Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Sheng Wu
Got it. +1 binding Checked 1. Incubating in names 2. Compiling pass. 3. GPG checked 4. sha512 exist 5. LICENSE and NOTICE exist. Good luck and glad to see the stable release will be available soon Sheng Wu 吴晟 Twitter, wusheng1108 zhangli...@apache.org wrote on Thu, Jan 2, 2020 at 12:38 PM: > Sorry, I can

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread zhangli...@apache.org
Sorry, I can not find the old secret key, so we can not reuse the old public key for now. The only way is to use the current key to check the gpg signature. Please reimport the `KEYS` file to validate the signature for now. It is unnecessary to re-release the version. How about continue to vote on this

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Juan Pan
Thanks for your explanation, Willem. Let me make it clear, my concern is that a public key ever signed for one release, and now this key is compromised, and although this key is in KEYS file, it could not work well. Therefore we could not use it to verify the integrity of old release in [1]

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Willem Jiang
No, I don't think using the KEYS file can keep good track of the public key, it doesn't support the revoke operation. It's better to use the public Key server to host the public key and we can know if the key is revoked or not. Willem Jiang Twitter: willemjiang Weibo: 姜宁willem On Thu, Jan 2,

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Juan Pan
That means once one key was used for one release, it could not be deleted from KEYS files anymore no matter it is great on or not, right? Juan Pan (Trista) Senior DBA & PPMC of Apache ShardingSphere(Incubating) E-mail: panj...@apache.org On 01/2/2020 12:00,Willem

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread zhangli...@apache.org
Sure, 2 same usernames will make the checker confused. I prefer to re-release again for round 3 and just make sure one release manager only has a single gpg signature. -- Liang Zhang (John) Apache ShardingSphere & Dubbo Juan Pan wrote on Thu, Jan 2, 2020 at 11:12 AM: > Very appreciated

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Willem Jiang
If the private key is compromised[1] or if we cannot find the private key, we should revoke the public KEY[2]. Please keep your private key in a safe place. [1] https://www.thesslstore.com/blog/heres-what-happens-when-your-private-key-gets-compromised/

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Juan Pan
Very appreciated Sheng, make sense. Juan Pan (Trista) Senior DBA & PPMC of Apache ShardingSphere(Incubating) E-mail: panj...@apache.org On 01/2/2020 11:09,Sheng Wu wrote: Yes, because the verification is introduced on the official website, download page, right? If

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Sheng Wu
Yes, because the verification is introduced on the official website, download page, right? If we delete it, users will fail when we do the verification. Sheng Wu 吴晟 Twitter, wusheng1108 Juan Pan wrote on Thu, Jan 2, 2020 at 11:03 AM: > Hi Sheng, > > > Thanks for your correction. > Just confirm, the key

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Juan Pan
Hi Sheng, Thanks for your correction. Just confirm, the key point is that the old key for 4.0.0-RC1 release which passed the release vote but exists in our release list now could not be deleted, right? In other words, only one certain release exists, the key used for which must exist?

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Sheng Wu
You can't simply delete the old one. Because ShardingSphere has existing release based on that KEY :) We could still continue in this way, but it should not be recommended if your old key is still available. Sheng Wu 吴晟 Twitter, wusheng1108 Juan Pan wrote on Thu, Jan 2, 2020 at 10:18 AM: > Hi Liang, > > >

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Juan Pan
Hi Liang, If you plan not to use the old one any more, deleting it is an alternative to avoid confusion. If so, it is necessary to delete it in KEYS file and public key servers, IMO. Juan Pan (Trista) Senior DBA & PPMC of Apache ShardingSphere(Incubating) E-mail:

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread zhangli...@apache.org
> A question, why you have two pgp keys in the KEYS file? I change a computer, the 1st one is for the 4.0.0-RC1, the 4th one is for this version. Do you think we could remove the 1st one? Because I will never use that gpg key again, but do we need to keep it to make the 4.0.0-RC1 can be validated?

Re: [VOTE] Release Apache ShardingSphere (Incubating) 4.0.0 round 2

2020-01-01 Thread Sheng Wu
Hi Liang Zhang A question, why you have two pgp keys in the KEYS file? Sheng Wu 吴晟 Twitter, wusheng1108 zhangli...@apache.org wrote on Mon, Dec 30, 2019 at 9:44 PM: > Hello ShardingSphere Community, > > This is a call for vote to release Apache ShardingSphere (Incubating) > version 4.0.0 > > Release