 2020 23:11:48 Matt Sicker > > > > >>>>>> wrote: > > > > >>>>>> > > > > >>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>> If you upload your key to your GitHub profile, that also > > > makes it > > > > >>>>>> > > > > >>>>>>>>>>>> simple to find. For example, just add ".gpg" to your > > > profile URL: > > > > >>>>>> > > > > >>>>>>>>>>>> https://github.com/fluffynuts.gpg > > > > >>>>>> > > > > >>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>> On Fri, 18 Sep 2020 at 16:08, Remko Popma > > > > >>>>>> wrote: > > > > >>>>>> > > > > >>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>> +1 remko > > > > >>>>>> > > > > >>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker > > > > >>>>>> wrote: > > > > >>>>>> > > > > >>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>> How about your gpg key? I don't think we've imported > that > > > to > > > > >>>>>> the KEYS > > > > >>>>>> > > > > >>>>>>>>>>>>>> file as far as I can tell? > > > > >>>>>> > > > > >>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 15:53, Matt Sicker > > > > >>>>>> wrote: > > > > >>>>>> > > > > >>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>> Oh sorry, I didn't notice that you uploaded them there > > > > >>>>>> (wasn't even > > > > >>>>>> > > > > >>>>>>>>>>>>>>> aware that it was possible to be honest). > > > > >>>>>> > > > > >>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 14:43, Davyd McColl > > > > >>>>>> wrote: > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> Hi Matt > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> Release artifacts are available on the GitHub release > > > page > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> (https://GitHub.com/Apache/logging-log4net/releases) > - > > > > >>>>>> expand the > > > > >>>>>> > > > > >>>>>>>>>>>>>> assets > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> list if it's collapsed. > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> I'll need someone to upload them to the downloads > source > > > > >>>>>> as I > > > > >>>>>> > > > > >>>>>>>>>> think I > > > > >>>>>> > > > > >>>>>>>>>>>>>> don't > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> have access to do so (if I'm wrong, I'd love to be > > > > >>>>>> corrected, > > > > >>>>>> > > > > >>>>>>>>>> because > > > > >>>>>> > > > > >>>>>>>>>>>>>> I'd > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> be less of an annoyance then!). Ralph has stepped in > to > > > > >>>>>> help here in > > > > >>>>>> > > > > >>>>>>>>>>>>>> the past. > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> -d > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> On September 18, 2020 20:09:07 Matt Sicker < > > > > >>>>>> boa...@gmail.com> wrote: > > > > >>>>>> > > > > >>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> Do you have links to the release artifacts? The > > > download > > > > >>>>>> page > > > > >>>>>> > > > > >>>>>>>>>> links > > > > >>>>>> > > > > >>>>>>>>>>>>>> to > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> the live site which doesn't have the artifacts yet > > > since > > > > >>>>>> > > > > >>>>>>>>>> they're not > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> released yet. :) > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 09:05, Davyd McColl > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>> wrote: > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> Hi all > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> I have another potential release available: 2.0.11, > > > > >>>>>> tagged as > > > > >>>>>> > > > > >>>>>>>>>>>>>> rc/2.0.11 > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> Changes are really minor: > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> - fixed assembly versioning (all assemblies should > > > > >>>>>> report > > > > >>>>>> > > > > >>>>>>>>>> 2.0.11.0 > > > > >>>>>> > > > > >>>>>>>>>>>>>> as their > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> version now) > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> - properly dispose of StreamWriters within logging > > > > >>>>>> appenders > > > > >>>>>> > > > > >>>>>>>>>>>>>> (thanks to > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> @NicholasNoise) > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> Binaries are up at > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> > > > https://github.com/apache/logging-log4net/releases/tag/rc%2F2.0.11 > > > > >>>>>> > > > > >>>>>>>>>>>>>> and I've > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> pushed to asf-staging for logging, now up at > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> > > > > >>>>>> https://logging.staged.apache.org/log4net/download_log4net.html > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> Thanks > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>>> -d > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> -- > > > > >>>>>> > > > > >>>>>>>>>>>>>>>>> Matt Sicker > > > > >>>>>> > > > > >>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>>> -- > > > > >>>>>> > > > > >>>>>>>>>>>>>>> Matt Sicker > > > > >>>>>> > > > > >>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>>>> -- > > > > >>>>>> > > > > >>>>>>>>>>>>>> Matt Sicker > > > > >>>>>> > > > > >>>>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>>>> -- > > > > >>>>>> > > > > >>>>>>>>>>>> Matt Sicker > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>>> -- > > > > >>>>>> > > > > >>>>>>>>>> Matt Sicker > > > > >>>>>> > > > > >>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>> > > > > >>>>>> > > > > >>>>>>>>> -- > > > > >>>>>> > > > > >>>>>>>>> Matt Sicker > > > > >>>>>> > > > > >>>>>>> > > > > >>>>>> > > > > >>>>>>> > > > > >>>>>> > > > > >>>>>> -- > > > > >>>>> Matt Sicker > > > > >>> > > > > >>> > > > > > > > > > > > > > > > > > > > > -- > > > > > Matt Sicker > > > > > > > > > > > > > > > > > > > > > > -- > > > Matt Sicker > > > > > -- Matt Sicker <boa...@gmail.com>