[RESULT][VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
Hello Incubator PMC and Community, The vote to release Apache Answer(Incubating) v1.2.1-RC1 has passed with 5 +1 binding and 1 +1 non-binding votes, no +0 or -1 votes. 5 (+1 binding) Justin McLean Christofer Dutz tison Willem Jiang Ayush Saxena 1 (+1 non-binding) Xuanwo no further 0 or -1 votes. The vote thread: https://lists.apache.org/thread/trv31711tdwh55mgdyf64n9lz7kjkloj Thanks for reviewing and voting for our release candidate. We will proceed with publishing the approved artifacts and sending out the announcement soon. Thanks, LinkinStar
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
+1 (Binding) * Verified Checksums * Verified Signatures * LICENSE/NOTICE exists * Disclaimer file exists. * Validated no diff b/w the git tag & src tar contents. * Download links are valid. * Has Incubating in name * No unexpected binaries * Validated files have ASF header Thanx for driving the release. Good Luck!!! -Ayush On Sat, 6 Jan 2024 at 12:52, Willem Jiang wrote: > > +1 binding > > Here is what I checked: > [x] Download links are valid. > [x] Checksums and signatures. > [x] LICENSE/NOTICE files exist > [x] DISCLAIMER files exist > [x] Artifacts has the Incubating in the name > [x] No unexpected binary files > > > Willem Jiang > > Twitter: willemjiang > Weibo: 姜宁willem > > > On Mon, Dec 25, 2023 at 10:55 AM LinkinStar wrote: > > > > Hello, > > > > This is a call for vote to release Apache Answer(Incubating) version > > v1.2.1-RC1. > > > > There was an issue with the previous signature, so I re-signed the > > release files. The previous vote was > > https://lists.apache.org/thread/mrflkg9j1sv4c3obsbmw9by26sf54vvp. > > > > The vote thread: > > https://lists.apache.org/thread/nlvtcsc8dxowqjy3vdd1d7cvm0pk0w0o > > > > Vote Result: > > https://lists.apache.org/thread/327wbzwr61kyjnkv35v1ppvnzh103myo > > > > The release candidates: > > > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > > > Release notes: > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > Git tag for the release: > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > Git commit id for the release: > > > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > > > Keys to verify the Release Candidate: > > The artifacts signed with PGP key [C34934CC], corresponding to [ > > linkins...@apache.org], that can be found in keys file: > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > > > The vote will be open for at least 72 hours or until the necessary > > number of votes are reached. > > > > Please vote accordingly: > > > > [ ] +1 approve > > [ ] +0 no opinion > > [ ] -1 disapprove with the reason > > > > Checklist for reference: > > > > [ ] Download links are valid. > > [ ] Checksums and PGP signatures are valid. > > [ ] Source code distributions have correct names matching the current > > release. > > [ ] LICENSE and NOTICE files are correct for each Answer repo. > > [ ] All files have license headers if necessary. > > [ ] No unlicensed compiled archives bundled in source archive. > > > > To compile from the source, please refer to: > > > > https://github.com/apache/incubator-answer#building-from-source > > > > Thanks, > > LinkinStar > > - > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
+1 binding Here is what I checked: [x] Download links are valid. [x] Checksums and signatures. [x] LICENSE/NOTICE files exist [x] DISCLAIMER files exist [x] Artifacts has the Incubating in the name [x] No unexpected binary files Willem Jiang Twitter: willemjiang Weibo: 姜宁willem On Mon, Dec 25, 2023 at 10:55 AM LinkinStar wrote: > > Hello, > > This is a call for vote to release Apache Answer(Incubating) version > v1.2.1-RC1. > > There was an issue with the previous signature, so I re-signed the > release files. The previous vote was > https://lists.apache.org/thread/mrflkg9j1sv4c3obsbmw9by26sf54vvp. > > The vote thread: > https://lists.apache.org/thread/nlvtcsc8dxowqjy3vdd1d7cvm0pk0w0o > > Vote Result: > https://lists.apache.org/thread/327wbzwr61kyjnkv35v1ppvnzh103myo > > The release candidates: > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > Release notes: > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > Git tag for the release: > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > Git commit id for the release: > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > Keys to verify the Release Candidate: > The artifacts signed with PGP key [C34934CC], corresponding to [ > linkins...@apache.org], that can be found in keys file: > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > The vote will be open for at least 72 hours or until the necessary > number of votes are reached. > > Please vote accordingly: > > [ ] +1 approve > [ ] +0 no opinion > [ ] -1 disapprove with the reason > > Checklist for reference: > > [ ] Download links are valid. > [ ] Checksums and PGP signatures are valid. > [ ] Source code distributions have correct names matching the current > release. > [ ] LICENSE and NOTICE files are correct for each Answer repo. > [ ] All files have license headers if necessary. > [ ] No unlicensed compiled archives bundled in source archive. > > To compile from the source, please refer to: > > https://github.com/apache/incubator-answer#building-from-source > > Thanks, > LinkinStar - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
+1 binding + Download links valid + Checksum and signature matched + LICENSE and NOTICE present + DISCLAIMER present + Can compile from source Best, tison. Christofer Dutz 于2024年1月5日周五 23:39写道: > > Oh sorry for the late reply … I must have missed these … sorry, > > But I agree with Wilfried … for me these files are just as in other projects > a maven pom. > A manual decision of the project to what goes in the project. Therefore would > I also think a header is appropriate. In PLC4Go we have it exactly that way: > the go.mod has a header and the go.sum doesn’t (It’s actually not even > checked in … I think) > > Chris > > > Von: tison > Datum: Mittwoch, 3. Januar 2024 um 10:33 > An: general@incubator.apache.org > Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) > > I would agree with adding a header. > > Yep it's easily to add one, like what Fury did [1]. > > > It is maintained mostly by hand > > ... while I generally just run `go mod tidy` and `go get` to let it > generate the necessary go.mod. > > Best, > tison. > > [1] https://github.com/apache/incubator-fury/blob/main/go/fury/go.mod > > Wilfred Spiegelenburg 于2024年1月3日周三 17:29写道: > > > > On 2024/01/03 08:24:10 tison wrote: > > > > go.mod could have an apache header > > > > > > go.mod doesn't seems something creative but a bookkeeping index. I > > > wonder if we should add license header for such files. > > > > go.mod is part of the project and lists the import and versions. It is > > maintained mostly by hand, partially via tools (layout and indirect ref > > etc), I would agree with adding a header. > > go.sum on the other hand is maintained by tools only based on the go.mod > > content. No header in that file as it causes issues, > > > > Wilfred > > > > > > > > Best, > > > tison. > > > > > > Christofer Dutz 于2024年1月3日周三 16:19写道: > > > > > > > > +1 (binding) > > > > > > > > However, I did find, that it seems to be impossible to build from > > > > sources, if the sources are unpacked from the src-archive instead of > > > > checked out. This should be addressed in future releases. > > > > > > > > Chris > > > > > > > > [OK] Download all staged artifacts under the url specified in the > > > > release vote email. > > > > [OK] Verify the signature is correct. > > > > [OK] Check if the signature references an Apache email address. > > > > [OK] Verify the SHA512 hashes. > > > > [OK] Unzip the archive. > > > > [OK] Verify the artifacts have “apache” and “incubating” in their names > > > > [OK] Verify the existence of LICENSE, NOTICE, README, DISCLAIMER files > > > > in the extracted source bundle. > > > > [OK] Verify the content of LICENSE, NOTICE, README, DISCLAIMER files in > > > > the extracted source bundle. > > > > > > > > * Using non-WIP disclaimer, doing the thorough checks. > > > > * NOTICE contains 2023, but as the RC was created 2023, no issue > > > > [OK] Run RAT externally to ensure there are no surprises. > > > > > > > > * go.mod could have an apache header > > > > * docs/img/logo.svg could have an apache header > > > > * ui/src/assets/images/default-avatar.svg could have an apache > > > > header > > > > [OK] Search for SNAPSHOT references > > > > [OK] Search for Copyright references, and if they are in headers, make > > > > sure these files containing them are mentioned in the LICENSE file. > > > > [MINOR] Build the project according to the information in the README.md > > > > file. > > > > > > > > * Readme could use an addition to add mockgen to the prerequisites > > > > * When building the second part “make build” I’m getting a fatal > > > > error: > > > > * “fatal: not a git repository (or any of the parent > > > > directories): .git” > > > > > > > > > > > > Von: Justin Mclean > > > > Datum: Mittwoch, 27. Dezember 2023 um 06:26 > > > > An: incubator general apache > > > > Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 > > > > (Round2) > > > > Hi, > > > > > > > > +1 (binding) > > > > > > > > In the source release, I checked: > > > > - incubating in artifacts name > >
