How to update tools/dist/security/_gnupg.py?
_gnupg.py is used by release.py and by advisory.py (the confidential
pre-notification script).  I'm getting an error from it:

[[[
$ python2 tools/dist/release.py check-sigs --target=wc-of-dist 1.9.6
INFO:root:Checking 3 sig(s) in ./subversion-1.9.6.tar.bz2.asc
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/home/daniel/in/svn/t1/tools/dist/security/_gnupg.py", line 770, in _read_response
    result.handle_status(keyword, value)
  File "/home/daniel/in/svn/t1/tools/dist/security/_gnupg.py", line 292, in handle_status
    raise ValueError("Unknown status message: %r" % key)
ValueError: Unknown status message: u'KEY_CONSIDERED'

BAD SIGNATURE for ./subversion-1.9.6.tar.bz2.asc
]]]

That error is from tools/dist/security/_gnupg.py.  The error disappears
when I install that module via my OS packages, so I assume we should
update our import.

How do we do that?  I couldn't find any instructions, and the top
comments don't identify the homepage, so I'm not sure where the
*canonical* upstream is.  (As opposed to possible forks)

Cheers,

Daniel

P.S. Incidentally, my OS packages also report that the module depends on
the deprecated gpg1 packages, so in the long term either the module will
convert to gpg2 or we'll have to switch to another module.
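Added example (not part of the original message, and not code from _gnupg.py or from its upstream module): in the output above the reader thread dies on the informational KEY_CONSIDERED status line and the check ends in BAD SIGNATURE. The code below parses `gpg --status-fd` style lines, records keywords it does not handle instead of raising, and still fails closed on BADSIG, ERRSIG and similar; the function names and the sample status lines are assumptions constructed for illustration.

```python
# Added example: forward-compatible, fail-closed parsing of gpg --status-fd output.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
PREFIX = "[GNUPG:] "


def parse_status(text):
    """Yield (keyword, args) for every '[GNUPG:] KEYWORD args' line."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            keyword, _, args = line[len(PREFIX):].partition(" ")
            yield keyword, args.split()


def check_signatures(text, expected=None):
    """Return (ok, fingerprints, failures, ignored) for one verification run."""
    fingerprints, failures, ignored = [], [], set()
    for keyword, args in parse_status(text):
        if keyword == "VALIDSIG" and args:
            fingerprints.append(args[0])   # first field is the key fingerprint
        elif keyword in FAILURES:
            failures.append((keyword, args[0] if args else ""))
        elif keyword != "GOODSIG":
            ignored.add(keyword)           # e.g. KEY_CONSIDERED: note it, don't raise
    ok = bool(fingerprints) and not failures
    if expected is not None:
        ok = ok and len(fingerprints) == expected
    return ok, fingerprints, failures, sorted(ignored)


# Constructed sample input; key IDs, fingerprints and user IDs are placeholders.
FPR_A, FPR_B = "A" * 40, "B" * 40
GOOD_RUN = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED %s 0" % FPR_A,
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Placeholder Signer <a@example.invalid>",
    "[GNUPG:] VALIDSIG %s 2017-06-30 1498827900 0 4 0 1 10 00 %s" % (FPR_A, FPR_A),
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED %s 0" % FPR_B,
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Placeholder Signer <b@example.invalid>",
    "[GNUPG:] VALIDSIG %s 2017-06-30 1498827901 0 4 0 1 10 00 %s" % (FPR_B, FPR_B),
])
BAD_RUN = GOOD_RUN + "\n[GNUPG:] NEWSIG\n[GNUPG:] BADSIG CCCCCCCCCCCCCCCC Placeholder Signer"

if __name__ == "__main__":
    print(check_signatures(GOOD_RUN, expected=2))
    print(check_signatures(BAD_RUN))
```

Passing `expected` makes a run with fewer valid signatures than the caller expects count as a failure, rather than being accepted because at least one signature verified.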
Re: 1.9.6 up for signing/testing
Stefan Fuhrmann wrote on Sat, 01 Jul 2017 20:52 +0200:
> Results:
>
> (Ruby tests) Various test failures. Mostly related to sqlite in WC:
>     "Svn::Error::SqliteBusy: sqlite[S5]: database is locked" when
>     accessing Svn::Wc::AdmAccess methods.
> (Perl tests): Several warnings issued (all tests still reported as
>     passed):
>     Warning: unable to close filehandle $out_fh properly: Bad file
>     descriptor at
>     /dev/shm/dist/subversion-1.9.6/subversion/bindings/swig/perl/native/blib/lib/SVN/Core.pm
>     line 58
> (Java tests): Many warnings issued (all tests still reported as passed):
>     WARNING in native method: JNI call made without checking
>     exceptions when required to from CallObjectMethodV
> (Ubuntu issue) ./configure needed global variables set to make LTO work:
>     AR="gcc-ar" NM="gcc-nm" RANLIB=gcc-ranlib
>
> All tests passed.

To be clear, I assume these are not regressions from 1.9.5, since the only
bindings change since then is a bugfix to the javahl svn_ra_open4()
redirection support.

Cheers,

Daniel
Re: 1.9.6 up for signing/testing
On 30.06.2017 15:05, Daniel Shahaf wrote:
> The 1.9.6 release artifacts are now available for testing/signing.
>
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.
>
> I'm aiming to release this within a week.  (CHANGES points to this
> Wednesday, which may be a bit optimistic on my part.)
>
> Special notes for this release:
>
> 1. *.sha512 files are being created.  Please verify them as you used to
>    verify the *.sha1 files.
>
> 2. CHANGES links to a not-yet-written section of the release notes.
>    That section is expected to be written in the next few days.
>
> Thanks!

Summary: +1 to release (despite binding issues - see below)

Platform
  Ubuntu 16.04.2 x64, Linux 4.4.0-81-generic SMP

Standard dependencies:
  Apache 2.4.18, worker MPM
  APR 1.5.2
  APR-Util 1.5.4
  BDB 5.3.28
  GCC 5.4.0
  JUnit 4.12
  libmagic 5.25
  libtool, libtool-bin 2.4.6
  OpenJDK-8 8u77
  OpenSSL 1.0.2g
  Perl 5.22.1
  Python 2.7.11
  Ruby 2.3.0
  Serf 1.3.8
  SQLite 3.11.0
  Swig 2.0.12
  zlib 1.2.8

Manually installed and in-tree dependencies:
  ctypesgen svn-r151

Verified:
  Tarball contents and signatures
  (fsfs, bdb, fsx) x (local, svnserve, serf)
  check-swig-py
  check-swig-pl
  check-swig-rb
  check-javahl
  check-ctypes-python
  ./get-deps.sh

Results:
  (Ruby tests) Various test failures. Mostly related to sqlite in WC:
      "Svn::Error::SqliteBusy: sqlite[S5]: database is locked" when
      accessing Svn::Wc::AdmAccess methods.
  (Perl tests): Several warnings issued (all tests still reported as
      passed):
      Warning: unable to close filehandle $out_fh properly: Bad file
      descriptor at
      /dev/shm/dist/subversion-1.9.6/subversion/bindings/swig/perl/native/blib/lib/SVN/Core.pm
      line 58
  (Java tests): Many warnings issued (all tests still reported as passed):
      WARNING in native method: JNI call made without checking
      exceptions when required to from CallObjectMethodV
  (Ubuntu issue) ./configure needed global variables set to make LTO work:
      AR="gcc-ar" NM="gcc-nm" RANLIB=gcc-ranlib

  All tests passed.

GPG Signatures committed to the dist/dev/subversion repository.
Re: 1.9.6 up for signing/testing
On Fri, Jun 30, 2017 at 3:05 PM, Daniel Shahaf wrote:
> The 1.9.6 release artifacts are now available for testing/signing.
>
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.
>
> I'm aiming to release this within a week.  (CHANGES points to this
> Wednesday, which may be a bit optimistic on my part.)
>
> Special notes for this release:
>
> 1. *.sha512 files are being created.  Please verify them as you used to
>    verify the *.sha1 files.
>
> 2. CHANGES links to a not-yet-written section of the release notes.
>    That section is expected to be written in the next few days.
>
> Thanks!

Summary
---
+1 to release

Platform
Windows 7 SP1 (x64)
Microsoft Visual Studio 2013

Verified
Signature, sha1 and sha512 for subversion-1.9.6.zip.
Contents of subversion-1.9.6.zip are identical to tags/1.9.6, and to
branches/1.9.x@1800392 (except for expected differences in
svn_version.h and svnpubsub, svnwcsub and nominate.pl (symlinks vs.
file contents), and generated files).

Tested
--
[ Release build ] x [ fsfs ] x [ file | svn | http ]

Results
---
All tests pass.

Dependencies
Httpd 2.4.16
Apr 1.5.2
Apr-Util 1.5.4
OpenSSL 1.0.2k
Serf 1.3.9
SQLite 3.19.3.0
ZLib 1.2.11

Signature - subversion-1.9.6.zip:

--
Johan
Re: 1.9.6 up for signing/testing
On Fri, Jun 30, 2017 at 01:05:48PM +, Daniel Shahaf wrote:
> The 1.9.6 release artifacts are now available for testing/signing.
>
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.
>
> I'm aiming to release this within a week.  (CHANGES points to this
> Wednesday, which may be a bit optimistic on my part.)
>
> Special notes for this release:
>
> 1. *.sha512 files are being created.  Please verify them as you used to
>    verify the *.sha1 files.
>
> 2. CHANGES links to a not-yet-written section of the release notes.
>    That section is expected to be written in the next few days.
>
> Thanks!

Summary: +1 to release

Tested:
  [bdb | fsfs] x [ra_local | ra_svn | ra_serf]
  swig bindings
  javahl bindings

Test results: All passed.

Platform: OpenBSD 6.1 amd64

Dependencies:
  bdb: 4.7.25
  GNU-iconv: 1.15
  apr: 1.5.2
  apr-util: 1.5.4
  httpd: 2.2.32
  serf: 1.3.9
  cyrus-sasl: 2.1.25
  sqlite: 3160200
  libssl: LibreSSL 2.5.2
  swig: 2.0.11
  python: 2.7.13
  perl: 5.24.1
  ruby: 2.1.10
  java: 1.7.0_80

Signatures:
  subversion-1.9.6.tar.gz
  subversion-1.9.6.tar.bz2
Re: 1.8.x vote urgently needed!
On 30.06.2017 16:38, Daniel Shahaf wrote:
> Stefan Sperling wrote on Fri, 30 Jun 2017 16:10 +0200:
>> We need an additional vote now in order to roll a 1.8 tarball today.
>> Can anyone help?
>>
>>  * r1785737, r1785738, r1785734, r1786447, r1785754, r1786445, r1786446,
>>    r1786515, r1794611, r1800387
>>    Make FSFS consistency no longer depend on hash algorithms.
>>    Justification:
>>      This eliminates any existing or future FSFS vulnerability due to
>>      attacks on MD5 or SHA1.
>>    Branch:
>>      ^/subversion/branches/1.8.x-strict-rep-sharing
>>    Notes:
>>      Depends on r1759116 for correctness with older APR.
>>      While the backport code is very close to the /trunk changes, it
>>      is easier to review them as r1787637, r1787638 and r1787652 on the
>>      branch.
>>      [Will create a text conflict with the r1785053 backport. Depending
>>      on which change gets merged first, the respective other must be
>>      updated.]
>>      r1800387 did the above merge and resolved the text conflicts.
>>    Votes:
>>      +1: stefan2, stsp
>>      -1: rhuijben (Until some additional fix like on 1.9 is applied.
>>          After that +1 on the current changes)
>
> Note that stefan2's and rhuijben's votes should be marked "(without
> r1800387)".

I updated my vote.

-- Stefan^2.