I haven't seen another project include a KEYS file in the main release itself, and since the KEYS file hasn't changed I just linked to the one in dist. They either seem to include it at the root level (so https://dist.apache.org/repos/dist/dev/metron/ for us) or they don't include it at all (except maybe during releases and it just appeared empty when I looked).
The management of the KEYS file came up in relation to the plugin repo and in the original PR for the RC script, but nobody seems to really have strong opinions. Specifically, we can trivially include it with the main repo, but not the plugin repo. We'd need to pull the KEYS file from somewhere with the plugin and if that's only getting updated on release of the main repo, it causes friction if we're only releasing the plugin and changing release managers (who need to add the key to the file). I'm happy to revisit this with a more general solution (e.g. having a script to publish just the KEYS file?) . Given that this causes problems with the RC check, it seems like we need to update something one way or the other. It might just be updating the RC check script in the short term. On Tue, Dec 11, 2018 at 3:20 PM Nick Allen <n...@nickallen.org> wrote: > Should there be a KEYS file with the release candidate at > https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/KEYS? Or was that > changed to https://dist.apache.org/repos/dist/release/metron/KEYS ? > > ``` > $ ~/Development/metron/dev-utilities/release-utils/metron-rc-check > --version=0.7.0 --candidate=1 > Metron Version 0.7.0 > Release Candidate rc1 > Metron RC Distribution Root is > https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1 > Working directory /Users/nallen/tmp/metron-0.7.0-rc1 > Downloading https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/KEYS > --2018-12-11 > <https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/KEYS--2018-12-11> > 15:18:49-- > https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/KEYS > Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 > Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... > connected. > HTTP request sent, awaiting response... 404 Not Found > 2018-12-11 15:18:50 ERROR 404: Not Found. > > [ERROR] Failed to download > https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/KEYS > ``` > > On Tue, Dec 11, 2018 at 2:43 PM Justin Leet <l...@apache.org> wrote: > > > This is a call to vote on releasing Apache Metron 0.7.0 > > > > Full list of changes in this release: > > https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/CHANGES > > The tag to be voted upon is: > > apache-metron-0.7.0-rc1 > > > > The source archives being voted upon can be found here: > > > > > https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/apache-metron-0.7.0-rc1.tar.gz > > > > Other release files, signatures and digests can be found here: > > https://dist.apache.org/repos/dist/dev/metron/0.7.0-RC1/ > > > > The release artifacts are signed with the following key: > > https://dist.apache.org/repos/dist/release/metron/KEYS > > Please vote on releasing this package as Apache Metron 0.7.0-RC1 > > > > When voting, please list the actions taken to verify the release. > > > > Recommended build validation and verification instructions are posted > > here: > > https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds > > > > This vote will be open for until 3pm EDT on Friday December 14 2018. > > > > [ ] +1 Release this package as Apache Metron 0.7.0-RC1 > > > > [ ] 0 No opinion > > > > [ ] -1 Do not release this package because... > > >