AW: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
Oh sorry for the late reply … I must have missed these … sorry, But I agree with Wilfried … for me these files are just as in other projects a maven pom. A manual decision of the project to what goes in the project. Therefore would I also think a header is appropriate. In PLC4Go we have it exactly that way: the go.mod has a header and the go.sum doesn’t (It’s actually not even checked in … I think) Chris Von: tison Datum: Mittwoch, 3. Januar 2024 um 10:33 An: general@incubator.apache.org Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) > I would agree with adding a header. Yep it's easily to add one, like what Fury did [1]. > It is maintained mostly by hand ... while I generally just run `go mod tidy` and `go get` to let it generate the necessary go.mod. Best, tison. [1] https://github.com/apache/incubator-fury/blob/main/go/fury/go.mod Wilfred Spiegelenburg 于2024年1月3日周三 17:29写道: > > On 2024/01/03 08:24:10 tison wrote: > > > go.mod could have an apache header > > > > go.mod doesn't seems something creative but a bookkeeping index. I > > wonder if we should add license header for such files. > > go.mod is part of the project and lists the import and versions. It is > maintained mostly by hand, partially via tools (layout and indirect ref etc), > I would agree with adding a header. > go.sum on the other hand is maintained by tools only based on the go.mod > content. No header in that file as it causes issues, > > Wilfred > > > > > Best, > > tison. > > > > Christofer Dutz 于2024年1月3日周三 16:19写道: > > > > > > +1 (binding) > > > > > > However, I did find, that it seems to be impossible to build from > > > sources, if the sources are unpacked from the src-archive instead of > > > checked out. This should be addressed in future releases. > > > > > > Chris > > > > > > [OK] Download all staged artifacts under the url specified in the release > > > vote email. > > > [OK] Verify the signature is correct. > > > [OK] Check if the signature references an Apache email address. > > > [OK] Verify the SHA512 hashes. > > > [OK] Unzip the archive. > > > [OK] Verify the artifacts have “apache” and “incubating” in their names > > > [OK] Verify the existence of LICENSE, NOTICE, README, DISCLAIMER files in > > > the extracted source bundle. > > > [OK] Verify the content of LICENSE, NOTICE, README, DISCLAIMER files in > > > the extracted source bundle. > > > > > > * Using non-WIP disclaimer, doing the thorough checks. > > > * NOTICE contains 2023, but as the RC was created 2023, no issue > > > [OK] Run RAT externally to ensure there are no surprises. > > > > > > * go.mod could have an apache header > > > * docs/img/logo.svg could have an apache header > > > * ui/src/assets/images/default-avatar.svg could have an apache header > > > [OK] Search for SNAPSHOT references > > > [OK] Search for Copyright references, and if they are in headers, make > > > sure these files containing them are mentioned in the LICENSE file. > > > [MINOR] Build the project according to the information in the README.md > > > file. > > > > > > * Readme could use an addition to add mockgen to the prerequisites > > > * When building the second part “make build” I’m getting a fatal > > > error: > > > * “fatal: not a git repository (or any of the parent directories): > > > .git” > > > > > > > > > Von: Justin Mclean > > > Datum: Mittwoch, 27. Dezember 2023 um 06:26 > > > An: incubator general apache > > > Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) > > > Hi, > > > > > > +1 (binding) > > > > > > In the source release, I checked: > > > - incubating in artifacts name > > > - signatures and hashes are correct > > > - LICENSE and NOTICE are fine > > > - DISCLAIMER exists > > > - all files have ASF headers > > > - no unexpected binary files > > > - my system isn't setup to compile it > > > > > > In the REDME.md it suggests that people run the latest non-released > > > version; please don't do this. [1] > > > > > > Kind Regards, > > > Justin > > > > > > 1. https://www.apache.org/legal/release-policy.html#what > > > > - > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > For additional commands, e-mail: general-h...@incubator.apache.org > > > > > > - > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
> I would agree with adding a header. Yep it's easily to add one, like what Fury did [1]. > It is maintained mostly by hand ... while I generally just run `go mod tidy` and `go get` to let it generate the necessary go.mod. Best, tison. [1] https://github.com/apache/incubator-fury/blob/main/go/fury/go.mod Wilfred Spiegelenburg 于2024年1月3日周三 17:29写道: > > On 2024/01/03 08:24:10 tison wrote: > > > go.mod could have an apache header > > > > go.mod doesn't seems something creative but a bookkeeping index. I > > wonder if we should add license header for such files. > > go.mod is part of the project and lists the import and versions. It is > maintained mostly by hand, partially via tools (layout and indirect ref etc), > I would agree with adding a header. > go.sum on the other hand is maintained by tools only based on the go.mod > content. No header in that file as it causes issues, > > Wilfred > > > > > Best, > > tison. > > > > Christofer Dutz 于2024年1月3日周三 16:19写道: > > > > > > +1 (binding) > > > > > > However, I did find, that it seems to be impossible to build from > > > sources, if the sources are unpacked from the src-archive instead of > > > checked out. This should be addressed in future releases. > > > > > > Chris > > > > > > [OK] Download all staged artifacts under the url specified in the release > > > vote email. > > > [OK] Verify the signature is correct. > > > [OK] Check if the signature references an Apache email address. > > > [OK] Verify the SHA512 hashes. > > > [OK] Unzip the archive. > > > [OK] Verify the artifacts have “apache” and “incubating” in their names > > > [OK] Verify the existence of LICENSE, NOTICE, README, DISCLAIMER files in > > > the extracted source bundle. > > > [OK] Verify the content of LICENSE, NOTICE, README, DISCLAIMER files in > > > the extracted source bundle. > > > > > > * Using non-WIP disclaimer, doing the thorough checks. > > > * NOTICE contains 2023, but as the RC was created 2023, no issue > > > [OK] Run RAT externally to ensure there are no surprises. > > > > > > * go.mod could have an apache header > > > * docs/img/logo.svg could have an apache header > > > * ui/src/assets/images/default-avatar.svg could have an apache header > > > [OK] Search for SNAPSHOT references > > > [OK] Search for Copyright references, and if they are in headers, make > > > sure these files containing them are mentioned in the LICENSE file. > > > [MINOR] Build the project according to the information in the README.md > > > file. > > > > > > * Readme could use an addition to add mockgen to the prerequisites > > > * When building the second part “make build” I’m getting a fatal > > > error: > > > * “fatal: not a git repository (or any of the parent directories): > > > .git” > > > > > > > > > Von: Justin Mclean > > > Datum: Mittwoch, 27. Dezember 2023 um 06:26 > > > An: incubator general apache > > > Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) > > > Hi, > > > > > > +1 (binding) > > > > > > In the source release, I checked: > > > - incubating in artifacts name > > > - signatures and hashes are correct > > > - LICENSE and NOTICE are fine > > > - DISCLAIMER exists > > > - all files have ASF headers > > > - no unexpected binary files > > > - my system isn't setup to compile it > > > > > > In the REDME.md it suggests that people run the latest non-released > > > version; please don't do this. [1] > > > > > > Kind Regards, > > > Justin > > > > > > 1. https://www.apache.org/legal/release-policy.html#what > > > > - > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > For additional commands, e-mail: general-h...@incubator.apache.org > > > > > > - > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
