How to update tools/dist/security/_gnupg.py?

2017-07-01 Thread Daniel Shahaf
_gnupg.py is used by release.py and by advisory.py (the confidential 
pre-notification script).

I'm getting an error from it:

[[[
$ python2 tools/dist/release.py check-sigs --target=wc-of-dist 1.9.6
INFO:root:Checking 3 sig(s) in ./subversion-1.9.6.tar.bz2.asc
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/home/daniel/in/svn/t1/tools/dist/security/_gnupg.py", line 770, in _read_response
    result.handle_status(keyword, value)
  File "/home/daniel/in/svn/t1/tools/dist/security/_gnupg.py", line 292, in handle_status
    raise ValueError("Unknown status message: %r" % key)
ValueError: Unknown status message: u'KEY_CONSIDERED'

BAD SIGNATURE for ./subversion-1.9.6.tar.bz2.asc
]]]

That error is from tools/dist/security/_gnupg.py.  The error disappears when
I install that module via my OS packages, so I assume we should update our
import.  How do we do that?  I couldn't find any instructions, and the top
comments don't identify the homepage, so I'm not sure where the *canonical*
upstream is.  (As opposed to possible forks)

Cheers,

Daniel

P.S. Incidentally, my OS packages also report that the module depends on the
deprecated gpg1 packages, so in the long term either the module will convert
to gpg2 or we'll have to switch to another module


Re: 1.9.6 up for signing/testing

2017-07-01 Thread Daniel Shahaf
Stefan Fuhrmann wrote on Sat, 01 Jul 2017 20:52 +0200:
> Results:
> 
>   (Ruby tests) Various test failures. Mostly related to sqlite in WC:
>    "Svn::Error::SqliteBusy: sqlite[S5]: database is locked" when
>    accessing Svn::Wc::AdmAccess methods.
>   (Perl tests): Several warnings issued (all tests still reported as passed):
>     Warning: unable to close filehandle $out_fh properly: Bad file
>     descriptor at
>     /dev/shm/dist/subversion-1.9.6/subversion/bindings/swig/perl/native/blib/lib/SVN/Core.pm
>     line 58
>   (Java tests): Many warnings issued (all tests still reported as passed):
>     WARNING in native method: JNI call made without checking
>     exceptions when required to from CallObjectMethodV
>   (Ubuntu issue) ./configure needed global variables set to make LTO work:
>      AR="gcc-ar" NM="gcc-nm" RANLIB=gcc-ranlib
> 
>All tests passed.

To be clear, I assume these are not regressions from 1.9.5, since the
only bindings change since then is a bugfix to the javahl svn_ra_open4()
redirection support.

Cheers,

Daniel


Re: 1.9.6 up for signing/testing

2017-07-01 Thread Stefan Fuhrmann
On 30.06.2017 15:05, Daniel Shahaf wrote:
> The 1.9.6 release artifacts are now available for testing/signing.
>
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.
>
> I'm aiming to release this within a week.  (CHANGES points to this
> Wednesday, which may be a bit optimistic on my part.)
>
> Special notes for this release:
>
> 1. *.sha512 files are being created.  Please verify them as you used to
>verify the *.sha1 files.
>
> 2. CHANGES links to a not-yet-written section of the release notes.
>That section is expected to be written in the next few days.
>
> Thanks!


Summary:

  +1 to release
  (despite binding issues - see below)

Platform

  Ubuntu 16.04.2 x64, Linux 4.4.0-81-generic SMP

  Standard dependencies:
Apache 2.4.18, worker MPM
APR 1.5.2
APR-Util 1.5.4
BDB 5.3.28
GCC 5.4.0
JUnit 4.12
libmagic 5.25
libtool, libtool-bin 2.4.6
OpenJDK-8 8u77
OpenSSL 1.0.2g
Perl 5.22.1
Python 2.7.11
Ruby 2.3.0
Serf 1.3.8
SQLite 3.11.0
Swig 2.0.12
zlib 1.2.8

  Manually installed and in-tree dependencies:
ctypesgen svn-r151

Verified:

  Tarball contents and signatures

  (fsfs, bdb, fsx) x (local, svnserve, serf)
  check-swig-py
  check-swig-pl
  check-swig-rb
  check-javahl
  check-ctypes-python

  ./get-deps.sh

Results:

  (Ruby tests) Various test failures. Mostly related to sqlite in WC:
   "Svn::Error::SqliteBusy: sqlite[S5]: database is locked" when
   accessing Svn::Wc::AdmAccess methods.
  (Perl tests): Several warnings issued (all tests still reported as passed):
    Warning: unable to close filehandle $out_fh properly: Bad file
    descriptor at
    /dev/shm/dist/subversion-1.9.6/subversion/bindings/swig/perl/native/blib/lib/SVN/Core.pm
    line 58

  (Java tests): Many warnings issued (all tests still reported as passed):
    WARNING in native method: JNI call made without checking
    exceptions when required to from CallObjectMethodV
  (Ubuntu issue) ./configure needed global variables set to make LTO work:
     AR="gcc-ar" NM="gcc-nm" RANLIB=gcc-ranlib

  All tests passed.

GPG Signatures committed to the dist/dev/subversion repository.
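The release announcement asks testers to verify the new *.sha512 files the way the *.sha1 files used to be verified. The following is an added example, not the project's release.py, of a checksum-file verifier in the spirit of that step: it parses the coreutils `sha512sum` line format, refuses to be run with MD5 or SHA-1, rejects digests of the wrong length and entries whose file name could escape the directory, and compares digests in constant time. The tarball contents and the `.sha512` file in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Dict

# One line of a coreutils-style checksum file: "<hex>  <name>" or "<hex> *<name>".
CHECKSUM_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+\*?(\S.*)$")
WEAK_ALGORITHMS = {"md5", "sha1"}


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Map file name -> lowercase hex digest.  Names that look like paths are
    refused so a hostile checksum file cannot make us hash files elsewhere."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.match(line)
        if not m:
            raise ValueError("unrecognised checksum line: %r" % line)
        digest, name = m.group(1).lower(), m.group(2).strip()
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError("refusing path-like entry: %r" % name)
        entries[name] = digest
    return entries


def file_digest(path: Path, algo: str) -> str:
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum_file(checksum_path, algo: str = "sha512") -> Dict[str, bool]:
    """Verify every artifact named in the checksum file (expected beside it).
    Returns name -> True/False; a missing file or a digest of the wrong length
    (e.g. a SHA-1 line in a .sha512 file) is False, never an exception."""
    if algo in WEAK_ALGORITHMS:
        raise ValueError("%s is not acceptable for release verification" % algo)
    expected_hex_len = hashlib.new(algo).digest_size * 2
    checksum_path = Path(checksum_path)
    results = {}
    for name, digest in parse_checksum_file(checksum_path.read_text()).items():
        artifact = checksum_path.parent / name
        if len(digest) != expected_hex_len or not artifact.is_file():
            results[name] = False
            continue
        results[name] = hmac.compare_digest(file_digest(artifact, algo), digest)
    return results


def demo() -> Dict[str, bool]:
    """Constructed fixture: fake tarballs plus a .sha512 file containing one
    correct entry, one stale entry, one SHA-1-length entry and one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = d / "good.tar.bz2"
        tampered = d / "tampered.tar.bz2"
        short = d / "short.tar.bz2"
        good.write_bytes(b"constructed tarball contents, not a real release\n")
        tampered.write_bytes(b"constructed tarball contents, modified after hashing\n")
        short.write_bytes(b"constructed tarball contents\n")
        lines = [
            "%s  %s" % (file_digest(good, "sha512"), good.name),
            "%s  %s" % (hashlib.sha512(b"original bytes").hexdigest(), tampered.name),
            "%s  %s" % (hashlib.sha1(short.read_bytes()).hexdigest(), short.name),
            "%s  %s" % (hashlib.sha512(b"never published").hexdigest(), "missing.tar.bz2"),
        ]
        (d / "subversion.sha512").write_text("\n".join(lines) + "\n")
        return verify_checksum_file(d / "subversion.sha512")
```

A checksum file served from the same location as the tarball only detects corruption or a partial download; the authenticity check is the detached signature verified against the project's KEYS file, which is why both are asked for above.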


Re: 1.9.6 up for signing/testing

2017-07-01 Thread Johan Corveleyn
On Fri, Jun 30, 2017 at 3:05 PM, Daniel Shahaf  wrote:
> The 1.9.6 release artifacts are now available for testing/signing.
>
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.
>
> I'm aiming to release this within a week.  (CHANGES points to this
> Wednesday, which may be a bit optimistic on my part.)
>
> Special notes for this release:
>
> 1. *.sha512 files are being created.  Please verify them as you used to
>verify the *.sha1 files.
>
> 2. CHANGES links to a not-yet-written section of the release notes.
>That section is expected to be written in the next few days.
>
> Thanks!

Summary
-------
+1 to release

Platform
--------
Windows 7 SP1 (x64)
Microsoft Visual Studio 2013

Verified
--------
Signature, sha1 and sha512 for subversion-1.9.6.zip.

Contents of subversion-1.9.6.zip are identical to tags/1.9.6, and
to branches/1.9.x@1800392 (except for expected differences in svn_version.h
and svnpubsub, svnwcsub and nominate.pl (symlinks vs. file contents), and
generated files).

Tested
------
[ Release build ] x [ fsfs ] x [ file | svn | http ]

Results
-------
All tests pass.

Dependencies
------------
Httpd 2.4.16
Apr 1.5.2
Apr-Util 1.5.4
OpenSSL 1.0.2k
Serf 1.3.9
SQLite 3.19.3.0
ZLib 1.2.11

Signature
---------

subversion-1.9.6.zip:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

[...]
=AgyR
-----END PGP SIGNATURE-----

-- 
Johan


Re: 1.9.6 up for signing/testing

2017-07-01 Thread Stefan Sperling
On Fri, Jun 30, 2017 at 01:05:48PM +, Daniel Shahaf wrote:
> The 1.9.6 release artifacts are now available for testing/signing.
> 
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.
> 
> I'm aiming to release this within a week.  (CHANGES points to this
> Wednesday, which may be a bit optimistic on my part.)
> 
> Special notes for this release:
> 
> 1. *.sha512 files are being created.  Please verify them as you used to
>verify the *.sha1 files.
> 
> 2. CHANGES links to a not-yet-written section of the release notes.
>That section is expected to be written in the next few days.
> 
> Thanks!

Summary: +1 to release

Tested: [bdb | fsfs] x [ra_local | ra_svn | ra_serf]
swig bindings
javahl bindings

Test results: All passed.

Platform: OpenBSD 6.1 amd64

Dependencies:
bdb:4.7.25
GNU-iconv:  1.15
apr:1.5.2
apr-util:   1.5.4
httpd:  2.2.32
serf:   1.3.9
cyrus-sasl: 2.1.25
sqlite: 3160200
libssl: LibreSSL 2.5.2
swig:   2.0.11
python: 2.7.13
perl:   5.24.1
ruby:   2.1.10
java:   1.7.0_80

Signatures:

subversion-1.9.6.tar.gz
-----BEGIN PGP SIGNATURE-----

iQEcBAABAgAGBQJZV5teAAoJEE99uqmaWblz1wAIAM2a+/TvrmwMMPinWMmoL3Km
/MCVnJMV04zr8uU/ONsqSl86HarP6CXvvoO0zmXglIEY13SRnESUks5PA53SLNwv
0/gAwBsGUkYOVQVN3sALUM2wcn9WRuWpX3AEDAOQpWARi7Hc2gr8gFwpiKPpUZUF
fkjTjMDlgAFQaCqGNgYNLVkXNK4X11ukK9DLh4x3T03WXPWF6VRhv/2V4B4dga+J
EIXv+WL0zunUN9Pg8USO25RzIyYd540lohcjzR52BrdfrDWPdJG7judSg4838zQS
dKG9fxtxwBC2XgFVpTnhasFKRYmtCKdicxH6E1IfEc3tETP3OjdrkOmTXdS4UfM=
=MTz+
-----END PGP SIGNATURE-----

subversion-1.9.6.tar.bz2
-----BEGIN PGP SIGNATURE-----

iQEcBAABAgAGBQJZV5thAAoJEE99uqmaWblzZTgIAIGGh+L9Ig1LG86Ke2Dq14CP
cuye9x815CJhQ5W5apXScL4fSmh2dhJ1J3xg23oAexjI8MthkTuKWwjUsruW+zyl
7wbdQRGFex6VYattVLagoaXocOLi4S87U2GXgn2/eJB/zwB/uJIec/wdzP2YNFeZ
hnGcfg6/VmwoKy/HlzYCFe0QHrwbzSG/mbWSnk87Gp5WM26xnxiMUoDmwbcxRFvq
q6KaXRQGJz4gYgNdSOZ2fHSFDN66hUm7YOBMYx6hTklt3+uDdJYNpH/FCN8BEKf8
UypPqu5vorkdw/I4kT+4v5xbzWK06UQm9hNeLdxYFYSdfAYljfUyseVdmyGfBdY=
=qvqr
-----END PGP SIGNATURE-----


Re: 1.8.x vote urgently needed!

2017-07-01 Thread Stefan Fuhrmann
On 30.06.2017 16:38, Daniel Shahaf wrote:
> Stefan Sperling wrote on Fri, 30 Jun 2017 16:10 +0200:
>> We need an additional vote now in order to roll a 1.8 tarball today.
>>
>> Can anyone help?
>>
>>   * r1785737, r1785738, r1785734, r1786447, r1785754, r1786445, r1786446,
>>     r1786515, r1794611, r1800387
>>     Make FSFS consistency no longer depend on hash algorithms.
>>     Justification:
>>       This eliminates any existing or future FSFS vulnerability due to
>>       attacks on MD5 or SHA1.
>>     Branch:
>>       ^/subversion/branches/1.8.x-strict-rep-sharing
>>     Notes:
>>       Depends on r1759116 for correctness with older APR.
>>       While the backport code is very close to the /trunk changes, it is
>>       easier to review them as r1787637, r1787638 and r1787652 on the branch.
>>       [Will create a text conflict with the r1785053 backport.  Depending on
>>       which change gets merged first, the respective other must be updated.]
>>       r1800387 did the above merge and resolved the text conflicts.
>>     Votes:
>>       +1: stefan2, stsp
>>       -1: rhuijben (Until some additional fix like on 1.9 is applied. After
>>           that +1 on the current changes)
>
> Note that stefan2's and rhuijben's votes should be marked "(without r1800387)".

I updated my vote.

-- Stefan^2.
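The STATUS entry quoted above backports a change so that FSFS consistency no longer depends on the collision resistance of MD5 or SHA-1. The toy model below is an added illustration and is not Subversion's FSFS code. FSFS's rep-cache keys stored representations by a content hash so that identical content is stored once; a deduplicating store that takes a hash match alone as proof of identical content will silently hand back one file's bytes for another's as soon as an attacker can commit two colliding representations. The strict variant compares the stored bytes before sharing, which is my reading of what the "strict rep-sharing" branch name refers to, stated here as an assumption. `weak_hash` is an 8-bit stand-in so a collision can be found by brute force inside the example; `find_collision` and the candidate contents are constructed for the demo.

```python
import hashlib
from typing import Callable, Dict, Tuple

HashFn = Callable[[bytes], bytes]


def weak_hash(content: bytes) -> bytes:
    """Stand-in for a broken hash: the first byte of SHA-1.  Collisions are
    trivial, which lets the demo show what a real collision would do."""
    return hashlib.sha1(content).digest()[:1]


class RepCache:
    """Toy rep-sharing store.  Identical content should be stored only once.
    strict=False: a hash match alone is taken as proof of identical content.
    strict=True : the stored bytes are compared before the rep is shared."""

    def __init__(self, hash_fn: HashFn, strict: bool) -> None:
        self.hash_fn = hash_fn
        self.strict = strict
        self.reps: Dict[int, bytes] = {}        # rep id -> stored bytes
        self.by_digest: Dict[bytes, int] = {}   # digest -> rep id
        self.shared = 0                         # how many stores were deduplicated

    def store(self, content: bytes) -> Tuple[int, bool]:
        """Store content; return (rep_id, was_shared)."""
        digest = self.hash_fn(content)
        rep_id = self.by_digest.get(digest)
        if rep_id is not None:
            if not self.strict or self.reps[rep_id] == content:
                self.shared += 1
                return rep_id, True
            # strict: digest collided but the bytes differ, so keep a new rep
        rep_id = len(self.reps)
        self.reps[rep_id] = content
        self.by_digest.setdefault(digest, rep_id)   # first writer keeps the cache slot
        return rep_id, False

    def read(self, rep_id: int) -> bytes:
        return self.reps[rep_id]


def find_collision(hash_fn: HashFn, limit: int = 100000) -> Tuple[bytes, bytes]:
    """Brute-force two distinct inputs with the same digest (cheap for weak_hash;
    this stands in for the offline collision attack the STATUS entry worries about)."""
    seen: Dict[bytes, bytes] = {}
    for i in range(limit):
        candidate = b"file-contents-%d\n" % i
        d = hash_fn(candidate)
        if d in seen:
            return seen[d], candidate
        seen[d] = candidate
    raise RuntimeError("no collision found within limit")


def demo() -> Dict[str, bytes]:
    """Commit a, then its colliding sibling b, into both caches and read b back."""
    a, b = find_collision(weak_hash)
    lax = RepCache(weak_hash, strict=False)
    strict = RepCache(weak_hash, strict=True)
    lax.store(a)
    strict.store(a)
    lax_id, _ = lax.store(b)
    strict_id, _ = strict.store(b)
    return {"b": b, "lax_read": lax.read(lax_id), "strict_read": strict.read(strict_id)}
```

With a real SHA-1 the comparison costs a read of the existing representation only on a hash match, so ordinary deduplication is unaffected; what changes is that repository integrity no longer rests on nobody being able to produce a collision.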