Hello Julian,

Yes, the artifacts are now automatically published and signed on the dev environment. The certificate was issued by the INFRA Team, and we received clearance from the security teams. From what I understand, this process is permitted in dev but not in dist, where artifacts must be signed manually. As a result, for the vote on automatically signed artifacts to be valid, the builds need to be reproducible. We have addressed this issue and should be able to sign the final artifacts without requiring an additional build.

This is our first attempt with this release process, so I hope everything will work fine.

Here is the discussion.
https://issues.apache.org/jira/browse/INFRA-25610

Best regards,

Bertil

> On 15 Nov 2024, at 00:52, Julian Hyde <jhyde.apa...@gmail.com> wrote:
>
> +1 jhyde (IPMC member)
>
> Downloaded, checked hashes and signatures, README, NOTICE, DISCLAIMER,
> compiled and ran tests on Ubuntu Linux using maven-3.8.1 and JDK 21. Ran
> apache-rat.
>
> I notice the artifacts are signed using key “priv...@baremaps.apache.org
> <mailto:priv...@baremaps.apahe.org>”, not a person. Is this an acceptable
> practice?
>
> Julian
>
>
>
>> On Nov 14, 2024, at 12:41 PM, Sébastien Riollet
>> <sebastien.riol...@camptocamp.com> wrote:
>>
>> +1
>>
>>> Hello Everyone,
>>>
>>> I have created a build for Apache Baremaps (incubating) 0.8.1, release
>>> candidate 2. In addition to the previous changes, I included the DISCLAIMER
>>> file and revised the baremaps-cli/src/license/override.properties file.
>>>
>>> You can read the release notes here:
>>> https://github.com/apache/incubator-baremaps/releases/tag/v0.8.1-rc2
>>>
>>> The commit to be voted upon:
>>> https://github.com/apache/incubator-baremaps/tree/v0.8.1-rc2
>>>
>>> Its tag is v0.8.1-rc2 and its hash is
>>> 861a5997c0bc5208142173df4725e6e1b18226d3.
>>>
>>> The artifacts to be voted on are located here:
>>> https://dist.apache.org/repos/dist/dev/incubator/baremaps/0.8.1-rc2/
>>>
>>> The hashes of the artifacts are as follows:
>>> 4f3402b16b51598ea2cea7c5343ddf77cf22049314d0a94f7946ed0d8d1698b3792b0fce1e5de55bb5cc1564187904f98634dd00ea21871eb579b0488a3507fc
>>> ./apache-baremaps-0.8.1-rc2-incubating-src.tar.gz
>>> 637953064f83af7d37099d2b2c73c3aa06ef3f74c06f464093fc205a5fc0812682ea16c4a5c8762c107bfacc286424fd5ca53e4f62c7a96fb1686de05d44910d
>>> ./apache-baremaps-0.8.1-rc2-incubating-bin.tar.gz
>>>
>>> Release candidate artifacts are signed automatically with the key
>>> (C81AC42AF2A7CACDF4C8A4F6936E280DF16599CB) created by the INFRA team:
>>> https://downloads.apache.org/incubator/baremaps/KEYS
>>>
>>> The README file for the src distribution contains instructions for
>>> building and testing the release.
>>>
>>> Please vote on releasing this package as Apache Baremaps 0.8.1.
>>>
>>> The vote is open for 72 hours starting on Monday. It passes if a majority
>>> of at least three +1 PMC votes are cast.
>>> [ ] +1 Release this package as Apache Baremaps 0.8.1
>>> [ ] 0 I don't feel strongly about it, but I'm okay with the release
>>> [ ] -1 Do not release this package because...
>>>
>>> Here is my vote:
>>> +1 (non-binding): checked the presence of the LICENSE, NOTICE, and
>>> DISCLAIMER files in src and bin; built from source; executed the binary
>>> distribution; checked the checksums; checked the signatures.
>>>
>>> Best regards,
>>>
>>> Bertil
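The two checks this thread relies on for an automatically signed candidate, as an added example (not code from the Baremaps project or from anyone in this thread): compare your own rebuild against the published SHA-512 listing, and pin the signature to the fingerprint stated in the vote e-mail. Function names and the sample `gpg --status-fd` text are constructed for illustration.

```python
import hashlib
import re

# Fingerprint of the INFRA-created signing key, as stated in the vote e-mail.
EXPECTED_FPR = "C81AC42AF2A7CACDF4C8A4F6936E280DF16599CB"

# Constructed sample of `gpg --status-fd 1 --verify <artifact>.asc <artifact>` output.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR
    + " 2024-11-14 1731585600 0 4 0 1 10 00 " + EXPECTED_FPR + "\n"
)

def parse_sha512_listing(text):
    """Map artifact name -> SHA-512, tolerating '>' mail quoting and line wrapping."""
    listing, digest = {}, None
    for line in text.splitlines():
        for tok in re.sub(r"^[>\s]+", "", line).split():
            if re.fullmatch(r"[0-9a-fA-F]{128}", tok):
                digest = tok.lower()          # a digest; its file name follows
            elif digest:
                listing[tok.lstrip("*").removeprefix("./")] = digest
                digest = None
    return listing

def sha512_file(path):
    """Stream a file through SHA-512 so large tarballs are not loaded whole."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def rebuild_matches(listing, rebuilt):
    """rebuilt maps artifact name -> path of the voter's own build output.
    A missing or differing artifact is False: the build was not reproduced."""
    return {name: name in rebuilt and sha512_file(rebuilt[name]) == digest
            for name, digest in listing.items()}

def signed_by(gpg_status, expected_fpr=EXPECTED_FPR):
    """True only if a VALIDSIG line names expected_fpr as signing or primary key."""
    for line in gpg_status.splitlines():
        f = line.split()
        if f[:2] == ["[GNUPG:]", "VALIDSIG"] and len(f) >= 3:
            if expected_fpr.upper() in {f[2].upper(), f[-1].upper()}:
                return True
    return False
```

Matching on the full fingerprint rather than the signer's name or e-mail address is what ties a non-personal key to the entry published in KEYS.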