> Your suggestion is great, thanks again for your help and Xuanwo.

I'm happy to help you. Looking forward to your next VOTE.

On Wed, Dec 20, 2023, at 16:35, LinkinStar wrote:
> Hello Sheng Wu,
>
> Your suggestion is great, thanks again for your help and Xuanwo. We're
> already in the process of fixing the release process documentation and I
> will cancel this vote.
>
> Best regards,
> LinkinStar
>
> On Wed, Dec 20, 2023 at 4:26 PM Sheng Wu <wu.sheng.841...@gmail.com> wrote:
>
>> Glad to help.
>> Suggest canceling this vote, and enhancing your release process doc,
>> then, start a new one with a correct signature from the release
>> manager.
>> Notice, don't remove anyone's KEY from KEYS, ever, even if it is expired.
>> People may need them to verify your legacy releases in the future.
>>
>> Sheng Wu 吴晟
>> Twitter, wusheng1108
>>
>> LinkinStar <linkins...@apache.org> wrote on Wed, Dec 20, 2023 at 15:53:
>> >
>> > Hello Sheng Wu,
>> >
>> > Yes, I misunderstood. I thought KEYS can only contain one public key, no
>> > other public keys are allowed to exist at the same time. That's why I was
>> > forced to do this signature. It helped me solve a real problem. Thanks a
>> > lot.
>> >
>> > Best regards,
>> > LinkinStar
>> >
>> > On Wed, Dec 20, 2023 at 3:45 PM Sheng Wu <wu.sheng.841...@gmail.com> wrote:
>> >
>> > > KEYS is for all existing public keys, not for a specific
>> > > individual. Are you misunderstanding this?
>> > >
>> > > Sheng Wu 吴晟
>> > > Twitter, wusheng1108
>> > >
>> > > LinkinStar <linkins...@apache.org> wrote on Wed, Dec 20, 2023 at 15:31:
>> > > >
>> > > > Hi Xuanwo,
>> > > >
>> > > > Thank you very much for your suggestions. I'm very sorry, perhaps my
>> > > > understanding of the release signature is a little misguided. This is
>> > > > because we feel that there can only be one download address for KEYS, e.g.
>> > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If there
>> > > > can only be one public key, then there can only be one private key. So we
>> > > > previously felt that all published content can always have only one private
>> > > > key to sign. That's why we use this mode. Because we would think that if a
>> > > > different person were to sign it, then the public key would change and the
>> > > > previous release would not be verified. For example, the A RM signed the
>> > > > released version 1.0.0. The B RM signed the released version 1.1.0. If B
>> > > > replaces the public key
>> > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then
>> > > > version 1.0.0 will fail to verify it if you use the same public key.
>> > > >
>> > > > Best regards,
>> > > > LinkinStar
>> > > >
>> > > > On Wed, Dec 20, 2023 at 3:06 PM Xuanwo <xua...@apache.org> wrote:
>> > > >
>> > > > > > Regarding the signature issue you mentioned, only release manager and joyqi
>> > > > > > know the secret GPG keys. This is to ensure that no matter what the problem
>> > > > > > is, there is someone available to help resolve issues that arise in the
>> > > > > > release.
>> > > > >
>> > > > > I feel like it's better to use different gpg keys that are owned by RM
>> > > > > themselves.
>> > > > >
>> > > > > As the community expands, we'll welcome new PPMC members and Release
>> > > > > Managers (RMs) from outside your company. Regarding security, it's risky
>> > > > > for RMs to share GPG keys. In terms of community independence, the release
>> > > > > process should not be overly reliant on joyqi. Should joyqi be unavailable
>> > > > > or preoccupied, can the release process continue without interruption?
>> > > > >
>> > > > > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote:
>> > > > > > Hi Xuanwo,
>> > > > > >
>> > > > > > Firstly, these files in the vaunt folder are reward badges for user
>> > > > > > contributions. For now, we are using it.
>> > > > > > Regarding the signature issue you mentioned, only release manager and joyqi
>> > > > > > know the secret GPG keys. This is to ensure that no matter what the problem
>> > > > > > is, there is someone available to help resolve issues that arise in the
>> > > > > > release.
>> > > > > >
>> > > > > > Best regards,
>> > > > > > LinkinStar
>> > > > > >
>> > > > > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo <xua...@apache.org> wrote:
>> > > > > >
>> > > > > >> Hi,
>> > > > > >>
>> > > > > >> I found those images are included in source tarball:
>> > > > > >>
>> > > > > >> - .vaunt/bug.png
>> > > > > >> - .vaunt/enhancement.png
>> > > > > >>
>> > > > > >> Are they needed by users? Is it possible to remove them from the src
>> > > > > >> release?
>> > > > > >>
>> > > > > >> Regarding PGP signatures, I'm confident that all are valid. But I found
>> > > > > >> that those tarball are signed by jo...@apache.org which is not the
>> > > > > >> release manager.
>> > > > > >>
>> > > > > >> Are you internally sharing jo...@apache.org's secret GPG keys? Or have
>> > > > > >> you signed those tarballs through CI with the key stored as GitHub
>> > > > > >> secrets?
>> > > > > >>
>> > > > > >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote:
>> > > > > >> > Hello,
>> > > > > >> >
>> > > > > >> >     This is a call for vote to release Apache Answer (Incubating) version
>> > > > > >> > v1.2.1-RC1.
>> > > > > >> >
>> > > > > >> >     The vote thread:
>> > > > > >> >     https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6
>> > > > > >> >
>> > > > > >> >     Vote Result:
>> > > > > >> >     https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj
>> > > > > >> >
>> > > > > >> >     The release candidates:
>> > > > > >> >     https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/
>> > > > > >> >
>> > > > > >> >     Release notes:
>> > > > > >> >     https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
>> > > > > >> >
>> > > > > >> >     Git tag for the release:
>> > > > > >> >     https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
>> > > > > >> >
>> > > > > >> >     Git commit id for the release:
>> > > > > >> >     https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef
>> > > > > >> >
>> > > > > >> >     Keys to verify the Release Candidate:
>> > > > > >> >     https://dist.apache.org/repos/dist/release/incubator/answer/KEYS
>> > > > > >> >
>> > > > > >> >     The vote will be open for at least 72 hours or until the necessary
>> > > > > >> > number of votes are reached.
>> > > > > >> >
>> > > > > >> >     Please vote accordingly:
>> > > > > >> >
>> > > > > >> >     [ ] +1 approve
>> > > > > >> >     [ ] +0 no opinion
>> > > > > >> >     [ ] -1 disapprove with the reason
>> > > > > >> >
>> > > > > >> >     Checklist for reference:
>> > > > > >> >
>> > > > > >> >     [ ] Download links are valid.
>> > > > > >> >     [ ] Checksums and PGP signatures are valid.
>> > > > > >> >     [ ] Source code distributions have correct names matching the current
>> > > > > >> > release.
>> > > > > >> >     [ ] LICENSE and NOTICE files are correct for each Answer repo.
>> > > > > >> >     [ ] All files have license headers if necessary.
>> > > > > >> >     [ ] No unlicensed compiled archives bundled in source archive.
>> > > > > >> >
>> > > > > >> >     To compile from the source, please refer to:
>> > > > > >> >     https://github.com/apache/incubator-answer#building-from-source
>> > > > > >> >
>> > > > > >> > Thanks,
>> > > > > >> > LinkinStar
>> > > > > >>
>> > > > > >> --
>> > > > > >> Xuanwo
>> > > > > >>
>> > > > > >>
>> > > > > >> ---------------------------------------------------------------------
>> > > > > >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> > > > > >> For additional commands, e-mail: general-h...@incubator.apache.org
>> > > > > >>
>> > > > > >>
>> > > > >
>> > > > > --
>> > > > > Xuanwo
>> > > > >

-- 
Xuanwo
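
The point made in the quoted replies (KEYS holds every release manager's public key, and old keys stay so that legacy releases remain verifiable), as an added example that is not part of the thread or of the project's release tooling. The keys, user ids and file names are constructed, and it assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway keys, user ids and files; not the project's real KEYS.

# Create an unprotected throwaway signing key for user id $2 in keyring dir $1.
make_key() {
  mkdir -p "$1" && chmod 700 "$1"
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" ed25519 sign never 2>/dev/null
}

# Write a detached, armored signature $2.asc with the only secret key in $1.
sign_release() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

# Verify $2 against $2.asc with a fresh keyring holding only the keys in file $1.
verify_with_keys() {
  home=$(mktemp -d); rc=0
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null || rc=$?
  gpg --homedir "$home" --batch --quiet --verify "$2.asc" "$2" 2>/dev/null || rc=$?
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  return "$rc"
}

# Checks appended KEYS vs 1.0.0 and 1.1.0, then replaced KEYS vs both.
# Prints: ok ok FAIL ok
demo() {
  w=$(mktemp -d); out=""
  make_key "$w/rm_a" "RM A (constructed) <rm-a@example.invalid>"
  make_key "$w/rm_b" "RM B (constructed) <rm-b@example.invalid>"
  echo "release 1.0.0" > "$w/answer-1.0.0.tar.gz"
  echo "release 1.1.0" > "$w/answer-1.1.0.tar.gz"
  sign_release "$w/rm_a" "$w/answer-1.0.0.tar.gz"   # RM A signs 1.0.0
  sign_release "$w/rm_b" "$w/answer-1.1.0.tar.gz"   # RM B signs 1.1.0
  # Appended KEYS keeps every RM's public key; KEYS.replaced keeps only RM B's.
  gpg --homedir "$w/rm_a" --armor --export  > "$w/KEYS" 2>/dev/null
  gpg --homedir "$w/rm_b" --armor --export >> "$w/KEYS" 2>/dev/null
  gpg --homedir "$w/rm_b" --armor --export  > "$w/KEYS.replaced" 2>/dev/null
  for f in KEYS:1.0.0 KEYS:1.1.0 KEYS.replaced:1.0.0 KEYS.replaced:1.1.0; do
    if verify_with_keys "$w/${f%%:*}" "$w/answer-${f##*:}.tar.gz"
    then out="$out ok"; else out="$out FAIL"; fi
  done
  gpgconf --homedir "$w/rm_a" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$w/rm_b" --kill gpg-agent 2>/dev/null || true
  rm -rf "$w"
  echo "${out# }"
}
```

Source the file and call `demo`: the third result is the legacy 1.0.0 release failing to verify once RM A's key has been replaced rather than appended to.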
