[RESULT][VOTE] Apache Thrift 0.20.0-rc0 release candidate

2024-02-11 Thread Jens Geyer

Hi all,

We have one +1 and one -1 vote.

The vote for the Apache Thrift 0.20.0 release candidate 0 is NOT successful.

Thank you to all who helped test and verify.

Voting Thread:
https://lists.apache.org/thread/gt1xhdlqqh3r51q1olp6tksvks746oh5

Summary:
+1: Jens Geyer
-1: Yuxuan Wang

Have fun,
JensG



On 04.02.2024 at 15:54, Jens Geyer wrote:

All,

I propose that we accept the following release candidate as the official 
Apache Thrift 0.20.0 release:


https://dist.apache.org/repos/dist/dev/thrift/0.20.0-rc0/thrift-0.20.0.tar.gz

The release candidate was created from the release/0.20.0 branch and can 
be cloned using:


git clone -b release/0.20.0 https://github.com/apache/thrift.git

The release candidate's GPG signature can be found at:
https://dist.apache.org/repos/dist/dev/thrift/0.20.0-rc0/thrift-0.20.0.tar.gz.asc

The release candidate's checksums are:
md5: 4f18ac2105791269e6f877da0090248d
sha1: f5fcd41700680d7d6a755aba7a34a482ea21a455
sha256: fca0ae48a127659eaa5ee1c642c08d96dc4f6667a8514702c29f79bb4c8488f3



A prebuilt statically-linked Windows compiler is available at:
https://dist.apache.org/repos/dist/dev/thrift/0.20.0-rc0/thrift-0.20.0.exe

Prebuilt statically-linked Windows compiler GPG signature:
https://dist.apache.org/repos/dist/dev/thrift/0.20.0-rc0/thrift-0.20.0.exe.asc

Prebuilt statically-linked Windows compiler checksums are:
md5: 9e2dc5749602803ebbb9cb68f90ac8ef
sha1: 194bf921d0de78ffa5de47b18ddd00a9a8bffb03
sha256: 79ba296e83bc348ab09419d601f027e3219c2d61f32da97f26d3b684b69dd2fe


The CHANGES list for this release is available at:
https://github.com/apache/thrift/blob/0.20.0/CHANGES.md


Please download, verify sig/sum, install and test the libraries and 
languages of your choice.



I start this voting thread with my own +1 vote.


This vote will close in 129 hours on 2024-02-10 00:00 UTC
https://www.timeanddate.com/countdown/generic?iso=20240210T=1440

[ ] +1 Release this as Apache Thrift 0.20.0
[ ] +0
[ ] -1 Do not release this as Apache Thrift 0.20.0 because...

Have fun,
JensG






[jira] [Comment Edited] (THRIFT-5688) Publish python package to pypi for recent releases

2024-02-11 Thread Jens Geyer (Jira)


[ 
https://issues.apache.org/jira/browse/THRIFT-5688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17816396#comment-17816396
 ] 

Jens Geyer edited comment on THRIFT-5688 at 2/11/24 11:55 AM:
--

> thrift-test 0.21.0

To prevent conflicts I want to emphasize this

[https://www.apache.org/legal/release-policy.html#policy] 


was (Author: jensg):
> thrift-test 0.21.0

Top prevent conflicts I want to emphasize this

[https://www.apache.org/legal/release-policy.html#policy] 

> Publish python package to pypi for recent releases
> --
>
> Key: THRIFT-5688
> URL: https://issues.apache.org/jira/browse/THRIFT-5688
> Project: Thrift
> Issue Type: Bug
> Components: Python - Library
> Affects Versions: 0.17.0, 0.18.0, 0.18.1
> Reporter: Yuxuan Wang
> Assignee: Yuxuan Wang
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently the latest version published to pypi is 0.16.0: 
> https://pypi.org/project/thrift/#history
> We probably should update the release runbook regarding this step, and also 
> publish 0.17.0, 0.18.0 and 0.18.1 to pypi.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (THRIFT-5688) Publish python package to pypi for recent releases

2024-02-11 Thread Jens Geyer (Jira)