On 2024/01/03 08:24:10 tison wrote: > > go.mod could have an apache header > > go.mod doesn't seems something creative but a bookkeeping index. I > wonder if we should add license header for such files. go.mod is part of the project and lists the import and versions. It is maintained mostly by hand, partially via tools (layout and indirect ref etc), I would agree with adding a header. go.sum on the other hand is maintained by tools only based on the go.mod content. No header in that file as it causes issues, Wilfred > > Best, > tison. > > Christofer Dutz 于2024年1月3日周三 16:19写道: > > > > +1 (binding) > > > > However, I did find, that it seems to be impossible to build from sources, > > if the sources are unpacked from the src-archive instead of checked out. > > This should be addressed in future releases. > > > > Chris > > > > [OK] Download all staged artifacts under the url specified in the release > > vote email. > > [OK] Verify the signature is correct. > > [OK] Check if the signature references an Apache email address. > > [OK] Verify the SHA512 hashes. > > [OK] Unzip the archive. > > [OK] Verify the artifacts have “apache” and “incubating” in their names > > [OK] Verify the existence of LICENSE, NOTICE, README, DISCLAIMER files in > > the extracted source bundle. > > [OK] Verify the content of LICENSE, NOTICE, README, DISCLAIMER files in the > > extracted source bundle. > > > > * Using non-WIP disclaimer, doing the thorough checks. > > * NOTICE contains 2023, but as the RC was created 2023, no issue > > [OK] Run RAT externally to ensure there are no surprises. > > > > * go.mod could have an apache header > > * docs/img/logo.svg could have an apache header > > * ui/src/assets/images/default-avatar.svg could have an apache header > > [OK] Search for SNAPSHOT references > > [OK] Search for Copyright references, and if they are in headers, make sure > > these files containing them are mentioned in the LICENSE file. > > [MINOR] Build the project according to the information in the README.md > > file. > > > > * Readme could use an addition to add mockgen to the prerequisites > > * When building the second part “make build” I’m getting a fatal error: > > * “fatal: not a git repository (or any of the parent directories): > > .git” > > > > > > Von: Justin Mclean > > Datum: Mittwoch, 27. Dezember 2023 um 06:26 > > An: incubator general apache > > Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) > > Hi, > > > > +1 (binding) > > > > In the source release, I checked: > > - incubating in artifacts name > > - signatures and hashes are correct > > - LICENSE and NOTICE are fine > > - DISCLAIMER exists > > - all files have ASF headers > > - no unexpected binary files > > - my system isn't setup to compile it > > > > In the REDME.md it suggests that people run the latest non-released > > version; please don't do this. [1] > > > > Kind Regards, > > Justin > > > > 1. https://www.apache.org/legal/release-policy.html#what > > - > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > > - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
Hi Christofer, Thank you very much for your suggestions. As you said, we'll improve the build instructions in future releases. I have the same question as tison, does the go.mod need to add an ASF header. I looked at other Apache projects that use golang and found that other repositories have not been added either. [1] Best regards, LinkinStar 1. https://github.com/apache/dubbo-go/blob/main/go.mod On Wed, Jan 3, 2024 at 4:19 PM Christofer Dutz wrote: > +1 (binding) > > However, I did find, that it seems to be impossible to build from sources, > if the sources are unpacked from the src-archive instead of checked out. > This should be addressed in future releases. > > Chris > > [OK] Download all staged artifacts under the url specified in the release > vote email. > [OK] Verify the signature is correct. > [OK] Check if the signature references an Apache email address. > [OK] Verify the SHA512 hashes. > [OK] Unzip the archive. > [OK] Verify the artifacts have “apache” and “incubating” in their names > [OK] Verify the existence of LICENSE, NOTICE, README, DISCLAIMER files in > the extracted source bundle. > [OK] Verify the content of LICENSE, NOTICE, README, DISCLAIMER files in > the extracted source bundle. > > * Using non-WIP disclaimer, doing the thorough checks. > * NOTICE contains 2023, but as the RC was created 2023, no issue > [OK] Run RAT externally to ensure there are no surprises. > > * go.mod could have an apache header > * docs/img/logo.svg could have an apache header > * ui/src/assets/images/default-avatar.svg could have an apache header > [OK] Search for SNAPSHOT references > [OK] Search for Copyright references, and if they are in headers, make > sure these files containing them are mentioned in the LICENSE file. > [MINOR] Build the project according to the information in the README.md > file. > > * Readme could use an addition to add mockgen to the prerequisites > * When building the second part “make build” I’m getting a fatal error: > * “fatal: not a git repository (or any of the parent directories): > .git” > > > Von: Justin Mclean > Datum: Mittwoch, 27. Dezember 2023 um 06:26 > An: incubator general apache > Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) > Hi, > > +1 (binding) > > In the source release, I checked: > - incubating in artifacts name > - signatures and hashes are correct > - LICENSE and NOTICE are fine > - DISCLAIMER exists > - all files have ASF headers > - no unexpected binary files > - my system isn't setup to compile it > > In the REDME.md it suggests that people run the latest non-released > version; please don't do this. [1] > > Kind Regards, > Justin > > 1. https://www.apache.org/legal/release-policy.html#what >
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
> go.mod could have an apache header go.mod doesn't seems something creative but a bookkeeping index. I wonder if we should add license header for such files. Best, tison. Christofer Dutz 于2024年1月3日周三 16:19写道: > > +1 (binding) > > However, I did find, that it seems to be impossible to build from sources, if > the sources are unpacked from the src-archive instead of checked out. This > should be addressed in future releases. > > Chris > > [OK] Download all staged artifacts under the url specified in the release > vote email. > [OK] Verify the signature is correct. > [OK] Check if the signature references an Apache email address. > [OK] Verify the SHA512 hashes. > [OK] Unzip the archive. > [OK] Verify the artifacts have “apache” and “incubating” in their names > [OK] Verify the existence of LICENSE, NOTICE, README, DISCLAIMER files in the > extracted source bundle. > [OK] Verify the content of LICENSE, NOTICE, README, DISCLAIMER files in the > extracted source bundle. > > * Using non-WIP disclaimer, doing the thorough checks. > * NOTICE contains 2023, but as the RC was created 2023, no issue > [OK] Run RAT externally to ensure there are no surprises. > > * go.mod could have an apache header > * docs/img/logo.svg could have an apache header > * ui/src/assets/images/default-avatar.svg could have an apache header > [OK] Search for SNAPSHOT references > [OK] Search for Copyright references, and if they are in headers, make sure > these files containing them are mentioned in the LICENSE file. > [MINOR] Build the project according to the information in the README.md file. > > * Readme could use an addition to add mockgen to the prerequisites > * When building the second part “make build” I’m getting a fatal error: > * “fatal: not a git repository (or any of the parent directories): > .git” > > > Von: Justin Mclean > Datum: Mittwoch, 27. Dezember 2023 um 06:26 > An: incubator general apache > Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) > Hi, > > +1 (binding) > > In the source release, I checked: > - incubating in artifacts name > - signatures and hashes are correct > - LICENSE and NOTICE are fine > - DISCLAIMER exists > - all files have ASF headers > - no unexpected binary files > - my system isn't setup to compile it > > In the REDME.md it suggests that people run the latest non-released version; > please don't do this. [1] > > Kind Regards, > Justin > > 1. https://www.apache.org/legal/release-policy.html#what - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
AW: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
+1 (binding) However, I did find, that it seems to be impossible to build from sources, if the sources are unpacked from the src-archive instead of checked out. This should be addressed in future releases. Chris [OK] Download all staged artifacts under the url specified in the release vote email. [OK] Verify the signature is correct. [OK] Check if the signature references an Apache email address. [OK] Verify the SHA512 hashes. [OK] Unzip the archive. [OK] Verify the artifacts have “apache” and “incubating” in their names [OK] Verify the existence of LICENSE, NOTICE, README, DISCLAIMER files in the extracted source bundle. [OK] Verify the content of LICENSE, NOTICE, README, DISCLAIMER files in the extracted source bundle. * Using non-WIP disclaimer, doing the thorough checks. * NOTICE contains 2023, but as the RC was created 2023, no issue [OK] Run RAT externally to ensure there are no surprises. * go.mod could have an apache header * docs/img/logo.svg could have an apache header * ui/src/assets/images/default-avatar.svg could have an apache header [OK] Search for SNAPSHOT references [OK] Search for Copyright references, and if they are in headers, make sure these files containing them are mentioned in the LICENSE file. [MINOR] Build the project according to the information in the README.md file. * Readme could use an addition to add mockgen to the prerequisites * When building the second part “make build” I’m getting a fatal error: * “fatal: not a git repository (or any of the parent directories): .git” Von: Justin Mclean Datum: Mittwoch, 27. Dezember 2023 um 06:26 An: incubator general apache Betreff: Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2) Hi, +1 (binding) In the source release, I checked: - incubating in artifacts name - signatures and hashes are correct - LICENSE and NOTICE are fine - DISCLAIMER exists - all files have ASF headers - no unexpected binary files - my system isn't setup to compile it In the REDME.md it suggests that people run the latest non-released version; please don't do this. [1] Kind Regards, Justin 1. https://www.apache.org/legal/release-policy.html#what
RE: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
+1 non-binding I have checked out-dated KEYS have been removed, and the README.md file has been adjusted to recommend that users run the newest published version.
