Hi Cos, > Which tells me that the private key is simply shared by a number of the > committers. And there's no guarantee that it hasn't been leaked outside of > the group. And that's pretty serious security flaw, actually.
That’s not the case. Sam signed and did final technical steps preparing the RC3. I took care of other formalities. Personally, did expect this to be an issue. Agree, let’s fix the process making sure the release manager signs bundles all the times. > - why every other RC Vote is started by a different person? Summer time, vacations, day offs… — Denis > On Jul 22, 2017, at 1:26 PM, Konstantin Boudnik <c...@apache.org> wrote: > > Retracting this, found the KEYS (douh...). Still > > -1 (binding). The release isn't signed by the release manager. Someone else > key is used. > > - Checked the sha1 > - Successfully ran the build > - Checked the signature > - The archive is signed by the key 593A743B belonging to sboi...@apache.org. > However, none of the 2.1.0 RC [VOTE] attempts were started by this person. > Which tells me that the private key is simply shared by a number of the > committers. And there's no guarantee that it hasn't been leaked outside of > the group. And that's pretty serious security flaw, actually. > > Why the release managers aren't using their own keys? It is easy to generate > and sign the keys following guidelines [1]. Committers' keys are easy to > validate against the Apache repository [2] > > Things that need to be improved in the next release: > - neither sha1 nor md5 are trustful checksum'ing methods and aren't > guaranteeing the authenticity of the source archive. We should be switching > to at least sha265 or higher. This has been brought up since the incubation. > And warrants for -1 in the next release. > - why every other RC Vote is started by a different person? > > With regards, > Cos > > [1] https://people.apache.org/keys/committer/ > [2] > https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys > > On Sat, Jul 22, 2017 at 01:00PM, Konstantin Boudnik wrote: >> Am I missing the location of the signing keys? I cannot verivy the signature >> of the archive. >> >> -1 (binding) until then. >> >> Thanks >> Cos >> >> On Thu, Jul 20, 2017 at 03:34PM, Denis Magda wrote: >>> Igniters, >>> >>> Setting off the vote one more time. Hope I’ll be successful this time, >>> keeping fingers crossed :) >>> >>> We have uploaded a 2.1.0 release candidate to >>> https://dist.apache.org/repos/dist/dev/ignite/2.1.0-rc3/ >>> >>> Git tag name is >>> 2.1.0-rc3 >>> >>> This release includes the following changes: >>> >>> Ignite: >>> * Persistent cache store >>> * Added IgniteFuture.listenAsync() and IgniteFuture.chainAsync() mehtods >>> * Deprecated IgniteConfiguration.marshaller >>> * Updated Lucene dependency to version 5.5.2 >>> * Machine learning: implemented K-means clusterization algorithm optimized >>> for distributed storages >>> * SQL: CREATE TABLE and DROP TABLE commands support >>> * SQL: New thin JDBC driver >>> * SQL: Improved performance of certain queries, when affinity node can be >>> calculated in advance >>> * SQL: Fixed return type of AVG() function >>> * SQL: BLOB type support added to thick JDBC driver >>> * SQL: Improved LocalDate, LocalTime and LocalDateTime support for Java 8 >>> * SQL: Added FieldsQueryCursor interface to get fields metadata for >>> SqlFieldsQuery >>> * ODBC: Implemented DML statement batching >>> * Massive performance and stability improvements >>> >>> Ignite.NET: >>> * Automatic remote assembly loading >>> * NuGet-based standalone node deployment >>> * Added conditional data removeal via LINQ DeleteAll >>> * Added TimestampAttribute to control DateTime serialization mode >>> * Added local collections joins support to LINQ. >>> >>> Ignite CPP: >>> * Added Compute::Call and Compute::Broadcast methods >>> >>> Web Console: >>> * Implemented support for UNIQUE indexes for key fields on import model >>> from RDBMS >>> * Added option to show full stack trace on Queries screen >>> * Added PK alias generation on Models screen. >>> >>> Complete list of closed issues: >>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20IGNITE%20AND% >>> 20fixVersion%20%3D%202.1%20AND%20(status%20%3D%20closed%20or%20status%20%3D% >>> 20resolved) >>> >>> DEVNOTES >>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=DEVNOTES.txt;hb=refs/tags/2.1.0-rc3 >>> >>> RELEASE NOTES >>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=RELEASE_NOTES.txt;hb=refs/tags/2.1.0-rc3 >>> >>> Please start voting. >>> >>> +1 - to accept Apache Ignite 2.1.0-rc3 >>> 0 - don't care either way >>> -1 - DO NOT accept Apache Ignite 2.1.0-rc3 (explain why) >>> >>> This vote will go for 72 hours. >>> >>> — >>> Denis >>> > >
