> Regarding the signature issue you mentioned, only release manager and joyqi
> know the secret GPG keys. This is to ensure that no matter what the problem
> is, there is someone available to help resolve issues that arise in the
> release.

I feel like it's better to use different GPG keys that are owned by the RMs themselves.

As the community expands, we'll welcome new PPMC members and Release Managers (RMs) from outside your company. Regarding security, it's risky for RMs to share GPG keys.

In terms of community independence, the release process should not be overly reliant on joyqi. Should joyqi be unavailable or preoccupied, can the release process continue without interruption?

On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote:
> Hi Xuanwo,
>
> Firstly, these files in the vaunt folder are reward badges for user
> contributions. For now, we are using it.
> Regarding the signature issue you mentioned, only release manager and joyqi
> know the secret GPG keys. This is to ensure that no matter what the problem
> is, there is someone available to help resolve issues that arise in the
> release.
>
> Best regards,
> LinkinStar
>
> On Wed, Dec 20, 2023 at 2:41 PM Xuanwo <xua...@apache.org> wrote:
>
>> Hi,
>>
>> I found those images are included in source tarball:
>>
>> - .vaunt/bug.png
>> - .vaunt/enhancement.png
>>
>> Are they needed by users? Is it possible to remove them from the src
>> release?
>>
>> Regarding PGP signatures, I'm confident that all are valid. But I found
>> that those tarball are signed by jo...@apache.org which is not the
>> release manager.
>>
>> Are you internally sharing jo...@apache.org's secret GPG keys? Or have
>> you signed those tarballs through CI with the key stored as GitHub
>> secrets?
>>
>> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote:
>> > Hello,
>> >
>> > This is a call for vote to release Apache Answer(Incubating) version
>> > v1.2.1-RC1.
>> >
>> > The vote thread:
>> > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6
>> >
>> > Vote Result:
>> > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj
>> >
>> > The release candidates:
>> > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/
>> >
>> > Release notes:
>> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
>> >
>> > Git tag for the release:
>> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
>> >
>> > Git commit id for the release:
>> > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef
>> >
>> > Keys to verify the Release Candidate:
>> > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS
>> >
>> > The vote will be open for at least 72 hours or until the necessary
>> > number of votes are reached.
>> >
>> > Please vote accordingly:
>> >
>> > [ ] +1 approve
>> > [ ] +0 no opinion
>> > [ ] -1 disapprove with the reason
>> >
>> > Checklist for reference:
>> >
>> > [ ] Download links are valid.
>> > [ ] Checksums and PGP signatures are valid.
>> > [ ] Source code distributions have correct names matching the current
>> > release.
>> > [ ] LICENSE and NOTICE files are correct for each Answer repo.
>> > [ ] All files have license headers if necessary.
>> > [ ] No unlicensed compiled archives bundled in source archive.
>> >
>> > To compile from the source, please refer to:
>> >
>> > https://github.com/apache/incubator-answer#building-from-source
>> >
>> > Thanks,
>> > LinkinStar
>>
>> --
>> Xuanwo
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
>>
>>

--
Xuanwo

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org