[ 
https://issues.apache.org/jira/browse/THRIFT-5688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17816396#comment-17816396
 ] 

Jens Geyer commented on THRIFT-5688:


> thrift-test 0.21.0

To prevent conflicts I want to emphasize this

[https://www.apache.org/legal/release-policy.html#policy] 

> Publish python package to pypi for recent releases
> --
>
> Key: THRIFT-5688
> URL: https://issues.apache.org/jira/browse/THRIFT-5688
> Project: Thrift
> Issue Type: Bug
> Components: Python - Library
> Affects Versions: 0.17.0, 0.18.0, 0.18.1
> Reporter: Yuxuan Wang
> Assignee: Yuxuan Wang
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently the latest version published to pypi is 0.16.0: 
> https://pypi.org/project/thrift/#history
> We probably should update the release runbook regarding this step, and also 
> publish 0.17.0, 0.18.0 and 0.18.1 to pypi.





Re: PyPi again

2024-02-11 Thread Jens Geyer

Hi,

Did that last week or so.

Have fun,

JensG



On 06.02.2024 at 23:28, Yuxuan Wang wrote:

Hi Jens, can you also add me to the test pypi project:
https://test.pypi.org/project/thrift/? My username is
https://test.pypi.org/user/fishy/

With how pypi works, I will need to test it on test pypi first before doing
it for the real pypi.

On Fri, Jan 19, 2024 at 2:21 PM Jens Geyer wrote:


Hi,

  > The image is:

I see. Not sure if I can do this, since I have no access to project
settings. Maybe INFRA can.

Have fun,

JensG



On 18.01.2024 at 23:58, Yuxuan Wang wrote:

My pypi account is fishy:

https://pypi.org/user/fishy/

The image is:

https://imgur.com/a/vkehdiF

On Thu, Jan 18, 2024 at 2:49 PM Jens Geyer wrote:

Hi,


I can't see the picture and I don't have your pypi username. I tried the
email but that did not work.


Have fun,

jensG


On 17.01.2024 at 02:11, Yuxuan Wang wrote:

I just logged into my pypi account (I was there to register an
account, and it turns out I already have one, which I have no memory
of, and I do not have any projects published there), it seems that
they actually have an automated way to create the github actions for
you automatically:

https://docs.pypi.org/trusted-publishers/

But I would assume that might require that I have admin access to the
github repo (not sure yet, as I don't have any other project to test),
so if you are fine with that (e.g. add me to the PyPi maintainer list,
I try to use that approach, if it doesn't work, give me admin access
to the github repo), I'm fine :)

Also, there's a recent pytorch supply chain attack report
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
which will be relevant to us if we choose to use github actions to
auto publish to pypi, then we probably should follow their suggested
mitigation
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
which is to change to "Require approval for all outside collaborators":
image.png
(changing this setting on github also requires admin access, the
screenshot is taken from a repo I have admin access on)

On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer wrote:

  I can probably add you to the PyPi maintainer list. Would that help?


  On 12.01.2024 at 23:19, Yuxuan Wang wrote:
  > IMHO there are two issues with the pypi publishing problem: technical and
  > non-technical.
  >
  > The non-technical issue is the credential/secret required to publish to
  > https://pypi.org/project/thrift/. Any of the technical solution also
  > depends on that being available.
  >
  > Once we have it (in github actions secret store, for example), then
  > technical solution is not the hard part. As I mentioned in the jira thread
  > Reddit already has a github action pipeline to publish to pypi on git tag
  > we can upstream to thrift project to be used (so whenever a maintainer
  > pushes a tag to github, github actions auto publishes to pypi). Or others
  > can contribute other solutions.
  >
  > On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer wrote:
  >
  >> @all,
  >>
  >> I just want to bring up that topic again. There is a rather frequent
  >> stream of (absolutely legitimate) questions regarding the PyPi packages
  >> not being published.
  >>
  >> So it seems fair to say that there is obviously a certain demand within
  >> the community, which is super great. Now on the other hand we have no
  >> noteworthy reactions from that very same community to help with that