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
Hi, +1 (binding) In the source release, I checked: - incubating in artifacts name - signatures and hashes are correct - LICENSE and NOTICE are fine - DISCLAIMER exists - all files have ASF headers - no unexpected binary files - my system isn't setup to compile it In the REDME.md it suggests that people run the latest non-released version; please don't do this. [1] Kind Regards, Justin 1. https://www.apache.org/legal/release-policy.html#what
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
Hi, +1 (binding) In the source release, I checked: - incubating in artifacts name - signatures and hashes are correct - LICENSE and NOTICE are fine - DISCLAIMER exists - all files have ASF headers - no unexpected binary files - my system isn't setup to compile it In the REDME.md it suggests that people run the latest non-released version; please don't do this. [1] Kind Regards, Justin 1. https://www.apache.org/legal/release-policy.html#what
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
Hello Xuanwo, Thanks. The out-dated KEYS have been removed. Best regards, LinkinStar On Mon, Dec 25, 2023 at 1:00 PM Xuanwo wrote: > +1 non-binding > > [x] Download links are valid. > [x] Checksums and PGP signatures are valid. > > apache-answer-1.2.1-incubating-src.tar.gz > gpg: Signature made Wed 20 Dec 2023 05:14:06 PM CST > gpg:using RSA key 5684B6E344546A5F3CE9850D380DCBD5C34934CC > gpg: Good signature from "LinkinStar (for apache release create at > 20231220) " [ultimate] > > A small issue: KEYS should be placed in release branch. It's better to > remove the > out-dated KEYS in dev branch: > https://dist.apache.org/repos/dist/dev/incubator/answer/KEYS > > On Mon, Dec 25, 2023, at 10:52, LinkinStar wrote: > > Hello, > > > > This is a call for vote to release Apache Answer(Incubating) version > > v1.2.1-RC1. > > > > There was an issue with the previous signature, so I re-signed the > > release files. The previous vote was > > https://lists.apache.org/thread/mrflkg9j1sv4c3obsbmw9by26sf54vvp. > > > > The vote thread: > > https://lists.apache.org/thread/nlvtcsc8dxowqjy3vdd1d7cvm0pk0w0o > > > > Vote Result: > > https://lists.apache.org/thread/327wbzwr61kyjnkv35v1ppvnzh103myo > > > > The release candidates: > > > > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > > > Release notes: > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > Git tag for the release: > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > Git commit id for the release: > > > > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > > > Keys to verify the Release Candidate: > > The artifacts signed with PGP key [C34934CC], corresponding to [ > > linkins...@apache.org], that can be found in keys file: > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > > > The vote will be open for at least 72 hours or until the necessary > > number of votes are reached. > > > > Please vote accordingly: > > > > [ ] +1 approve > > [ ] +0 no opinion > > [ ] -1 disapprove with the reason > > > > Checklist for reference: > > > > [ ] Download links are valid. > > [ ] Checksums and PGP signatures are valid. > > [ ] Source code distributions have correct names matching the current > > release. > > [ ] LICENSE and NOTICE files are correct for each Answer repo. > > [ ] All files have license headers if necessary. > > [ ] No unlicensed compiled archives bundled in source archive. > > > > To compile from the source, please refer to: > > > > https://github.com/apache/incubator-answer#building-from-source > > > > Thanks, > > LinkinStar > > -- > Xuanwo > > - > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > >
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
+1 non-binding [x] Download links are valid. [x] Checksums and PGP signatures are valid. apache-answer-1.2.1-incubating-src.tar.gz gpg: Signature made Wed 20 Dec 2023 05:14:06 PM CST gpg:using RSA key 5684B6E344546A5F3CE9850D380DCBD5C34934CC gpg: Good signature from "LinkinStar (for apache release create at 20231220) " [ultimate] A small issue: KEYS should be placed in release branch. It's better to remove the out-dated KEYS in dev branch: https://dist.apache.org/repos/dist/dev/incubator/answer/KEYS On Mon, Dec 25, 2023, at 10:52, LinkinStar wrote: > Hello, > > This is a call for vote to release Apache Answer(Incubating) version > v1.2.1-RC1. > > There was an issue with the previous signature, so I re-signed the > release files. The previous vote was > https://lists.apache.org/thread/mrflkg9j1sv4c3obsbmw9by26sf54vvp. > > The vote thread: > https://lists.apache.org/thread/nlvtcsc8dxowqjy3vdd1d7cvm0pk0w0o > > Vote Result: > https://lists.apache.org/thread/327wbzwr61kyjnkv35v1ppvnzh103myo > > The release candidates: > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > Release notes: > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > Git tag for the release: > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > Git commit id for the release: > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > Keys to verify the Release Candidate: > The artifacts signed with PGP key [C34934CC], corresponding to [ > linkins...@apache.org], that can be found in keys file: > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > The vote will be open for at least 72 hours or until the necessary > number of votes are reached. > > Please vote accordingly: > > [ ] +1 approve > [ ] +0 no opinion > [ ] -1 disapprove with the reason > > Checklist for reference: > > [ ] Download links are valid. > [ ] Checksums and PGP signatures are valid. > [ ] Source code distributions have correct names matching the current > release. > [ ] LICENSE and NOTICE files are correct for each Answer repo. > [ ] All files have license headers if necessary. > [ ] No unlicensed compiled archives bundled in source archive. > > To compile from the source, please refer to: > > https://github.com/apache/incubator-answer#building-from-source > > Thanks, > LinkinStar -- Xuanwo - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
[VOTE] Release Apache Answer(Incubating) v1.2.1-RC1 (Round2)
Hello, This is a call for vote to release Apache Answer(Incubating) version v1.2.1-RC1. There was an issue with the previous signature, so I re-signed the release files. The previous vote was https://lists.apache.org/thread/mrflkg9j1sv4c3obsbmw9by26sf54vvp. The vote thread: https://lists.apache.org/thread/nlvtcsc8dxowqjy3vdd1d7cvm0pk0w0o Vote Result: https://lists.apache.org/thread/327wbzwr61kyjnkv35v1ppvnzh103myo The release candidates: https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ Release notes: https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 Git tag for the release: https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 Git commit id for the release: https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef Keys to verify the Release Candidate: The artifacts signed with PGP key [C34934CC], corresponding to [ linkins...@apache.org], that can be found in keys file: https://dist.apache.org/repos/dist/release/incubator/answer/KEYS The vote will be open for at least 72 hours or until the necessary number of votes are reached. Please vote accordingly: [ ] +1 approve [ ] +0 no opinion [ ] -1 disapprove with the reason Checklist for reference: [ ] Download links are valid. [ ] Checksums and PGP signatures are valid. [ ] Source code distributions have correct names matching the current release. [ ] LICENSE and NOTICE files are correct for each Answer repo. [ ] All files have license headers if necessary. [ ] No unlicensed compiled archives bundled in source archive. To compile from the source, please refer to: https://github.com/apache/incubator-answer#building-from-source Thanks, LinkinStar
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Hi Justin, Exactly. The previous key will be revoked. I will re-sign it with the new key and upload it, then start the second round of voting inside dev first. Best regards, LinkinStar On Wed, Dec 20, 2023 at 4:42 PM Justin Mclean wrote: > HI, > > The previous signing key also needs to be revoked as it has been shared. > > Kind Regards, > Justn > > > - > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > >
[CANCEL][VOTE] Release Apache Answer, Incubating, v1.2.1-RC1
Hello, https://lists.apache.org/thread/mrflkg9j1sv4c3obsbmw9by26sf54vvp Thanks for the suggestion from Xuanwo and Sheng Wu. So cancel this vote and we will fix the problem related to signature. Thanks, LinkinStar
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
HI, The previous signing key also needs to be revoked as it has been shared. Kind Regards, Justn - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
