My +1 Ralph
> On Sep 22, 2020, at 11:21 PM, Davyd McColl <dav...@gmail.com> wrote: > > Thanks all; I've completed the release as far as I can (Ralph, please push > the relevant artifacts from > https://github.com/apache/logging-log4net/releases/tag/rel%2F2.0.11 the last > mile) and pushed the nuget package. > > -d > > On 2020/09/22 17:34:34, Matt Sicker <boa...@gmail.com> wrote: > +1 > > On Tue, Sep 22, 2020 at 04:23 Dominik Psenner wrote: > >> +1 >> >> >> >> -- >> >> Sent from my phone. Typos are a kind gift to anyone who happens to find >> >> them. >> >> >> >> On Tue, Sep 22, 2020, 08:37 Davyd McColl wrote: >> >> >> >>> Hi all >> >>> >> >>> I'd appreciate any more +1's (thanks, Remko!). I'd like to get this out >> >>> the door because it fixes confusing versioning on the released binaries >> (in >> >>> particular, nuget consumers) >> >>> >> >>> Thanks >> >>> -d >> >>> On 2020/09/20 22:33:49, Matt Sicker wrote: >> >>> I can use whatever. >> >>> >> >>> On Sun, 20 Sep 2020 at 15:26, Ralph Goers wrote: >> >>>> >> >>>> I don’t have google meet and I can’t use Skype since Microsoft hosed my >> >>> authentication. I have zoom. My company uses Amazon Chime, which is >> fairly >> >>> new, as part of our product offering. I’ve sent you both emails for a >> >>> meeting using that. >> >>>> >> >>>> Ralph >> >>>> >> >>>>> On Sep 20, 2020, at 1:01 PM, Matt Sicker wrote: >> >>>>> >> >>>>> I sent a Google Meet invite to you. >> >>>>> >> >>>>> On Sun, 20 Sep 2020 at 14:26, Davyd McColl wrote: >> >>>>>> >> >>>>>> I'm happy to be available at 8am my side, if that works for everyone >> >>> else. >> >>>>>> It sounds like earlier would be better, but I'm doing the morning >> >>> school >> >>>>>> run from 7am and can't guarantee I'll be back significantly before >> >>> 8am. >> >>>>>> >> >>>>>> How to do this? I have zoom and slack on my work machine, can >> install >> >>>>>> Skype if that's more convenient, can do google meet, I assume, >> though >> >>>>>> haven't ever tried, so may need a bit of a crash intro. >> >>>>>> >> >>>>>> If posting meeting details to the mailing list is not on, feel free >> to >> >>>>>> email me directly (: >> >>>>>> >> >>>>>> -d >> >>>>>> >> >>>>>> >> >>>>>> On September 20, 2020 20:58:29 Ralph Goers wrote: >> >>>>>> >> >>>>>>> 8am in Durban South Africa is 11pm the night before in Phoenix AZ. >> >>>>>>> However, I frequently am up until midnight so that could work. >> >>> 5-5:30 pm is >> >>>>>>> 7:30-8 am in Phoenix. I usually am not in front of my computer on a >> >>> weekday >> >>>>>>> until 8 am but on occasion I can do earlier. >> >>>>>>> >> >>>>>>> Ralph >> >>>>>>> >> >>>>>>>> On Sep 20, 2020, at 9:46 AM, Davyd McColl wrote: >> >>>>>>>> >> >>>>>>>> Any time 08h00 - 17h30 utc+2, except 13h00-14h00 (that's when I >> >>> fetch my >> >>>>>>>> son from school) >> >>>>>>>> >> >>>>>>>> -d >> >>>>>>>> >> >>>>>>>> >> >>>>>>>> On September 20, 2020 18:44:19 Matt Sicker wrote: >> >>>>>>>> >> >>>>>>>>> We’re not quite as strict as Debian for keys (though if you can >> >>> find a >> >>>>>>>>> Debian group locally, they’re great for key signing). The video >> >>> call idea >> >>>>>>>>> could work for exchanging keys. What times would you be available >> >>> to do >> >>>>>>>>> that? >> >>>>>>>>> >> >>>>>>>>> On Sun, Sep 20, 2020 at 03:09 Davyd McColl wrote: >> >>>>>>>>> >> >>>>>>>>>> Hi Ralph >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> I think I miscommunicated: I'm not regenerating my signing key - >> >>> just the >> >>>>>>>>>> >> >>>>>>>>>> nuget API key for package upload. This forces me to log in in >> >>> nuget.org >> >>>>>>>>>> >> >>>>>>>>>> which has 2fa and then I only use that key on the cli for the >> >>> immediate >> >>>>>>>>>> upload. >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> My gpg key as at https://GitHub.com/fluffynuts.gpg is the same >> >>> that I >> >>>>>>>>>> used >> >>>>>>>>>> >> >>>>>>>>>> last time. >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> -d >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> On September 20, 2020 09:01:36 Ralph Goers >> >>>>>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>> In the long run you don’t want to be regenerating your signing >> >>> key for >> >>>>>>>>>> >> >>>>>>>>>>> every release. The point is that you would upload the key to a >> >>> central >> >>>>>>>>>> >> >>>>>>>>>>> keystore and other people would sign it there. At ApacheCon we >> >>> would >> >>>>>>>>>> have a >> >>>>>>>>>> >> >>>>>>>>>>> key signing “party” where we recorded each others keys and then >> >>> would >> >>>>>>>>>> take >> >>>>>>>>>> >> >>>>>>>>>>> our list and update the central keystore. When people verify >> the >> >>> key >> >>>>>>>>>> they >> >>>>>>>>>> >> >>>>>>>>>>> can look at the keystore and