Hello Sheng Wu,

Yes, I misunderstood. I thought KEYS can only contain one public key, no
other public keys are allowed to exist at the same time. That's why I was
forced to do this signature. It helped me solve a real problem. Thanks a lot.

Best regards,
LinkinStar

On Wed, Dec 20, 2023 at 3:45 PM Sheng Wu <wu.sheng.841...@gmail.com> wrote:

> KEYS is a very for all existing public keys. Not for a specific
> individual. Are you misunderstanding this?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
> LinkinStar <linkins...@apache.org> wrote on Wed, Dec 20, 2023 at 15:31:
> >
> > Hi Xuanwo,
> >
> > Thank you very much for your suggestions. I'm very sorry, perhaps my
> > understanding of the release signature is a little misguided. This is
> > because we feel that there can only be one download address for KEYS, e.g.
> > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If there
> > can only be one public key, then there can only be one private key. So we
> > previously felt that all published content can always have only one private
> > key to sign. That's why we use this mode. Because we would think that if a
> > different person were to sign it, then the public key would change and the
> > previous release would not be verified. For example, the A RM signed the
> > released version 1.0.0. The B RM signed the released version 1.1.0. If B
> > replaces the public key
> > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then
> > version 1.0.0 will fail to verify it if you use the same public key.
> >
> > Best regards,
> > LinkinStar
> >
> > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo <xua...@apache.org> wrote:
> >
> > > > Regarding the signature issue you mentioned, only release manager and
> > > > joyqi know the secret GPG keys. This is to ensure that no matter what
> > > > the problem is, there is someone available to help resolve issues that
> > > > arise in the release.
> > >
> > > I feel like it's better to use different gpg keys that owned by RM
> > > themselves.
> > >
> > > As the community expands, we'll welcome new PPMC members and Release
> > > Managers (RMs) from outside your company. Regarding security, it's risky
> > > for RMs to share GPG keys. In terms of community independence, the release
> > > process should not be overly reliant on joyqi. Should joyqi be unavailable
> > > or preoccupied, can the release process continue without interruption?
> > >
> > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote:
> > > > Hi Xuanwo,
> > > >
> > > > Firstly, these files in the vaunt folder are reward badges for user
> > > > contributions. For now, we are using it.
> > > > Regarding the signature issue you mentioned, only release manager and
> > > > joyqi know the secret GPG keys. This is to ensure that no matter what
> > > > the problem is, there is someone available to help resolve issues that
> > > > arise in the release.
> > > >
> > > > Best regards,
> > > > LinkinStar
> > > >
> > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo <xua...@apache.org> wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> I found those images are included in source tarball:
> > > >>
> > > >> - .vaunt/bug.png
> > > >> - .vaunt/enhancement.png
> > > >>
> > > >> Are they needed by users? Is it possible to remove them from the src
> > > >> release?
> > > >>
> > > >> Regarding PGP signatures, I'm confident that all are valid. But I found
> > > >> that those tarball are signed by jo...@apache.org which is not the
> > > >> release manager.
> > > >>
> > > >> Are you internally sharing jo...@apache.org's secret GPG keys? Or have
> > > >> you signed those tarballs through CI with the key stored as GitHub
> > > >> secrets?
> > > >>
> > > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote:
> > > >> > Hello,
> > > >> >
> > > >> > This is a call for vote to release Apache Answer(Incubating) version
> > > >> > v1.2.1-RC1.
> > > >> >
> > > >> > The vote thread:
> > > >> > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6
> > > >> >
> > > >> > Vote Result:
> > > >> > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj
> > > >> >
> > > >> > The release candidates:
> > > >> > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/
> > > >> >
> > > >> > Release notes:
> > > >> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> > > >> >
> > > >> > Git tag for the release:
> > > >> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> > > >> >
> > > >> > Git commit id for the release:
> > > >> > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef
> > > >> >
> > > >> > Keys to verify the Release Candidate:
> > > >> > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS
> > > >> >
> > > >> > The vote will be open for at least 72 hours or until the necessary
> > > >> > number of votes are reached.
> > > >> >
> > > >> > Please vote accordingly:
> > > >> >
> > > >> > [ ] +1 approve
> > > >> > [ ] +0 no opinion
> > > >> > [ ] -1 disapprove with the reason
> > > >> >
> > > >> > Checklist for reference:
> > > >> >
> > > >> > [ ] Download links are valid.
> > > >> > [ ] Checksums and PGP signatures are valid.
> > > >> > [ ] Source code distributions have correct names matching the
> > > >> > current release.
> > > >> > [ ] LICENSE and NOTICE files are correct for each Answer repo.
> > > >> > [ ] All files have license headers if necessary.
> > > >> > [ ] No unlicensed compiled archives bundled in source archive.
> > > >> >
> > > >> > To compile from the source, please refer to:
> > > >> > https://github.com/apache/incubator-answer#building-from-source
> > > >> >
> > > >> > Thanks,
> > > >> > LinkinStar
> > > >>
> > > >> --
> > > >> Xuanwo
> > > >>
> > > >> ---------------------------------------------------------------------
> > > >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > > >> For additional commands, e-mail: general-h...@incubator.apache.org
> > >
> > > --
> > > Xuanwo
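The point settled in this thread (one KEYS file holds every release manager's public key, so each RM can sign with their own key) can be reproduced locally. The script below is an added example, not part of the original messages or of the Answer project; the two release managers, their throwaway keys and the `answer-*.tar.gz` files are all constructed, and it assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example: constructed keys and files only; no real Apache keys are used.
set -eu

g() {  # g <homedir> <gpg args...>: run gpg against an isolated keyring
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty \
      --pinentry-mode loopback --passphrase '' "$@"
}

new_rm() {  # new_rm <homedir> <user id>: one signing key per release manager
  mkdir -p "$1" && chmod 700 "$1"
  g "$1" --quick-generate-key "$2" ed25519 sign never >/dev/null 2>&1
}

check() {  # check <verifier homedir> <file>: prints "good" or "BAD"
  if g "$1" --verify "$2.asc" "$2" 2>/dev/null; then echo good; else echo BAD; fi
}

keys_demo() {
  w=$(mktemp -d)
  new_rm "$w/rm-a" "RM A (constructed) <rm-a@example.invalid>"
  new_rm "$w/rm-b" "RM B (constructed) <rm-b@example.invalid>"
  echo "release 1.0.0" > "$w/answer-1.0.0.tar.gz"   # stand-in tarballs
  echo "release 1.1.0" > "$w/answer-1.1.0.tar.gz"
  g "$w/rm-a" --armor --detach-sign "$w/answer-1.0.0.tar.gz"  # A signs 1.0.0
  g "$w/rm-b" --armor --detach-sign "$w/answer-1.1.0.tar.gz"  # B signs 1.1.0
  # KEYS as intended: B appends a public key, A's key stays in the file.
  g "$w/rm-a" --armor --export >  "$w/KEYS"
  g "$w/rm-b" --armor --export >> "$w/KEYS"
  # The feared case from the thread: B overwrites KEYS with only B's key.
  g "$w/rm-b" --armor --export >  "$w/KEYS.replaced"
  for k in KEYS KEYS.replaced; do
    v="$w/v-$k"                       # fresh verifier keyring per KEYS file
    mkdir -p "$v" && chmod 700 "$v"
    g "$v" --import "$w/$k" 2>/dev/null
    echo "$k 1.0.0=$(check "$v" "$w/answer-1.0.0.tar.gz")" \
         "1.1.0=$(check "$v" "$w/answer-1.1.0.tar.gz")"
  done
  for d in "$w/rm-a" "$w/rm-b" "$w/v-KEYS" "$w/v-KEYS.replaced"; do
    gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$w"
}

keys_demo
```

With the appended KEYS both releases verify; with the overwritten one, the release signed by RM A no longer does, which is why keys are added to KEYS rather than swapped.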