> Your suggestion is great, thanks again for your help and Xuanwo. I'm happy to help you. Looking forward to your next VOTE. On Wed, Dec 20, 2023, at 16:35, LinkinStar wrote: > Hello Sheng Wu, > > Your suggestion is great, thanks again for your help and Xuanwo. We're > already in the process of fixing the release process documentation and I > will cancel this vote. > > Best regards, > LinkinStar > > On Wed, Dec 20, 2023 at 4:26 PM Sheng Wu wrote: > >> Glad to help. >> Suggest canceling this vote, and enhancing your release process doc, >> then, start a new one with a correct signature from the release >> manager. >> Notice, don't remove anyone's KEY from KEYS, ever, even it is expired. >> People may need them to verify your legacy releases in the future. >> >> Sheng Wu 吴晟 >> Twitter, wusheng1108 >> >> LinkinStar 于2023年12月20日周三 15:53写道: >> > >> > Hello Sheng Wu, >> > >> > Yes, I misunderstood. I thought KEYS can only contain one public key, no >> > other public keys are allowed to exist at the same time. That's why I was >> > forced to do this signature. It helped me solve a real problem. Thanks a >> > lot. >> > >> > Best regards, >> > LinkinStar >> > >> > On Wed, Dec 20, 2023 at 3:45 PM Sheng Wu >> wrote: >> > >> > > KEYS is a very for all existing public keys. Not for a specific >> > > individual. Are you misunderstanding this? >> > > >> > > Sheng Wu 吴晟 >> > > Twitter, wusheng1108 >> > > >> > > LinkinStar 于2023年12月20日周三 15:31写道: >> > > > >> > > > Hi Xuanwo, >> > > > >> > > > Thank you very much for your suggestions. I'm very sorry, perhaps my >> > > > understanding of the release signature is a little misguided. This is >> > > > because we feel that there can only be one download address for KEYS, >> > > e.g. >> > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If >> > > there >> > > > can only be one public key, then there can only be one private key. >> So we >> > > > previously felt that all published content can always have only one >> > > private >> > > > key to sign. That's why we use this mode. Because we would think >> that if >> > > a >> > > > different person were to sign it, then the public key would change >> and >> > > the >> > > > previous release would not be verified. For example, The A RM signed >> the >> > > > released version 1.0.0. The B RM signed the released version 1.1.0. >> If B >> > > > replaces the public key >> > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, >> then >> > > > version 1.0.0 will fail to verify it if you use the same public key. >> > > > >> > > > Best regards, >> > > > LinkinStar >> > > > >> > > > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo wrote: >> > > > >> > > > > > Regarding the signature issue you mentioned, only release >> manager and >> > > > > joyqi >> > > > > > know the secret GPG keys. This is to ensure that no matter what >> the >> > > > > problem >> > > > > > is, there is someone available to help resolve issues that arise >> in >> > > the >> > > > > > release. >> > > > > >> > > > > I feel like it's better to use different gpg keys that owned by RM >> > > > > themselves. >> > > > > >> > > > > As the community expands, we'll welcome new PPMC members and >> Release >> > > > > Managers (RMs) from outside your company. Regarding security, it's >> > > risky >> > > > > for RMs to share GPG keys. In terms of community independence, the >> > > release >> > > > > process should not be overly reliant on joyqi. Should joyqi be >> > > unavailable >> > > > > or preoccupied, can the release process continue without >> interruption? >> > > > > >> > > > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote: >> > > > > > Hi Xuanwo, >> > > > > > >> > > > > > Firstly, these files in the vaunt folder are reward badges for >> user >> > > > > > contributions. For now, we are using it. >> > > > > > Regarding the signature issue you mentioned, only release >> manager and >> > > > > joyqi >> > > > > > know the secret GPG keys. This is to ensure that no matter what >> the >> > > > > problem >> > > > > > is, there is someone available to help resolve issues that arise >> in >> > > the >> > > > > > release. >> > > > > > >> > > > > > Best regards, >> > > > > > LinkinStar >> > > > > > >> > > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo >> wrote: >> > > > > > >> > > > > >> Hi, >> > > > > >> >> > > > > >> I found those images are included in source tarball: >> > > > > >> >> > > > > >> - .vaunt/bug.png >> > > > > >> - .vaunt/enhancement.png >> > > > > >> >> > > > > >> Are they needed by users? Is it possible to remove them from >> the src >> > > > > >> release? >> > > > > >> >> > > > > >> Regarding PGP signatures, I'm confident that all are valid. But >> I >> > > found >> > > > > >> that those tarball >> > > > > >> are signed by jo...@apache.org which is not the release >> manager. >> > > > > >> >> > > > > >> Are you internally sharing jo...@apache.org's secret GPG keys? >> Or >> > > have >> > > > > >> you signed those >> > > > > >>
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Hello Sheng Wu, Your suggestion is great, thanks again for your help and Xuanwo. We're already in the process of fixing the release process documentation and I will cancel this vote. Best regards, LinkinStar On Wed, Dec 20, 2023 at 4:26 PM Sheng Wu wrote: > Glad to help. > Suggest canceling this vote, and enhancing your release process doc, > then, start a new one with a correct signature from the release > manager. > Notice, don't remove anyone's KEY from KEYS, ever, even it is expired. > People may need them to verify your legacy releases in the future. > > Sheng Wu 吴晟 > Twitter, wusheng1108 > > LinkinStar 于2023年12月20日周三 15:53写道: > > > > Hello Sheng Wu, > > > > Yes, I misunderstood. I thought KEYS can only contain one public key, no > > other public keys are allowed to exist at the same time. That's why I was > > forced to do this signature. It helped me solve a real problem. Thanks a > > lot. > > > > Best regards, > > LinkinStar > > > > On Wed, Dec 20, 2023 at 3:45 PM Sheng Wu > wrote: > > > > > KEYS is a very for all existing public keys. Not for a specific > > > individual. Are you misunderstanding this? > > > > > > Sheng Wu 吴晟 > > > Twitter, wusheng1108 > > > > > > LinkinStar 于2023年12月20日周三 15:31写道: > > > > > > > > Hi Xuanwo, > > > > > > > > Thank you very much for your suggestions. I'm very sorry, perhaps my > > > > understanding of the release signature is a little misguided. This is > > > > because we feel that there can only be one download address for KEYS, > > > e.g. > > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If > > > there > > > > can only be one public key, then there can only be one private key. > So we > > > > previously felt that all published content can always have only one > > > private > > > > key to sign. That's why we use this mode. Because we would think > that if > > > a > > > > different person were to sign it, then the public key would change > and > > > the > > > > previous release would not be verified. For example, The A RM signed > the > > > > released version 1.0.0. The B RM signed the released version 1.1.0. > If B > > > > replaces the public key > > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, > then > > > > version 1.0.0 will fail to verify it if you use the same public key. > > > > > > > > Best regards, > > > > LinkinStar > > > > > > > > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo wrote: > > > > > > > > > > Regarding the signature issue you mentioned, only release > manager and > > > > > joyqi > > > > > > know the secret GPG keys. This is to ensure that no matter what > the > > > > > problem > > > > > > is, there is someone available to help resolve issues that arise > in > > > the > > > > > > release. > > > > > > > > > > I feel like it's better to use different gpg keys that owned by RM > > > > > themselves. > > > > > > > > > > As the community expands, we'll welcome new PPMC members and > Release > > > > > Managers (RMs) from outside your company. Regarding security, it's > > > risky > > > > > for RMs to share GPG keys. In terms of community independence, the > > > release > > > > > process should not be overly reliant on joyqi. Should joyqi be > > > unavailable > > > > > or preoccupied, can the release process continue without > interruption? > > > > > > > > > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote: > > > > > > Hi Xuanwo, > > > > > > > > > > > > Firstly, these files in the vaunt folder are reward badges for > user > > > > > > contributions. For now, we are using it. > > > > > > Regarding the signature issue you mentioned, only release > manager and > > > > > joyqi > > > > > > know the secret GPG keys. This is to ensure that no matter what > the > > > > > problem > > > > > > is, there is someone available to help resolve issues that arise > in > > > the > > > > > > release. > > > > > > > > > > > > Best regards, > > > > > > LinkinStar > > > > > > > > > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo > wrote: > > > > > > > > > > > >> Hi, > > > > > >> > > > > > >> I found those images are included in source tarball: > > > > > >> > > > > > >> - .vaunt/bug.png > > > > > >> - .vaunt/enhancement.png > > > > > >> > > > > > >> Are they needed by users? Is it possible to remove them from > the src > > > > > >> release? > > > > > >> > > > > > >> Regarding PGP signatures, I'm confident that all are valid. But > I > > > found > > > > > >> that those tarball > > > > > >> are signed by jo...@apache.org which is not the release > manager. > > > > > >> > > > > > >> Are you internally sharing jo...@apache.org's secret GPG keys? > Or > > > have > > > > > >> you signed those > > > > > >> tarballs through CI with the key stored as GitHub secrets? > > > > > >> > > > > > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > > > > > >> > Hello, > > > > > >> > > > > > > >> > This is a call for vote to release Apache > Answer(Incubating) > > > > > version > > > > > >> > v1.2.1-RC1. > > > > > >> > > > > > > >> > The
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Glad to help. Suggest canceling this vote, and enhancing your release process doc, then, start a new one with a correct signature from the release manager. Notice, don't remove anyone's KEY from KEYS, ever, even it is expired. People may need them to verify your legacy releases in the future. Sheng Wu 吴晟 Twitter, wusheng1108 LinkinStar 于2023年12月20日周三 15:53写道: > > Hello Sheng Wu, > > Yes, I misunderstood. I thought KEYS can only contain one public key, no > other public keys are allowed to exist at the same time. That's why I was > forced to do this signature. It helped me solve a real problem. Thanks a > lot. > > Best regards, > LinkinStar > > On Wed, Dec 20, 2023 at 3:45 PM Sheng Wu wrote: > > > KEYS is a very for all existing public keys. Not for a specific > > individual. Are you misunderstanding this? > > > > Sheng Wu 吴晟 > > Twitter, wusheng1108 > > > > LinkinStar 于2023年12月20日周三 15:31写道: > > > > > > Hi Xuanwo, > > > > > > Thank you very much for your suggestions. I'm very sorry, perhaps my > > > understanding of the release signature is a little misguided. This is > > > because we feel that there can only be one download address for KEYS, > > e.g. > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If > > there > > > can only be one public key, then there can only be one private key. So we > > > previously felt that all published content can always have only one > > private > > > key to sign. That's why we use this mode. Because we would think that if > > a > > > different person were to sign it, then the public key would change and > > the > > > previous release would not be verified. For example, The A RM