Glad to help. I suggest canceling this vote and enhancing your release process doc, then starting a new one with a correct signature from the release manager. Note: don't remove anyone's KEY from KEYS, ever, even if it is expired. People may need them to verify your legacy releases in the future.

Sheng Wu 吴晟
Twitter, wusheng1108

LinkinStar <linkins...@apache.org> wrote on Wed, Dec 20, 2023 at 15:53:
>
> Hello Sheng Wu,
>
> Yes, I misunderstood. I thought KEYS can only contain one public key, no
> other public keys are allowed to exist at the same time. That's why I was
> forced to do this signature. It helped me solve a real problem. Thanks a
> lot.
>
> Best regards,
> LinkinStar
>
> On Wed, Dec 20, 2023 at 3:45 PM Sheng Wu <wu.sheng.841...@gmail.com> wrote:
>
> > KEYS is a very for all existing public keys. Not for a specific
> > individual. Are you misunderstanding this?
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
> > LinkinStar <linkins...@apache.org> wrote on Wed, Dec 20, 2023 at 15:31:
> > >
> > > Hi Xuanwo,
> > >
> > > Thank you very much for your suggestions. I'm very sorry, perhaps my
> > > understanding of the release signature is a little misguided. This is
> > > because we feel that there can only be one download address for KEYS, e.g.
> > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If there
> > > can only be one public key, then there can only be one private key. So we
> > > previously felt that all published content can always have only one private
> > > key to sign. That's why we use this mode. Because we would think that if a
> > > different person were to sign it, then the public key would change and the
> > > previous release would not be verified. For example, The A RM signed the
> > > released version 1.0.0. The B RM signed the released version 1.1.0. If B
> > > replaces the public key
> > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then
> > > version 1.0.0 will fail to verify it if you use the same public key.
> > >
> > > Best regards,
> > > LinkinStar
> > >
> > > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo <xua...@apache.org> wrote:
> > >
> > > > > Regarding the signature issue you mentioned, only release manager and joyqi
> > > > > know the secret GPG keys. This is to ensure that no matter what the problem
> > > > > is, there is someone available to help resolve issues that arise in the
> > > > > release.
> > > >
> > > > I feel like it's better to use different gpg keys that owned by RM
> > > > themselves.
> > > >
> > > > As the community expands, we'll welcome new PPMC members and Release
> > > > Managers (RMs) from outside your company. Regarding security, it's risky
> > > > for RMs to share GPG keys. In terms of community independence, the release
> > > > process should not be overly reliant on joyqi. Should joyqi be unavailable
> > > > or preoccupied, can the release process continue without interruption?
> > > >
> > > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote:
> > > > > Hi Xuanwo,
> > > > >
> > > > > Firstly, these files in the vaunt folder are reward badges for user
> > > > > contributions. For now, we are using it.
> > > > > Regarding the signature issue you mentioned, only release manager and joyqi
> > > > > know the secret GPG keys. This is to ensure that no matter what the problem
> > > > > is, there is someone available to help resolve issues that arise in the
> > > > > release.
> > > > >
> > > > > Best regards,
> > > > > LinkinStar
> > > > >
> > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo <xua...@apache.org> wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> I found those images are included in source tarball:
> > > > >>
> > > > >> - .vaunt/bug.png
> > > > >> - .vaunt/enhancement.png
> > > > >>
> > > > >> Are they needed by users? Is it possible to remove them from the src
> > > > >> release?
> > > > >>
> > > > >> Regarding PGP signatures, I'm confident that all are valid. But I found
> > > > >> that those tarball
> > > > >> are signed by jo...@apache.org which is not the release manager.
> > > > >>
> > > > >> Are you internally sharing jo...@apache.org's secret GPG keys? Or have
> > > > >> you signed those
> > > > >> tarballs through CI with the key stored as GitHub secrets?
> > > > >>
> > > > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote:
> > > > >> > Hello,
> > > > >> >
> > > > >> > This is a call for vote to release Apache Answer(Incubating) version
> > > > >> > v1.2.1-RC1.
> > > > >> >
> > > > >> > The vote thread:
> > > > >> > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6
> > > > >> >
> > > > >> > Vote Result:
> > > > >> > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj
> > > > >> >
> > > > >> > The release candidates:
> > > > >> >
> > > > >> > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/
> > > > >> >
> > > > >> > Release notes:
> > > > >> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> > > > >> >
> > > > >> > Git tag for the release:
> > > > >> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> > > > >> >
> > > > >> > Git commit id for the release:
> > > > >> >
> > > > >> > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef
> > > > >> >
> > > > >> > Keys to verify the Release Candidate:
> > > > >> > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS
> > > > >> >
> > > > >> > The vote will be open for at least 72 hours or until the necessary
> > > > >> > number of votes are reached.
> > > > >> >
> > > > >> > Please vote accordingly:
> > > > >> >
> > > > >> > [ ] +1 approve
> > > > >> > [ ] +0 no opinion
> > > > >> > [ ] -1 disapprove with the reason
> > > > >> >
> > > > >> > Checklist for reference:
> > > > >> >
> > > > >> > [ ] Download links are valid.
> > > > >> > [ ] Checksums and PGP signatures are valid.
> > > > >> > [ ] Source code distributions have correct names matching the current
> > > > >> > release.
> > > > >> > [ ] LICENSE and NOTICE files are correct for each Answer repo.
> > > > >> > [ ] All files have license headers if necessary.
> > > > >> > [ ] No unlicensed compiled archives bundled in source archive.
> > > > >> >
> > > > >> > To compile from the source, please refer to:
> > > > >> >
> > > > >> > https://github.com/apache/incubator-answer#building-from-source
> > > > >> >
> > > > >> > Thanks,
> > > > >> > LinkinStar
> > > > >>
> > > > >> --
> > > > >> Xuanwo
> > > >
> > > > --
> > > > Xuanwo

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
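
Added example, not part of the original thread or the project's release tooling: a checker for the "PGP signatures are valid" checklist item that separates the cases discussed above (signed by the release manager, valid but signed with someone else's key, signed with a key that has since expired, and signer key removed from KEYS). It reads the status lines of `gpg --status-fd 1 --verify`; the fingerprints, key ids, sample lines, verdict names and function names are constructed for illustration.

```python
import subprocess

def gpg_verify_status(homedir, keys_file, sig_file, artifact):
    """Import every key in KEYS into a throwaway keyring and return gpg's
    machine-readable status lines for one signature (requires gpg on PATH)."""
    base = ["gpg", "--batch", "--homedir", homedir]
    subprocess.run(base + ["--import", keys_file], check=True, capture_output=True)
    result = subprocess.run(base + ["--status-fd", "1", "--verify", sig_file, artifact],
                            capture_output=True, text=True)
    return result.stdout

def classify(status_text, rm_fingerprint):
    """Map gpg status lines to a checklist verdict plus the signer's primary fingerprint."""
    tags, signer = set(), None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tags.add(fields[1])
        if fields[1] == "VALIDSIG":
            # Last field is the primary-key fingerprint when present;
            # field 2 is the fingerprint of the (sub)key that made the signature.
            signer = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if "NO_PUBKEY" in tags:
        return "key-missing-from-KEYS", None
    if "VALIDSIG" not in tags or tags & {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPSIG"}:
        return "invalid", signer
    if signer != rm_fingerprint.replace(" ", "").upper():
        return "valid-but-not-release-manager", signer
    return ("valid-expired-key" if "EXPKEYSIG" in tags else "valid"), signer

# Constructed status output; fingerprints and key ids are made up for the example.
RM, OTHER = "A1" * 20, "B2" * 20

def _good(fpr, tag="GOODSIG"):
    return (f"[GNUPG:] {tag} {fpr[-16:]} Example Signer <signer@example.invalid>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2023-12-20 1703053500 0 4 0 1 10 00 {fpr}\n")

SAMPLES = {
    "rm_signed": _good(RM),                       # each RM signs with their own key
    "shared_key": _good(OTHER),                   # valid, but not the RM's key
    "legacy_expired": _good(RM, "EXPKEYSIG"),     # old release, key kept in KEYS
    "key_removed": "[GNUPG:] ERRSIG B2B2B2B2B2B2B2B2 1 10 00 1703053500 9\n"
                   "[GNUPG:] NO_PUBKEY B2B2B2B2B2B2B2B2\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text, RM))
```

With a real release, pass the output of `gpg_verify_status` (run against an empty temporary `homedir`) to `classify` together with the release manager's fingerprint obtained out of band.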