On 11/5/2018 1:41 AM, Peter Kovacs wrote:
> Source signing will be done tonight.
> Thanks Andrea for the detailed line-up.
> Also I hope all requirements are met in the second mail.
> However there seems to be a misunderstanding on Keith's side. It is not
> required to vote all test marks.
> It is required to fill in general and then what OS Version you have tested
> and if you have tested from source or not.
> Simone states in order to create a binding vote it has to be tested from
> source.
> We need 3 of those.
> Also we should have an overview which binaries have been reviewed.

Peter;

Below are the statements from your second vote thread that had me confused:

> In order to create a binding vote individuals are REQUIRED to
>
> * download all signed _source code_ packages onto their own hardware,
>
> * verify that they meet all requirements of ASF policy on releases
>   as described below,
>
> * validate all cryptographic signatures,
>
> * compile as provided, and test the result on their own platform.
>
> In order to create a normal vote individuals are REQUIRED to
>
> * download all signed _binary_ packages onto their own hardware,
>
> * verify that they meet all requirements of ASF policy on releases
>   as described below,
>
> * validate all cryptographic signatures,
>
> * compile as provided, and test the result on their own platform.
>

Looking at the above through the lens of a newcomer to the project wanting to participate in their first vote, the description of the requirements of a normal vote, as opposed to the binding vote described above it, requires that I download and compile the source. If that was not the intention you meant to convey I truly apologize. The description of the 2 types of possible votes did create confusion in the mind of at least this one individual.

Regards
Keith

> That is all.
> All the best
> Peter
>
> On 5 November 2018 00:22:33 CET, Matthias Seidel
> <matthias.sei...@hamburg.de> wrote:
>> Hi Andrea,
>>
>> On 05.11.18 at 00:07, Andrea Pescetti wrote:
>>> On 31/10/2018 Marcus wrote:
>>>> To make it an official vote I miss the following information:
>>>> - What exactly do we vote for (link to the source and binaries)?
>>>
>>> Yes please, let's try to be reasonably serious about releases: due to
>>> legal implications (among other things), there are some formalities
>>> that are required; nothing more than what we did for any other Release
>>> Candidate in history.
>>>
>>> I assume we are voting on (this is the only 4.1.6-RC1 available, but
>>> it needs to be recorded in the vote discussion!)
>>> https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/
>>>
>>>> - What is the time for the vote? Please more than just the normal 72
>>>> hours so that we all can use a weekend for more testing.
>>>
>>> Elsewhere Peter mentioned until Wednesday 7 November but again this
>>> should be in the vote thread (so, here).
>>>
>>> And most important: the Release Manager (Peter) must sign the source
>>> files. I've just spent a lot of time trying to make sense of various
>>> ways to have multiple signatures in one file, concluding that it is
>>> easy to do that for a binary signature, but it is a hack to do so for
>>> the ASCII-armored signatures we use.
>>>
>>> So, in short, Peter as the Release Manager should rectify things by:
>>>
>>> 1) Confirming that the URL and deadline above are correct
>>>
>>> 2) Replace, before the vote ends, current signatures with only his
>>> signature as follows:
>>>
>>> $ svn checkout https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/source
>>> $ rm *.asc
>>> $ gpg -a -b --digest-algo=SHA512 *.bz2
>>> $ gpg -a -b --digest-algo=SHA512 *.gz
>>> $ gpg -a -b --digest-algo=SHA512 *.zip
>>> $ svn commit
>>>
>>> About this second item, I see that Matthias concatenated his signature
>>> to Jim's one: this is possible for the binary format but GPG will
>>> complain if this is done for the ASCII format, and as you can see by
>>> searching the net there is no clean way to do it. I checked back in
>>> version 4.1.2 (that was signed by Juergen and me) and I found out that
>>> I had simply replaced Juergen's signature with mine in that case (I
>>> was the Release Manager for 4.1.2). We can do the same this time.
>>
>> I found double signatures in 4.1.3:
>> https://archive.apache.org/dist/openoffice/4.1.3/source/apache-openoffice-4.1.3-r1761381-src.zip.asc
>>
>> But yes, GPG complains about it and will only verify the first. So
>> Peter's signature should be the only one...
>>
>> (Of course he could also use our hash-sign.sh, which is fixed now for
>> SHA512).
>>
>> Regards,
>>
>> Matthias
>>
>>>
>>> Regards,
>>> Andrea.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
>>> For additional commands, e-mail: dev-h...@openoffice.apache.org
>>>
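
A structural check for the problem discussed in the thread (concatenated ASCII-armored signatures, of which GPG verifies only the first), as an added example that is not part of the original messages or of the project's scripts: it flags any package whose `.asc` is missing or holds anything other than exactly one signature block. The function names and the sample files are constructed for illustration, and the check complements, not replaces, verifying each signature with GPG.

```sh
#!/bin/sh
# Added example: audit detached-signature files in a release directory.
# ARMOR_BEGIN is the standard OpenPGP armor header line for a signature.
ARMOR_BEGIN='-----BEGIN PGP SIGNATURE-----'

# Print how many armored signature blocks the given .asc file contains.
count_sig_blocks() {
    # grep -c exits 1 when the count is 0; the count is still printed.
    grep -c -F -e "$ARMOR_BEGIN" "$1" || true
}

# Check every *.bz2, *.gz and *.zip in directory $1: each needs a matching
# .asc with exactly one signature block. Prints one line per problem and
# returns 1 if any problem was found, 0 otherwise.
check_release_sigs() {
    dir=$1
    bad=0
    for f in "$dir"/*.bz2 "$dir"/*.gz "$dir"/*.zip; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ ! -f "$f.asc" ]; then
            echo "MISSING   $f.asc"
            bad=1
            continue
        fi
        n=$(count_sig_blocks "$f.asc")
        if [ "$n" -ne 1 ]; then
            echo "BLOCKS=$n  $f.asc (expected exactly 1)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: empty "packages" and dummy signature bodies.
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/src.tar.bz2"; : > "$d/src.tar.gz"; : > "$d/src.zip"
    one_sig="$ARMOR_BEGIN
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----"
    printf '%s\n' "$one_sig" > "$d/src.tar.bz2.asc"                 # one block
    printf '%s\n%s\n' "$one_sig" "$one_sig" > "$d/src.tar.gz.asc"   # concatenated
    echo "$d"                                   # src.zip.asc left out on purpose
}

demo=$(make_demo_dir)
check_release_sigs "$demo" || echo "release directory needs attention"
rm -rf "$demo"
```
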