signed the > > > released version 1.0.0. The B RM signed the released version 1.1.0. If B > > > replaces the public key > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then > > > version 1.0.0 will fail to verify it if you use the same public key. > > > > > > Best regards, > > > LinkinStar > > > > > > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo wrote: > > > > > > > > Regarding the signature issue you mentioned, only release manager and > > > > joyqi > > > > > know the secret GPG keys. This is to ensure that no matter what the > > > > problem > > > > > is, there is someone available to help resolve issues that arise in > > the > > > > > release. > > > > > > > > I feel like it's better to use different gpg keys that owned by RM > > > > themselves. > > > > > > > > As the community expands, we'll welcome new PPMC members and Release > > > > Managers (RMs) from outside your company. Regarding security, it's > > risky > > > > for RMs to share GPG keys. In terms of community independence, the > > release > > > > process should not be overly reliant on joyqi. Should joyqi be > > unavailable > > > > or preoccupied, can the release process continue without interruption? > > > > > > > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote: > > > > > Hi Xuanwo, > > > > > > > > > > Firstly, these files in the vaunt folder are reward badges for user > > > > > contributions. For now, we are using it. > > > > > Regarding the signature issue you mentioned, only release manager and > > > > joyqi > > > > > know the secret GPG keys. This is to ensure that no matter what the > > > > problem > > > > > is, there is someone available to help resolve issues that arise in > > the > > > > > release. > > > > > > > > > > Best regards, > > > > > LinkinStar > > > > > > > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo wrote: > > > > > > > > > >> Hi, > > > > >> > > > > >> I found those images are included in source tarball: > > > > >> > > > > >> - .vaunt/bug.png > > > > >> - .vaunt/enhancement.png > > > > >> > > > > >> Are they needed by users? Is it possible to remove them from the src > > > > >> release? > > > > >> > > > > >> Regarding PGP signatures, I'm confident that all are valid. But I > > found > > > > >> that those tarball > > > > >> are signed by jo...@apache.org which is not the release manager. > > > > >> > > > > >> Are you internally sharing jo...@apache.org's secret GPG keys? Or > > have > > > > >> you signed those > > > > >> tarballs through CI with the key stored as GitHub secrets? > > > > >> > > > > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > > > > >> > Hello, > > > > >> > > > > > >> > This is a call for vote to release Apache Answer(Incubating) > > > > version > > > > >> > v1.2.1-RC1. > > > > >> > > > > > >> > The vote thread: > > > > >> > > > > > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 > > > > >> > > > > > >> > Vote Result: > > > > >> > > > > > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj > > > > >> > > > > > >> > The release candidates: > > > > >> > > > > > >> > > > > > >> > > > > > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > > > >> > > > > > >> > Release notes: > > > > >> > > > > > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > >
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Hello Sheng Wu, Yes, I misunderstood. I thought KEYS can only contain one public key, no other public keys are allowed to exist at the same time. That's why I was forced to do this signature. It helped me solve a real problem. Thanks a lot. Best regards, LinkinStar On Wed, Dec 20, 2023 at 3:45 PM Sheng Wu wrote: > KEYS is a very for all existing public keys. Not for a specific > individual. Are you misunderstanding this? > > Sheng Wu 吴晟 > Twitter, wusheng1108 > > LinkinStar 于2023年12月20日周三 15:31写道: > > > > Hi Xuanwo, > > > > Thank you very much for your suggestions. I'm very sorry, perhaps my > > understanding of the release signature is a little misguided. This is > > because we feel that there can only be one download address for KEYS, > e.g. > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If > there > > can only be one public key, then there can only be one private key. So we > > previously felt that all published content can always have only one > private > > key to sign. That's why we use this mode. Because we would think that if > a > > different person were to sign it, then the public key would change and > the > > previous release would not be verified. For example, The A RM signed the > > released version 1.0.0. The B RM signed the released version 1.1.0. If B > > replaces the public key > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then > > version 1.0.0 will fail to verify it if you use the same public key. > > > > Best regards, > > LinkinStar > > > > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo wrote: > > > > > > Regarding the signature issue you mentioned, only release manager and > > > joyqi > > > > know the secret GPG keys. This is to ensure that no matter what the > > > problem > > > > is, there is someone available to help resolve issues that arise in > the > > > > release. > > > > > > I feel like it's better to use different gpg keys that owned by RM > > > themselves. > > > > > > As the community expands, we'll welcome new PPMC members and Release > > > Managers (RMs) from outside your company. Regarding security, it's > risky > > > for RMs to share GPG keys. In terms of community independence, the > release > > > process should not be overly reliant on joyqi. Should joyqi be > unavailable > > > or preoccupied, can the release process continue without interruption? > > > > > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote: > > > > Hi Xuanwo, > > > > > > > > Firstly, these files in the vaunt folder are reward badges for user > > > > contributions. For now, we are using it. > > > > Regarding the signature issue you mentioned, only release manager and > > > joyqi > > > > know the secret GPG keys. This is to ensure that no matter what the > > > problem > > > > is, there is someone available to help resolve issues that arise in > the > > > > release. > > > > > > > > Best regards, > > > > LinkinStar > > > > > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo wrote: > > > > > > > >> Hi, > > > >> > > > >> I found those images are included in source tarball: > > > >> > > > >> - .vaunt/bug.png > > > >> - .vaunt/enhancement.png > > > >> > > > >> Are they needed by users? Is it possible to remove them from the src > > > >> release? > > > >> > > > >> Regarding PGP signatures, I'm confident that all are valid. But I > found > > > >> that those tarball > > > >> are signed by jo...@apache.org which is not the release manager. > > > >> > > > >> Are you internally sharing jo...@apache.org's secret GPG keys? Or > have > > > >> you signed those > > > >> tarballs through CI with the key stored as GitHub secrets? > > > >> > > > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > > > >> > Hello, > > > >> > > > > >> > This is a call for vote to release Apache Answer(Incubating) > > > version > > > >> > v1.2.1-RC1. > > > >> > > > > >> > The vote thread: > > > >> > > > > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 > > > >> > > > > >> > Vote Result: > > > >> > > > > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj > > > >> > > > > >> > The release candidates: > > > >> > > > > >> > > > > >> > > > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > > >> > > > > >> > Release notes: > > > >> > > > > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > >> > > > > >> > Git tag for the release: > > > >> > > > > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > >> > > > > >> > Git commit id for the release: > > > >> > > > > >> > > > > >> > > > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > > >> > > > > >> > Keys to verify the Release Candidate: > > > >> > > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > > >> > > > > >> > The vote will be open for at least 72 hours or until the > necessary > > > >> > number of votes are reached. > > > >> > > > > >> >
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
KEYS is a very for all existing public keys. Not for a specific individual. Are you misunderstanding this? Sheng Wu 吴晟 Twitter, wusheng1108 LinkinStar 于2023年12月20日周三 15:31写道: > > Hi Xuanwo, > > Thank you very much for your suggestions. I'm very sorry, perhaps my > understanding of the release signature is a little misguided. This is > because we feel that there can only be one download address for KEYS, e.g. > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If there > can only be one public key, then there can only be one private key. So we > previously felt that all published content can always have only one private > key to sign. That's why we use this mode. Because we would think that if a > different person were to sign it, then the public key would change and the > previous release would not be verified. For example, The A RM signed the > released version 1.0.0. The B RM signed the released version 1.1.0. If B > replaces the public key > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then > version 1.0.0 will fail to verify it if you use the same public key. > > Best regards, > LinkinStar > > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo wrote: > > > > Regarding the signature issue you mentioned, only release manager and > > joyqi > > > know the secret GPG keys. This is to ensure that no matter what the > > problem > > > is, there is someone available to help resolve issues that arise in the > > > release. > > > > I feel like it's better to use different gpg keys that owned by RM > > themselves. > > > > As the community expands, we'll welcome new PPMC members and Release > > Managers (RMs) from outside your company. Regarding security, it's risky > > for RMs to share GPG keys. In terms of community independence, the release > > process should not be overly reliant on joyqi. Should joyqi be unavailable > > or preoccupied, can the release process continue without interruption? > > > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote: > > > Hi Xuanwo, > > > > > > Firstly, these files in the vaunt folder are reward badges for user > > > contributions. For now, we are using it. > > > Regarding the signature issue you mentioned, only release manager and > > joyqi > > > know the secret GPG keys. This is to ensure that no matter what the > > problem > > > is, there is someone available to help resolve issues that arise in the > > > release. > > > > > > Best regards, > > > LinkinStar > > > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo wrote: > > > > > >> Hi, > > >> > > >> I found those images are included in source tarball: > > >> > > >> - .vaunt/bug.png > > >> - .vaunt/enhancement.png > > >> > > >> Are they needed by users? Is it possible to remove them from the src > > >> release? > > >> > > >> Regarding PGP signatures, I'm confident that all are valid. But I found > > >> that those tarball > > >> are signed by jo...