see that it is signed by a number >> of >> >>>>>>>>>> people, >> >>>>>>>>>> >> >>>>>>>>>>> who then have their keys by a number of people and so on so you >> >>> are >> >>>>>>>>>> >> >>>>>>>>>>> building a web of trust. Sooner or later there will be someone >> >>> in that >> >>>>>>>>>> web >> >>>>>>>>>> >> >>>>>>>>>>> that you personally know and trust. >> >>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>> Ralph >> >>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>> On Sep 19, 2020, at 11:26 PM, Davyd McColl wrote: >> >>>>>>>>>> >> >>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>> Thanks Matt, I've updated the artifacts on GitHub to have >> >>> detached >> >>>>>>>>>> >> >>>>>>>>>>>> signatures. I had previously also uploaded my key to >> >>> sks-keyservers.net, >> >>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>> but I've also uploaded to MIT, though search there always >> times >> >>> out. >> >>>>>>>>>> >> >>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>> The document you've linked mentions face-to-face interactions >> >>> to get my >> >>>>>>>>>> key >> >>>>>>>>>> >> >>>>>>>>>>>> into the official KEYS file. Not sure how many apache people >> >>> are at my >> >>>>>>>>>> end >> >>>>>>>>>> >> >>>>>>>>>>>> of the world (Durban, South Africa), but I can do an online >> >>> meeting if >> >>>>>>>>>> that >> >>>>>>>>>> >> >>>>>>>>>>>> helps. Last release, Ralph said I should sign, so I did. I'm >> >>> new to >> >>>>>>>>>> signing >> >>>>>>>>>> >> >>>>>>>>>>>> release artifacts - I've generally relied on authentication >> >>> during >> >>>>>>>>>> upload >> >>>>>>>>>> >> >>>>>>>>>>>> as verification of authenticity, with 2FA wherever possible >> >>> (GitHub and >> >>>>>>>>>> >> >>>>>>>>>>>> NPM; nuget survives with an apikey - but for the last 2 >> >>> releases, I've >> >>>>>>>>>> >> >>>>>>>>>>>> regenerated the key on each use and only supplied it on the >> cli >> >>> at >> >>>>>>>>>> upload, >> >>>>>>>>>> >> >>>>>>>>>>>> so as not to store it locally) >> >>>>>>>>>> >> >>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>> -d >> >>>>>>>>>> >> >>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>> On September 19, 2020 22:23:41 Matt Sicker wrote: >> >>>>>>>>>> >> >>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>> Oh and there's a bit of an issue with the signed files: it >> >>> looks like >> >>>>>>>>>> >> >>>>>>>>>>>>> you included _signed files_ rather than detached signatures. >> >>> Thus, the >> >>>>>>>>>> >> >>>>>>>>>>>>> .asc files are only verifying themselves rather than the >> >>> accompanying >> >>>>>>>>>> >> >>>>>>>>>>>>> file. >> >>>>>>>>>> >> >>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>> There's a --detached option in gpg for this (yeah, it's >> always >> >>> had a >> >>>>>>>>>> bad UI). >> >>>>>>>>>> >> >>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> The KEYS file [1] that's linked on the download page does >> not >> >>> have >> >>>>>>>>>> >> >>>>>>>>>>>>>> your key in it. Neither does other KEYS file [2]. Check out >> >>> [3] for >> >>>>>>>>>> >> >>>>>>>>>>>>>> more info. >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> [1]: https://downloads.apache.org/logging/log4net/KEYS >> >>>>>>>>>> >> >>>>>>>>>>>>>> [2]: https://downloads.apache.org/logging/KEYS >> >>>>>>>>>> >> >>>>>>>>>>>>>> [3]: >> >>> https://infra.apache.org/release-signing.html#keys-policy >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>> Thanks Matt, I've done so. Hopefully that makes it easier >> to >> >>> verify >> >>>>>>>>>> >> >>>>>>>>>>>>>>> artifacts that I have signed. >> >>>>>>>>>> >> >>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>> -d >> >>>>>>>>>> >> >>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>> On September 18, 2020 23:11:48 Matt Sicker >> >>>>>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> If you upload your key to your GitHub profile, that also >> >>> makes it >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> simple to find. For example, just add ".gpg" to your >> >>> profile URL: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> https://github.com/fluffynuts.gpg >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 16:08, Remko Popma >> >>>>>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>> +1 remko >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker >> >>>>>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> How about your gpg key? I don't think we've imported >> that >> >>> to >> >>>>>>>>>> the KEYS >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> file as far as I can tell? >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 15:53, Matt Sicker >> >>>>>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> Oh sorry, I didn't notice that you