Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Ralph Goers
In the long run you don’t want to be regenerating your signing key for every 
release. The point is that you would upload the key to a central keystore and 
other people would sign it there. At ApacheCon we would have a key signing 
“party” where we recorded each other's keys and then would take our list and 
update the central keystore. When people verify the key they can look at the 
keystore and see that it is signed by a number of people, who then have their 
keys by a number of people and so on so you are building a web of trust.  
Sooner or later there will be someone in that web that you personally know and 
trust.

Ralph

> On Sep 19, 2020, at 11:26 PM, Davyd McColl  wrote:
> 
> Thanks Matt, I've updated the artifacts on GitHub to have detached 
> signatures. I had previously also uploaded my key to sks-keyservers.net, but 
> I've also uploaded to MIT, though search there always times out.
> 
> The document you've linked mentions face-to-face interactions to get my key 
> into the official KEYS file. Not sure how many apache people are at my end of 
> the world (Durban, South Africa), but I can do an online meeting if that 
> helps. Last release, Ralph said I should sign, so I did. I'm new to signing 
> release artifacts - I've generally relied on authentication during upload as 
> verification of authenticity, with 2FA wherever possible (GitHub and NPM; 
> nuget survives with an apikey - but for the last 2 releases, I've regenerated 
> the key on each use and only supplied it on the cli at upload, so as not to 
> store it locally)
> 
> -d
> 
> 
> On September 19, 2020 22:23:41 Matt Sicker  wrote:
> 
>> Oh and there's a bit of an issue with the signed files: it looks like
>> you included _signed files_ rather than detached signatures. Thus, the
>> .asc files are only verifying themselves rather than the accompanying
>> file.
>> 
>> There's a --detached option in gpg for this (yeah, it's always had a bad UI).
>> 
>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker  wrote:
>>> 
>>> The KEYS file [1] that's linked on the download page does not have
>>> your key in it. Neither does other KEYS file [2]. Check out [3] for
>>> more info.
>>> 
>>> [1]: https://downloads.apache.org/logging/log4net/KEYS
>>> [2]: https://downloads.apache.org/logging/KEYS
>>> [3]: https://infra.apache.org/release-signing.html#keys-policy
>>> 
>>> 
>>> 
>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl  wrote:
>>> >
>>> > Thanks Matt, I've done so. Hopefully that makes it easier to verify
>>> > artifacts that I have signed.
>>> >
>>> > -d
>>> >
>>> >
>>> > On September 18, 2020 23:11:48 Matt Sicker  wrote:
>>> >
>>> > > If you upload your key to your GitHub profile, that also makes it
>>> > > simple to find. For example, just add ".gpg" to your profile URL:
>>> > > https://github.com/fluffynuts.gpg
>>> > >
>>> > > On Fri, 18 Sep 2020 at 16:08, Remko Popma  wrote:
>>> > >>
>>> > >> +1 remko
>>> > >>
>>> > >> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker  wrote:
>>> > >>
>>> > >> > How about your gpg key? I don't think we've imported that to the KEYS
>>> > >> > file as far as I can tell?
>>> > >> >
>>> > >> > On Fri, 18 Sep 2020 at 15:53, Matt Sicker  wrote:
>>> > >> > >
>>> > >> > > Oh sorry, I didn't notice that you uploaded them there (wasn't even
>>> > >> > > aware that it was possible to be honest).
>>> > >> > >
>>> > >> > > On Fri, 18 Sep 2020 at 14:43, Davyd McColl wrote:
>>> > >> > > >
>>> > >> > > > Hi Matt
>>> > >> > > >
>>> > >> > > > Release artifacts are available on the GitHub release page
>>> > >> > > > (https://GitHub.com/Apache/logging-log4net/releases) - expand the assets
>>> > >> > > > list if it's collapsed.
>>> > >> > > >
>>> > >> > > > I'll need someone to upload them to the downloads source as I think I don't
>>> > >> > > > have access to do so (if I'm wrong, I'd love to be corrected, because I'd
>>> > >> > > > be less of an annoyance then!). Ralph has stepped in to help here in the past.
>>> > >> > > >
>>> > >> > > > -d
>>> > >> > > >
>>> > >> > > >
>>> > >> > > > On September 18, 2020 20:09:07 Matt Sicker wrote:
>>> > >> > > >
>>> > >> > > > > Do you have links to the release artifacts? The download page links to
>>> > >> > > > > the live site which doesn't have the artifacts yet since they're not
>>> > >> > > > > released yet. :)
>>> > >> > > > >
>>> > >> > > > > On Fri, 18 Sep 2020 at 09:05, Davyd McColl wrote:
>>> > >> > > > >>
>>> > >> > > > >> Hi all
>>> > >> > > > >>
>>> > >> > > > >> I have another potential release available: 2.0.11, tagged as rc/2.0.11
>>> > >> > > > >>
>>> > >> > > > >> Changes are really minor:
>>> > >> > > > >> - fixed assembly versioning (all assemblies should report 2.0.11.0 as their
>>> > >> > > > >> version now)
>>> > >> > > > >> - properly dispose
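
The distinction raised in the quoted review above (an .asc that is a signed copy of the file versus a detached signature over the accompanying file) can be checked before a vote by looking at the armor type and the first OpenPGP packet tag. The following Python is an added example, not code from this thread or from the log4net project; the function names, file names and sample bytes are constructed for illustration and the samples are packet headers only, not real signatures.

```python
import base64
import binascii

# OpenPGP packet tags (RFC 4880, section 4.3) that can open a signing output.
TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_COMPRESSED, TAG_LITERAL = 2, 4, 8, 11


def dearmor(text):
    """Return (armor_type, packet_bytes) for the first ASCII-armor block in text."""
    lines = text.strip().splitlines()
    begin = next((i for i, l in enumerate(lines)
                  if l.startswith("-----BEGIN PGP ")), None)
    if begin is None:
        return None, b""
    armor_type = lines[begin].strip().strip("-")[len("BEGIN PGP "):]
    if armor_type == "SIGNED MESSAGE":
        return armor_type, b""  # cleartext follows, not base64
    body = []
    for line in lines[begin + 1:]:
        line = line.strip()
        if line.startswith("-----END PGP "):
            break
        # Skip the blank separator, "Key: value" armor headers and the
        # "=XXXX" CRC24 line; none of them are packet data.
        if not line or ":" in line or line.startswith("="):
            continue
        body.append(line)
    try:
        return armor_type, base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return armor_type, b""


def first_packet_tag(raw):
    """Decode the tag from the first packet header octet, or None if invalid."""
    if not raw or not raw[0] & 0x80:   # bit 7 must be set in every packet header
        return None
    if raw[0] & 0x40:                  # new-format header: tag in the low 6 bits
        return raw[0] & 0x3F
    return (raw[0] & 0x3C) >> 2        # old-format header: tag in bits 5..2


def classify(data):
    """Return 'detached', 'inline', 'clearsigned' or 'unknown' for a signature file."""
    raw = data
    if b"-----BEGIN PGP " in data:
        armor_type, raw = dearmor(data.decode("ascii", "replace"))
        if armor_type == "SIGNED MESSAGE":
            return "clearsigned"
    tag = first_packet_tag(raw)
    if tag == TAG_SIGNATURE:
        return "detached"   # bare signature: must be verified against another file
    if tag in (TAG_ONE_PASS_SIG, TAG_COMPRESSED, TAG_LITERAL):
        return "inline"     # carries its own copy of the data: verifies only itself
    return "unknown"


def audit_release(files):
    """files maps name -> bytes. Return {artifact: problem} where the .asc is unusable."""
    problems = {}
    for name in sorted(files):
        if name.endswith(".asc"):
            continue
        sig = files.get(name + ".asc")
        if sig is None:
            problems[name] = "no .asc file"
        elif classify(sig) != "detached":
            problems[name] = f".asc is {classify(sig)}, not a detached signature"
    return problems


def armor(kind, raw):
    """Wrap constructed packet bytes in ASCII armor (checksum line omitted)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{b64}\n-----END PGP {kind}-----\n".encode()


# Constructed samples: only the leading header octet is meaningful.
DETACHED = armor("SIGNATURE", bytes([0x89, 0x01, 0x33]) + bytes(18))  # old format, tag 2
INLINE = armor("MESSAGE", bytes([0xA3, 0x01]) + bytes(18))            # old format, tag 8
CLEARSIGNED = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               b"constructed text\n" + DETACHED)

# Hypothetical release directory, as name -> content.
SAMPLE_RELEASE = {
    "example-bin.zip": b"PK...", "example-bin.zip.asc": INLINE,
    "example-src.zip": b"PK...", "example-src.zip.asc": DETACHED,
    "example-doc.zip": b"PK...",
}

if __name__ == "__main__":
    for artifact, problem in audit_release(SAMPLE_RELEASE).items():
        print(f"{artifact}: {problem}")
```

A file that passes this check still has to be verified cryptographically, for example with `gpg --verify FILE.asc FILE`, against a key taken from the project's KEYS file.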

Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Davyd McColl

Hi Ralph

I think I miscommunicated: I'm not regenerating my signing key - just the 
nuget API key for package upload. This forces me to log in at nuget.org 
which has 2fa and then I only use that key on the cli for the immediate upload.


My gpg key as at https://GitHub.com/fluffynuts.gpg is the same that I used 
last time.


-d


On September 20, 2020 09:01:36 Ralph Goers wrote:

> In the long run you don’t want to be regenerating your signing key for
> every release. The point is that you would upload the key to a central
> keystore and other people would sign it there. At ApacheCon we would have a
> key signing “party” where we recorded each other's keys and then would take
> our list and update the central keystore. When people verify the key they
> can look at the keystore and see that it is signed by a number of people,
> who then have their keys by a number of people and so on so you are
> building a web of trust. Sooner or later there will be someone in that web
> that you personally know and trust.
>
> Ralph


> >> > > > > On Fri, 18 Sep 2020 at 09:05, Davyd McColl wrote:
> >> > > > >>
> >> > > > >> Hi all
> >> > > > >>
> >> > > > >> I have another potential release available: 2.0.11, tagged as rc/2.0.11
> >> > > > >>
> >> > > > >> Changes are really minor:
> >> > > > >> - fixed assembly versioning (all assemblies should report 2.0.11.0 as their
> >> > > > >> version now)
> >> > > > >> - properly dispose of StreamWriters within logging appenders (thanks to
> >> > > > >> @NicholasNoise)
> >> > > > >>
> >> > > > >> Binar

Re: [log4cxx] Site / Documentation thoughts

2020-09-20 Thread Thorsten Schöning
Good day Matt Sicker,
on Saturday, 19 September 2020 at 22:24 you wrote:

> The files that get published are now stored in git repos rather than
> the svn repos. Subversion is used for artifacts only right now.

This means the current process to publish the site for log4cxx is
broken anyway and needs to be changed. It heavily relies on
SVN-operations currently.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning   E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme  http://www.AM-SoFT.de/

Phone...05151-  9468- 55
Fax...05151-  9468- 88
Mobile..0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow



Re: [log4cxx] Site / Documentation thoughts

2020-09-20 Thread Thorsten Schöning
Good day Robert Middleton,
on Sunday, 20 September 2020 at 03:47 you wrote:

> Perhaps, although that does require doxygen to be installed.  My
> thought on that though
> is that you only want to generate API docs on every commit if they are
> clearly for
> bleeding-edge uses; generally, people should be using the
> documentation for the release
> that they are using.

Publishing online is bleeding-edge per definition, that's why the
different directories "latest|next|old_stable" exist: Within each of
those, APIDOCs can be as current as the latest commit to their
associated branches. No need to maintain/update/generate that manually
in theory.

> Anyway, I've done some conversion that you can see here:
> https://rm5248.com/log4cxx/apidocs/index.html

How things look is pretty much a matter of taste, but the
overall approach to move content to markdown and render that somehow
seems like the correct thing to do. In the end it's pretty much the
same approach like is done with "package-info.java" for JAVADOC in the
end in my opinion. There are some projects which only publish contents
like how to use something etc. that way as well.

Kind regards,

Thorsten Schöning




Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Matt Sicker
We’re not quite as strict as Debian for keys (though if you can find a
Debian group locally, they’re great for key signing). The video call idea
could work for exchanging keys. What times would you be available to do
that?

On Sun, Sep 20, 2020 at 03:09 Davyd McColl wrote:

> Hi Ralph
>
> I think I miscommunicated: I'm not regenerating my signing key - just the
> nuget API key for package upload. This forces me to log in at nuget.org
> which has 2fa and then I only use that key on the cli for the immediate
> upload.
>
> My gpg key as at https://GitHub.com/fluffynuts.gpg is the same that I
> used last time.
>
> -d

Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Davyd McColl
Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I fetch my 
son from school)


-d


On September 20, 2020 18:44:19 Matt Sicker wrote:

> We’re not quite as strict as Debian for keys (though if you can find a
> Debian group locally, they’re great for key signing). The video call idea
> could work for exchanging keys. What times would you be available to do
> that?


Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Matt Sicker
I should be able to do 08:00 tomorrow morning (still night in my time zone
but technically still tomorrow either way). If I weren’t on vacation at the
moment, we’d have to do the other end of your schedule which would be
during my typical “meetings with the other hemisphere” hours (some of my
work teammates are in the same time zone as you out in EU).

On Sun, Sep 20, 2020 at 11:47 Davyd McColl wrote:

> Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I fetch my
> son from school)
>
> -d

Fwd: [logging-log4j2] branch master updated (bf16de8 -> e382adb)

2020-09-20 Thread Matt Sicker
Why does this say "No new revisions were added by this update"? This
has been going on any time I push commits to master, though it's not
happening when I push them to release-2.x. I only noticed this now
because I hadn't backported this at the same time.

-- Forwarded message -
From: 
Date: Sun, 20 Sep 2020 at 13:52
Subject: [logging-log4j2] branch master updated (bf16de8 -> e382adb)
To: comm...@logging.apache.org 


This is an automated email from the ASF dual-hosted git repository.

mattsicker pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git.


from bf16de8  Revert "Migrate more tests to JUnit 5"
 add e382adb  Update spotbugs from 3.0.x to 4.0.x

No new revisions were added by this update.

Summary of changes:
 log4j-bom/pom.xml |  8 
 log4j-samples/log4j-samples-configuration/pom.xml |  1 +
 log4j-samples/log4j-samples-flume-common/pom.xml  |  1 +
 log4j-samples/log4j-samples-flume-embedded/pom.xml|  1 +
 log4j-samples/log4j-samples-flume-remote/pom.xml  |  1 +
 log4j-samples/log4j-samples-loggerProperties/pom.xml  |  1 +
 log4j-samples/pom.xml |  1 -
 log4j-spring-boot/pom.xml | 15 +++
 .../log4j-spring-cloud-config-client/pom.xml  |  1 -
 .../log4j-spring-cloud-config-sample-application/pom.xml  |  1 -
 .../log4j-spring-cloud-config-sample-server/pom.xml   |  9 -
 .../log4j-spring-cloud-config-samples/pom.xml |  8 +++-
 log4j-spring-cloud-config/pom.xml |  1 -
 pom.xml   |  4 ++--
 14 files changed, 33 insertions(+), 20 deletions(-)



-- 
Matt Sicker 


Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Ralph Goers
8am in Durban South Africa is 11pm the night before in Phoenix AZ.  However, I 
frequently am up until midnight so that could work. 5-5:30 pm is 7:30-8 am in 
Phoenix. I usually am not in front of my computer on a weekday until 8 am but 
on occasion I can do earlier.

Ralph

> On Sep 20, 2020, at 9:46 AM, Davyd McColl  wrote:
> 
> Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I fetch my son 
> from school)
> 
> -d
> 
> 
> On September 20, 2020 18:44:19 Matt Sicker  wrote:
> 
>> We’re not quite as strict as Debian for keys (though if you can find a
>> Debian group locally, they’re great for key signing). The video call idea
>> could work for exchanging keys. What times would you be available to do
>> that?
>> 

Re: [logging-log4j2] branch master updated (bf16de8 -> e382adb)

2020-09-20 Thread Ralph Goers
You will have to ask infra.  Based on what I found on Google it looks like
there is a post-commit hook to send email that uses git rev-list and based on
the result of that may generate that line. From what I can see git rev-list
walks up the commit tree but I don’t really know what it is trying to do.

Ralph

> On Sep 20, 2020, at 11:56 AM, Matt Sicker  wrote:
> 
> Why does this say "No new revisions were added by this update"? This
> has been going on any time I push commits to master, though it's not
> happening when I push them to release-2.x. I only noticed this now
> because I hadn't backported this at the same time.
> 
> -- Forwarded message -
> From: 
> Date: Sun, 20 Sep 2020 at 13:52
> Subject: [logging-log4j2] branch master updated (bf16de8 -> e382adb)
> To: comm...@logging.apache.org 
> 
> 
> This is an automated email from the ASF dual-hosted git repository.
> 
> mattsicker pushed a change to branch master
> in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git.
> 
> 
>     from bf16de8  Revert "Migrate more tests to JUnit 5"
>      add e382adb  Update spotbugs from 3.0.x to 4.0.x
> 
> No new revisions were added by this update.
> 
> Summary of changes:
> log4j-bom/pom.xml |  8 
> log4j-samples/log4j-samples-configuration/pom.xml |  1 +
> log4j-samples/log4j-samples-flume-common/pom.xml  |  1 +
> log4j-samples/log4j-samples-flume-embedded/pom.xml|  1 +
> log4j-samples/log4j-samples-flume-remote/pom.xml  |  1 +
> log4j-samples/log4j-samples-loggerProperties/pom.xml  |  1 +
> log4j-samples/pom.xml |  1 -
> log4j-spring-boot/pom.xml | 15 +++
> .../log4j-spring-cloud-config-client/pom.xml  |  1 -
> .../log4j-spring-cloud-config-sample-application/pom.xml  |  1 -
> .../log4j-spring-cloud-config-sample-server/pom.xml   |  9 -
> .../log4j-spring-cloud-config-samples/pom.xml |  8 +++-
> log4j-spring-cloud-config/pom.xml |  1 -
> pom.xml   |  4 ++--
> 14 files changed, 33 insertions(+), 20 deletions(-)
> 
> 
> 
> -- 
> Matt Sicker 
> 




Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Davyd McColl
I'm happy to be available at 8am my side, if that works for everyone else. 
It sounds like earlier would be better, but I'm doing the morning school 
run from 7am and can't guarantee I'll be back significantly before 8am.


How to do this? I have zoom and slack on my work machine, can install 
Skype if that's more convenient, can do google meet, I assume, though 
haven't ever tried, so may need a bit of a crash intro.


If posting meeting details to the mailing list is not on, feel free to 
email me directly (:


-d


On September 20, 2020 20:58:29 Ralph Goers  wrote:

8am in Durban South Africa is 11pm the night before in Phoenix AZ.  
However, I frequently am up until midnight so that could work. 5-5:30 pm is 
7:30-8 am in Phoenix. I usually am not in front of my computer on a weekday 
until 8 am but on occasion I can do earlier.


Ralph


On Sep 20, 2020, at 9:46 AM, Davyd McColl  wrote:

Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I fetch my 
son from school)


-d


On September 20, 2020 18:44:19 Matt Sicker  wrote:


We’re not quite as strict as Debian for keys (though if you can find a
Debian group locally, they’re great for key signing). The video call idea
could work for exchanging keys. What times would you be available to do
that?

On Sun, Sep 20, 2020 at 03:09 Davyd McColl  wrote:


Hi Ralph

I think I miscommunicated: I'm not regenerating my signing key - just the
nuget API key for package upload. This forces me to log in in nuget.org
which has 2fa and then I only use that key on the cli for the immediate
upload.

My gpg key as at https://GitHub.com/fluffynuts.gpg is the same that I
used last time.

-d

On September 20, 2020 09:01:36 Ralph Goers wrote:

> In the long run you don’t want to be regenerating your signing key for
> every release. The point is that you would upload the key to a central
> keystore and other people would sign it there. At ApacheCon we would have a
> key signing “party” where we recorded each others keys and then would take
> our list and update the central keystore. When people verify the key they
> can look at the keystore and see that it is signed by a number of people,
> who then have their keys by a number of people and so on so you are
> building a web of trust.  Sooner or later there will be someone in that web
> that you personally know and trust.
>
> Ralph
>
>> On Sep 19, 2020, at 11:26 PM, Davyd McColl wrote:
>>
>> Thanks Matt, I've updated the artifacts on GitHub to have detached
>> signatures. I had previously also uploaded my key to sks-keyservers.net,
>> but I've also uploaded to MIT, though search there always times out.
>>
>> The document you've linked mentions face-to-face interactions to get my key
>> into the official KEYS file. Not sure how many apache people are at my end
>> of the world (Durban, South Africa), but I can do an online meeting if that
>> helps. Last release, Ralph said I should sign, so I did. I'm new to signing
>> release artifacts - I've generally relied on authentication during upload
>> as verification of authenticity, with 2FA wherever possible (GitHub and
>> NPM; nuget survives with an apikey - but for the last 2 releases, I've
>> regenerated the key on each use and only supplied it on the cli at upload,
>> so as not to store it locally)
>>
>> -d
>>
>> On September 19, 2020 22:23:41 Matt Sicker wrote:
>>
>>> Oh and there's a bit of an issue with the signed files: it looks like
>>> you included _signed files_ rather than detached signatures. Thus, the
>>> .asc files are only verifying themselves rather than the accompanying
>>> file.
>>>
>>> There's a --detached option in gpg for this (yeah, it's always had a bad UI).
>>>
>>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker wrote:
>>>
>>>> The KEYS file [1] that's linked on the download page does not have
>>>> your key in it. Neither does other KEYS file [2]. Check out [3] for
>>>> more info.
>>>>
>>>> [1]: https://downloads.apache.org/logging/log4net/KEYS
>>>> [2]: https://downloads.apache.org/logging/KEYS
>>>> [3]: https://infra.apache.org/release-signing.html#keys-policy
>>>>
>>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl wrote:
>>>> >
>>>> > Thanks Matt, I've done so. Hopefully that makes it easier to verify
>>>> > artifacts that I have signed.
>>>> >
>>>> > -d
>>>> >
>>>> > On September 18, 2020 23:11:48 Matt Sicker wrote:
>>>> >
>>>> > > If you upload your key to your GitHub profile, that also makes it
>>>> > > simple to find. For example, just add ".gpg" to your profile URL:
>>>> > > https://github.com/fluffynuts.gpg
>>>> > >
>>>> > > On Fri, 18 Sep 2020 at 16:08, Remko Popma wrote:
>>>> > >>
>>>> > >> +1 remko
>>>> > >>
>>>> > >> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker wrote:
>>>> > >>
>>>> > >> > How about your gpg key? I don't think we've imported that to the KEYS
>>>> > >> > file as far as I can tell?
>>>> > >> >
>>>> > >> > On Fri, 18
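
The issue Matt Sicker raises in the quoted message above (.asc files that are signed files rather than detached signatures) can be checked by reading the ASCII armor type and the first OpenPGP packet tag. This is an added example, not part of the thread or of Apache's tooling; the file names and sample blobs are constructed (correct packet header bytes followed by filler), and the function names are hypothetical.

```python
import base64

# First-packet tags from RFC 4880 section 4.3.
SIGNATURE, ONE_PASS_SIG, COMPRESSED, LITERAL = 2, 4, 8, 11
BEGIN, TAIL = "-----BEGIN PGP ", "-----"


def first_packet_tag(data: bytes) -> int:
    """Return the tag of the first OpenPGP packet in a binary stream."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet stream")
    if data[0] & 0x40:                # new-format header: tag is bits 5..0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F      # old-format header: tag is bits 5..2


def dearmor(text: str):
    """Return (armor type, decoded bytes) for the first ASCII-armor block."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = next((i for i, ln in enumerate(lines)
                  if ln.startswith(BEGIN) and ln.endswith(TAIL)), None)
    if start is None:
        raise ValueError("no ASCII armor found")
    kind = lines[start][len(BEGIN):-len(TAIL)]
    if kind == "SIGNED MESSAGE":      # cleartext signature: signed text is inline
        return kind, b""
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].startswith("-----END PGP ")), len(lines))
    body = lines[start + 1:end]
    if "" in body:                    # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # Drop the "=XXXX" CRC-24 line; everything else is base64 payload.
    payload = "".join(ln for ln in body if ln and not ln.startswith("="))
    return kind, base64.b64decode(payload)


def classify_asc(text: str) -> str:
    """Say whether an .asc file is a detached signature or carries its own content."""
    kind, data = dearmor(text)
    if kind == "SIGNED MESSAGE":
        return "clearsigned"          # like gpg --clearsign: text and signature together
    tag = first_packet_tag(data)
    if kind == "SIGNATURE" and tag == SIGNATURE:
        return "detached"             # like gpg --detach-sign: signature packet only
    if kind == "MESSAGE" and tag in (COMPRESSED, ONE_PASS_SIG, LITERAL):
        return "inline-message"       # like gpg --sign: content wrapped inside the file
    return "unknown"


def not_detached(asc_files: dict) -> dict:
    """Map each .asc name that is not a detached signature to what it is instead."""
    kinds = {name: classify_asc(text) for name, text in asc_files.items()}
    return {name: kind for name, kind in kinds.items() if kind != "detached"}


def armor(kind: str, payload: bytes) -> str:
    """Wrap bytes in ASCII armor (the optional checksum line is omitted)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{b64}\n-----END PGP {kind}-----\n"


# Constructed samples (hypothetical file names): real packet header bytes
# followed by filler, so they classify correctly but verify nothing.
SAMPLES = {
    "example-1.0.zip.asc": armor("SIGNATURE", b"\x89\x00\x04fill"),
    "example-1.0.nupkg.asc": armor("MESSAGE", b"\xa3\x01filler"),
    "NOTES.txt.asc": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                     "release notes\n" + armor("SIGNATURE", b"\xc2\x04fill"),
}

if __name__ == "__main__":
    for name, kind in not_detached(SAMPLES).items():
        print(f"{name}: {kind}, does not cover the accompanying artifact")
```

A file classified as anything other than "detached" carries its own content, so a successful check of that file says nothing about the artifact published next to it. With gpg itself, passing both the signature and the artifact to `gpg --verify` checks the signature against that artifact.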

Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Matt Sicker
I sent a Google Meet invite to you.

On Sun, 20 Sep 2020 at 14:26, Davyd McColl  wrote:
>
> I'm happy to be available at 8am my side, if that works for everyone else.
> It sounds like earlier would be better, but I'm doing the morning school
> run from 7am and can't guarantee I'll be back significantly before 8am.
>
>  How to do this? I have zoom and slack on my work machine, can install
> Skype if that's more convenient, can do google meet, I assume, though
> haven't ever tried, so may need a bit of a crash intro.
>
> If posting meeting details to the mailing list is not on, feel free to
> email me directly (:
>
> -d
>
>
> On September 20, 2020 20:58:29 Ralph Goers  wrote:
>
> > 8am in Durban South Africa is 11pm the night before in Phoenix AZ.
> > However, I frequently am up until midnight so that could work. 5-5:30 pm is
> > 7:30-8 am in Phoenix. I usually am not in front of my computer on a weekday
> > until 8 am but on occasion I can do earlier.
> >
> > Ralph
> >
> >> On Sep 20, 2020, at 9:46 AM, Davyd McColl  wrote:
> >>
> >> Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I fetch my
> >> son from school)
> >>
> >> -d
> >>
> >>
> >> On September 20, 2020 18:44:19 Matt Sicker  wrote:
> >>
> >>> We’re not quite as strict as Debian for keys (though if you can find a
> >>> Debian group locally, they’re great for key signing). The video call idea
> >>> could work for exchanging keys. What times would you be available to do
> >>> that?

Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Ralph Goers
I don’t have google meet and I can’t use Skype since Microsoft hosed my 
authentication. I have zoom. My company uses Amazon Chime, which is fairly new, 
as part of our product offering.  I’ve sent you both emails for a meeting using 
that.

Ralph

> On Sep 20, 2020, at 1:01 PM, Matt Sicker  wrote:
> 
> I sent a Google Meet invite to you.
> 
> On Sun, 20 Sep 2020 at 14:26, Davyd McColl  wrote:
>> 
>> I'm happy to be available at 8am my side, if that works for everyone else.
>> It sounds like earlier would be better, but I'm doing the morning school
>> run from 7am and can't guarantee I'll be back significantly before 8am.
>> 
>> How to do this? I have zoom and slack on my work machine, can install
>> Skype if that's more convenient, can do google meet, I assume, though
>> haven't ever tried, so may need a bit of a crash intro.
>> 
>> If posting meeting details to the mailing list is not on, feel free to
>> email me directly (:
>> 
>> -d
>> 
>> 
>> On September 20, 2020 20:58:29 Ralph Goers  
>> wrote:
>> 
>>> 8am in Durban South Africa is 11pm the night before in Phoenix AZ.
>>> However, I frequently am up until midnight so that could work. 5-5:30 pm is
>>> 7:30-8 am in Phoenix. I usually am not in front of my computer on a weekday
>>> until 8 am but on occasion I can do earlier.
>>> 
>>> Ralph

Re: [VOTE] [log4net] Release 2.0.11

2020-09-20 Thread Matt Sicker
I can use whatever.

On Sun, 20 Sep 2020 at 15:26, Ralph Goers  wrote:
>
> I don’t have google meet and I can’t use Skype since Microsoft hosed my 
> authentication. I have zoom. My company uses Amazon Chime, which is fairly 
> new, as part of our product offering.  I’ve sent you both emails for a 
> meeting using that.
>
> Ralph
>
> > On Sep 20, 2020, at 1:01 PM, Matt Sicker  wrote:
> >
> > I sent a Google Meet invite to you.
> >
> > On Sun, 20 Sep 2020 at 14:26, Davyd McColl  wrote:
> >>
> >> I'm happy to be available at 8am my side, if that works for everyone else.
> >> It sounds like earlier would be better, but I'm doing the morning school
> >> run from 7am and can't guarantee I'll be back significantly before 8am.
> >>
> >> How to do this? I have zoom and slack on my work machine, can install
> >> Skype if that's more convenient, can do google meet, I assume, though
> >> haven't ever tried, so may need a bit of a crash intro.
> >>
> >> If posting meeting details to the mailing list is not on, feel free to
> >> email me directly (:
> >>
> >> -d
> >>
> >>
> >> On September 20, 2020 20:58:29 Ralph Goers  
> >> wrote:
> >>
> >>> 8am in Durban South Africa is 11pm the night before in Phoenix AZ.
> >>> However, I frequently am up until midnight so that could work. 5-5:30 pm 
> >>> is
> >>> 7:30-8 am in Phoenix. I usually am not in front of my computer on a 
> >>> weekday
> >>> until 8 am but on occasion I can do earlier.
> >>>
> >>> Ralph