@apache.org which is not the release manager. > > >> > > >> Are you internally sharing jo...@apache.org's secret GPG keys? Or have > > >> you signed those > > >> tarballs through CI with the key stored as GitHub secrets? > > >> > > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > > >> > Hello, > > >> > > > >> > This is a call for vote to release Apache Answer(Incubating) > > version > > >> > v1.2.1-RC1. > > >> > > > >> > The vote thread: > > >> > > > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 > > >> > > > >> > Vote Result: > > >> > > > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj > > >> > > > >> > The release candidates: > > >> > > > >> > > > >> > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > >> > > > >> > Release notes: > > >> > > > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > >> > > > >> > Git tag for the release: > > >> > > > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > >> > > > >> > Git commit id for the release: > > >> > > > >> > > > >> > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > >> > > > >> > Keys to verify the Release Candidate: > > >> > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > >> > > > >> > The vote will be open for at least 72 hours or until the necessary > > >> > number of votes are reached. > > >> > > > >> > Please vote accordingly: > > >> > > > >> > [ ] +1 approve > > >> > [ ] +0 no opinion > > >> > [ ] -1 disapprove with the reason > > >> > > > >> > Checklist for reference: > > >> > > > >> > [ ] Download links are valid. > > >> > [ ] Checksums and PGP signatures are valid. > > >> > [ ] Source code distributions have correct names matching the > > current > > >> > release. > > >> > [ ] LICENSE and NOTICE files are correct for each Answer repo. > > >> > [ ] All files have license headers if necessary. > > >> > [ ] No unlicensed compiled archives
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Hi Xuanwo, Thank you very much for your suggestions. I'm very sorry, perhaps my understanding of the release signature is a little misguided. This is because we feel that there can only be one download address for KEYS, e.g. https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If there can only be one public key, then there can only be one private key. So we previously felt that all published content can always have only one private key to sign. That's why we use this mode. Because we would think that if a different person were to sign it, then the public key would change and the previous release would not be verified. For example, The A RM signed the released version 1.0.0. The B RM signed the released version 1.1.0. If B replaces the public key https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then version 1.0.0 will fail to verify it if you use the same public key. Best regards, LinkinStar On Wed, Dec 20, 2023 at 3:06 PM Xuanwo wrote: > > Regarding the signature issue you mentioned, only release manager and > joyqi > > know the secret GPG keys. This is to ensure that no matter what the > problem > > is, there is someone available to help resolve issues that arise in the > > release. > > I feel like it's better to use different gpg keys that owned by RM > themselves. > > As the community expands, we'll welcome new PPMC members and Release > Managers (RMs) from outside your company. Regarding security, it's risky > for RMs to share GPG keys. In terms of community independence, the release > process should not be overly reliant on joyqi. Should joyqi be unavailable > or preoccupied, can the release process continue without interruption? > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote: > > Hi Xuanwo, > > > > Firstly, these files in the vaunt folder are reward badges for user > > contributions. For now, we are using it. > > Regarding the signature issue you mentioned, only release manager and > joyqi > > know the secret GPG keys. This is to ensure that no matter what the > problem > > is, there is someone available to help resolve issues that arise in the > > release. > > > > Best regards, > > LinkinStar > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo wrote: > > > >> Hi, > >> > >> I found those images are included in source tarball: > >> > >> - .vaunt/bug.png > >> - .vaunt/enhancement.png > >> > >> Are they needed by users? Is it possible to remove them from the src > >> release? > >> > >> Regarding PGP signatures, I'm confident that all are valid. But I found > >> that those tarball > >> are signed by jo...@apache.org which is not the release manager. > >> > >> Are you internally sharing jo...@apache.org's secret GPG keys? Or have > >> you signed those > >> tarballs through CI with the key stored as GitHub secrets? > >> > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > >> > Hello, > >> > > >> > This is a call for vote to release Apache Answer(Incubating) > version > >> > v1.2.1-RC1. > >> > > >> > The vote thread: > >> > > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 > >> > > >> > Vote Result: > >> > > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj > >> > > >> > The release candidates: > >> > > >> > > >> > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > >> > > >> > Release notes: > >> > > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > >> > > >> > Git tag for the release: > >> > > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > >> > > >> > Git commit id for the release: > >> > > >> > > >> > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > >> > > >> > Keys to verify the Release Candidate: > >> > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > >> > > >> > The vote will be open for at least 72 hours or until the necessary > >> > number of votes are reached. > >> > > >> > Please vote accordingly: > >> > > >> > [ ] +1 approve > >> > [ ] +0 no opinion > >> > [ ] -1 disapprove with the reason > >> > > >> > Checklist for reference: > >> > > >> > [ ] Download links are valid. > >> > [ ] Checksums and PGP signatures are valid. > >> > [ ] Source code distributions have correct names matching the > current > >> > release. > >> > [ ] LICENSE and NOTICE files are correct for each Answer repo. > >> > [ ] All files have license headers if necessary. > >> > [ ] No unlicensed compiled archives bundled in source archive. > >> > > >> > To compile from the source, please refer to: > >> > > >> > https://github.com/apache/incubator-answer#building-from-source > >> > > >> > Thanks, > >> > LinkinStar > >> > >> -- > >> Xuanwo > >> > >> - > >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > >> For additional commands, e-mail:
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
LinkinStar 于2023年12月20日周三 14:57写道: > > Hi Xuanwo, > > Firstly, these files in the vaunt folder are reward badges for user > contributions. For now, we are using it. > Regarding the signature issue you mentioned, only release manager and joyqi > know the secret GPG keys. This is to ensure that no matter what the problem > is, there is someone available to help resolve issues that arise in the > release. This doesn't make sense. If the private key is shared, then that key should not be used anymore. If the key isn't shared, why joyqi could sign, but doesn't call out for a vote? If you are a member of PPMC, you could add your own key(signed by your Apache ID), and sign the tar. Generally, unless there are some special cases, you should not start a vote on others' signed tars. > > Best regards, > LinkinStar > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo wrote: > > > Hi, > > > > I found those images are included in source tarball: > > > > - .vaunt/bug.png > > - .vaunt/enhancement.png > > > > Are they needed by users? Is it possible to remove them from the src > > release? > > > > Regarding PGP signatures, I'm confident that all are valid. But I found > > that those tarball > > are signed by jo...@apache.org which is not the release manager. > > > > Are you internally sharing jo...@apache.org's secret GPG keys? Or have > > you signed those > > tarballs through CI with the key stored as GitHub secrets? > > > > On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > > > Hello, > > > > > > This is a call for vote to release Apache Answer(Incubating) version > > > v1.2.1-RC1. > > > > > > The vote thread: > > > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 > > > > > > Vote Result: > > > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj > > > > > > The release candidates: > > > > > > > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > > > > > Release notes: > > > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > > > Git tag for the release: > > > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > > > Git commit id for the release: > > > > > > > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > > > > > Keys to verify the Release Candidate: > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > > > > > The vote will be open for at least 72 hours or until the necessary > > > number of votes are reached. > > > > > > Please vote accordingly: > > > > > > [ ] +1 approve > > > [ ] +0 no opinion > > > [ ] -1 disapprove with the reason > > > > > > Checklist for reference: > > > > > > [ ] Download links are valid. > > > [ ] Checksums and PGP signatures are valid. > > > [ ] Source code distributions have correct names matching the current > > > release. > > > [ ] LICENSE and NOTICE files are correct for each Answer repo. > > > [ ] All files have license headers if necessary. > > > [ ] No unlicensed compiled archives bundled in source archive. > > > > > > To compile from the source, please refer to: > > > > > > https://github.com/apache/incubator-answer#building-from-source > > > > > > Thanks, > > > LinkinStar > > > > -- > > Xuanwo > > > > - > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > > For additional commands, e-mail: general-h...@incubator.apache.org > > > > - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