uploaded them there >> >>>>>>>>>> (wasn't even >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> aware that it was possible to be honest). >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 14:43, Davyd McColl >> >>>>>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> Hi Matt >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> Release artifacts are available on the GitHub release >> >>> page >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> (https://GitHub.com/Apache/logging-log4net/releases) >> - >> >>>>>>>>>> expand the >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> assets >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> list if it's collapsed. >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> I'll need someone to upload them to the downloads >> source >> >>>>>>>>>> as I >> >>>>>>>>>> >> >>>>>>>>>>>>>> think I >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> don't >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> have access to do so (if I'm wrong, I'd love to be >> >>>>>>>>>> corrected, >> >>>>>>>>>> >> >>>>>>>>>>>>>> because >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> I'd >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> be less of an annoyance then!). Ralph has stepped in >> to >> >>>>>>>>>> help here in >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> the past. >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> -d >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> On September 18, 2020 20:09:07 Matt Sicker < >> >>>>>>>>>> boa...@gmail.com> wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> Do you have links to the release artifacts? The >> >>> download >> >>>>>>>>>> page >> >>>>>>>>>> >> >>>>>>>>>>>>>> links >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> to >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> the live site which doesn't have the artifacts yet >> >>> since >> >>>>>>>>>> >> >>>>>>>>>>>>>> they're not >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> released yet. :) >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> On Fri, 18 Sep 2020 at 09:05, Davyd McColl >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> wrote: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> Hi all >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> I have another potential release available: 2.0.11, >> >>>>>>>>>> tagged as >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> rc/2.0.11 >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> Changes are really minor: >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> - fixed assembly versioning (all assemblies should >> >>>>>>>>>> report >> >>>>>>>>>> >> >>>>>>>>>>>>>> 2.0.11.0 >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> as their >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> version now) >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> - properly dispose of StreamWriters within logging >> >>>>>>>>>> appenders >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> (thanks to >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> @NicholasNoise) >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> Binaries are up at >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>> https://github.com/apache/logging-log4net/releases/tag/rc%2F2.0.11 >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> and I've >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> pushed to asf-staging for logging, now up at >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> https://logging.staged.apache.org/log4net/download_log4net.html >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> Thanks >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>>> -d >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> -- >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>>>> Matt Sicker >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> -- >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>>> Matt Sicker >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> -- >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> Matt Sicker >> >>>>>>>>>> >> >>>>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> -- >> >>>>>>>>>> >> >>>>>>>>>>>>>>>> Matt Sicker >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>>> -- >> >>>>>>>>>> >> >>>>>>>>>>>>>> Matt Sicker >> >>>>>>>>>> >> >>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>>>> -- >> >>>>>>>>>> >> >>>>>>>>>>>>> Matt Sicker >> >>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>> >> >>>>>>>>>> -- >> >>>>>>>>> Matt Sicker >> >>>>>>> >> >>>>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>> -- >> >>>>> Matt Sicker >> >>>>> >> >>>> >> >>>> >> >>> >> >>> >> >>> -- >> >>> Matt Sicker >> >>> >> >> -- > Matt Sicker
