Hi,
> Xiangdong: But I wonder even all committers having signed PGP keys, how to
> use that in the release verification stage?
Hope these two links [1][2] helpful.
From my understanding, checking signatures include two steps.
The first step is to verify the connection of the file and the key. The second
step is to verify the connection of the key and the real person.
The second step is where the "trust path" comes into play - either I signed the
key or someone I trusted signed the key.
> Chris: Would be great if the web-of trust could be extended to IoTDB RMs ...
+1. I realize I haven't performed the second step yet.
[1] https://www.apache.org/info/verification.html#CheckingSignatures
[2] https://gnupg.org/download/integrity_check.html
Regards,
Lei Rui
On 6/23/2020 23:24,Xiangdong Huang wrote:
Hi Chris,
I personally would be a little hesitant to do it remotely ;-)
Well, I agree to doing that face to face in a physical meeting, but it is a
little hard in the current COVID-19 situation... (so we can postpone that.)
But I wonder even all committers having signed PGP keys, how to use that in
the release verification stage?
Best,
---
Xiangdong Huang
School of Software, Tsinghua University
黄向东
清华大学 软件学院
Christofer Dutz 于2020年6月23日周二 下午11:14写道:
Hi Xiangdong,
well usually a key-signging is usually a physical meeting where you go
with your passport to be 100% sure you're talking to the right person and
signing the right person's key.
I personally would be a little hesitant to do it remotely ;-)
https://www.youtube.com/watch?v=dJJLqXVpVGY
If you folks meet in person, there should be no problem. However it would
only be useful, if there is some link to other Apache folks (Some of you
have keys signed by other Apache folks)
Chris
Am 23.06.20, 17:04 schrieb "Xiangdong Huang" :
Hi all,
Thank all of you to attend the vote (maybe this is the first time that
we
receive more than 15 votes).
It is due to all of our mentors (and IPMCs) keep to appealing for more
PPMCs joining it.
It is also due to all active contributors in the community.
By the way, I notice that Chris gives the advise (I know Chris just
finished a milestone of PLC4x and then immediately began to verify
IoTDB's
release):
Would be great if the web-of trust could be extended to IoTDB RMs ...
As I know most of these guys, I can sign their pgp key, but how to use
their pgp key in the releasing verification stage?
Best,
---
Xiangdong Huang
School of Software, Tsinghua University
黄向东
清华大学 软件学院
Xiangdong Huang 于2020年6月22日周一 下午4:30写道:
Hi,
We have received 3 PPMC votes.
Will there be more PPMCs voting on this?
Best,
---
Xiangdong Huang
School of Software, Tsinghua University
黄向东
清华大学 软件学院
Xiangdong Huang 于2020年6月19日周五 下午9:40写道:
Hi,
The binary NOTICE is very likely to be missing content from other
Apache licensed NOTICE files.
Are there some more hints for this?
Best,
---
Xiangdong Huang
School of Software, Tsinghua University
黄向东
清华大学 软件学院
Xiangdong Huang 于2020年6月17日周三 下午8:08写道:
Hi all,
We can discuss the issue of releasing v0.10.0 RC4 here.
This is the 4th release candidate of v0.10.0, I send the vote mail
after
a 6 hours cooling-off period after uploading the files to the dev
SVN
repo... I hope this RC has no issues anymore...
Of course, if there is -1, I will release RC5 :)
Best,
---
Xiangdong Huang
School of Software, Tsinghua University
黄向东
清华大学 软件学院