> Regarding the signature issue you mentioned, only release manager and joyqi > know the secret GPG keys. This is to ensure that no matter what the problem > is, there is someone available to help resolve issues that arise in the > release. I feel like it's better to use different gpg keys that owned by RM themselves. As the community expands, we'll welcome new PPMC members and Release Managers (RMs) from outside your company. Regarding security, it's risky for RMs to share GPG keys. In terms of community independence, the release process should not be overly reliant on joyqi. Should joyqi be unavailable or preoccupied, can the release process continue without interruption? On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote: > Hi Xuanwo, > > Firstly, these files in the vaunt folder are reward badges for user > contributions. For now, we are using it. > Regarding the signature issue you mentioned, only release manager and joyqi > know the secret GPG keys. This is to ensure that no matter what the problem > is, there is someone available to help resolve issues that arise in the > release. > > Best regards, > LinkinStar > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo wrote: > >> Hi, >> >> I found those images are included in source tarball: >> >> - .vaunt/bug.png >> - .vaunt/enhancement.png >> >> Are they needed by users? Is it possible to remove them from the src >> release? >> >> Regarding PGP signatures, I'm confident that all are valid. But I found >> that those tarball >> are signed by jo...@apache.org which is not the release manager. >> >> Are you internally sharing jo...@apache.org's secret GPG keys? Or have >> you signed those >> tarballs through CI with the key stored as GitHub secrets? >> >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: >> > Hello, >> > >> > This is a call for vote to release Apache Answer(Incubating) version >> > v1.2.1-RC1. >> > >> > The vote thread: >> > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 >> > >> > Vote Result: >> > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj >> > >> > The release candidates: >> > >> > >> https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ >> > >> > Release notes: >> > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 >> > >> > Git tag for the release: >> > >> https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 >> > >> > Git commit id for the release: >> > >> > >> https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef >> > >> > Keys to verify the Release Candidate: >> > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS >> > >> > The vote will be open for at least 72 hours or until the necessary >> > number of votes are reached. >> > >> > Please vote accordingly: >> > >> > [ ] +1 approve >> > [ ] +0 no opinion >> > [ ] -1 disapprove with the reason >> > >> > Checklist for reference: >> > >> > [ ] Download links are valid. >> > [ ] Checksums and PGP signatures are valid. >> > [ ] Source code distributions have correct names matching the current >> > release. >> > [ ] LICENSE and NOTICE files are correct for each Answer repo. >> > [ ] All files have license headers if necessary. >> > [ ] No unlicensed compiled archives bundled in source archive. >> > >> > To compile from the source, please refer to: >> > >> > https://github.com/apache/incubator-answer#building-from-source >> > >> > Thanks, >> > LinkinStar >> >> -- >> Xuanwo >> >> - >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >> For additional commands, e-mail: general-h...@incubator.apache.org >> >> -- Xuanwo - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Hi Xuanwo, Firstly, these files in the vaunt folder are reward badges for user contributions. For now, we are using it. Regarding the signature issue you mentioned, only release manager and joyqi know the secret GPG keys. This is to ensure that no matter what the problem is, there is someone available to help resolve issues that arise in the release. Best regards, LinkinStar On Wed, Dec 20, 2023 at 2:41 PM Xuanwo wrote: > Hi, > > I found those images are included in source tarball: > > - .vaunt/bug.png > - .vaunt/enhancement.png > > Are they needed by users? Is it possible to remove them from the src > release? > > Regarding PGP signatures, I'm confident that all are valid. But I found > that those tarball > are signed by jo...@apache.org which is not the release manager. > > Are you internally sharing jo...@apache.org's secret GPG keys? Or have > you signed those > tarballs through CI with the key stored as GitHub secrets? > > On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > > Hello, > > > > This is a call for vote to release Apache Answer(Incubating) version > > v1.2.1-RC1. > > > > The vote thread: > > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 > > > > Vote Result: > > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj > > > > The release candidates: > > > > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > > > Release notes: > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > Git tag for the release: > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > > > Git commit id for the release: > > > > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > > > Keys to verify the Release Candidate: > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > > > The vote will be open for at least 72 hours or until the necessary > > number of votes are reached. > > > > Please vote accordingly: > > > > [ ] +1 approve > > [ ] +0 no opinion > > [ ] -1 disapprove with the reason > > > > Checklist for reference: > > > > [ ] Download links are valid. > > [ ] Checksums and PGP signatures are valid. > > [ ] Source code distributions have correct names matching the current > > release. > > [ ] LICENSE and NOTICE files are correct for each Answer repo. > > [ ] All files have license headers if necessary. > > [ ] No unlicensed compiled archives bundled in source archive. > > > > To compile from the source, please refer to: > > > > https://github.com/apache/incubator-answer#building-from-source > > > > Thanks, > > LinkinStar > > -- > Xuanwo > > - > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > >
Re: [VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Hi, I found those images are included in source tarball: - .vaunt/bug.png - .vaunt/enhancement.png Are they needed by users? Is it possible to remove them from the src release? Regarding PGP signatures, I'm confident that all are valid. But I found that those tarball are signed by jo...@apache.org which is not the release manager. Are you internally sharing jo...@apache.org's secret GPG keys? Or have you signed those tarballs through CI with the key stored as GitHub secrets? On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote: > Hello, > > This is a call for vote to release Apache Answer(Incubating) version > v1.2.1-RC1. > > The vote thread: > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 > > Vote Result: > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj > > The release candidates: > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ > > Release notes: > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > Git tag for the release: > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 > > Git commit id for the release: > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef > > Keys to verify the Release Candidate: > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS > > The vote will be open for at least 72 hours or until the necessary > number of votes are reached. > > Please vote accordingly: > > [ ] +1 approve > [ ] +0 no opinion > [ ] -1 disapprove with the reason > > Checklist for reference: > > [ ] Download links are valid. > [ ] Checksums and PGP signatures are valid. > [ ] Source code distributions have correct names matching the current > release. > [ ] LICENSE and NOTICE files are correct for each Answer repo. > [ ] All files have license headers if necessary. > [ ] No unlicensed compiled archives bundled in source archive. > > To compile from the source, please refer to: > > https://github.com/apache/incubator-answer#building-from-source > > Thanks, > LinkinStar -- Xuanwo - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
[VOTE] Release Apache Answer(Incubating) v1.2.1-RC1
Hello, This is a call for vote to release Apache Answer(Incubating) version v1.2.1-RC1. The vote thread: https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6 Vote Result: https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj The release candidates: https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/ Release notes: https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 Git tag for the release: https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1 Git commit id for the release: https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef Keys to verify the Release Candidate: https://dist.apache.org/repos/dist/release/incubator/answer/KEYS The vote will be open for at least 72 hours or until the necessary number of votes are reached. Please vote accordingly: [ ] +1 approve [ ] +0 no opinion [ ] -1 disapprove with the reason Checklist for reference: [ ] Download links are valid. [ ] Checksums and PGP signatures are valid. [ ] Source code distributions have correct names matching the current release. [ ] LICENSE and NOTICE files are correct for each Answer repo. [ ] All files have license headers if necessary. [ ] No unlicensed compiled archives bundled in source archive. To compile from the source, please refer to: https://github.com/apache/incubator-answer#building-from-source Thanks, LinkinStar
