Hi Yong, Yes, the files can be different in dev and releases directory, but the artifact files prepared for releases should be signed using key exist in both directories. If PMC are vetting on release artifacts [1], including validating the signature, it needs to use the same key to sign it.
Preferable the KEYS file should be the same bc I am not sure in what scenarios they should be different. - Henry [1] http://www.apache.org/legal/release-policy.html#release-definition On Wed, Mar 10, 2021 at 6:01 PM Yong Zhang <zhangyong1025...@gmail.com> wrote: > Thanks Penghui. > > Henry, > the /dev/ directory can be accessed by all committers, so the committers > can add themself keys into the KEYS file. But the /release/ directory only > can be accessed by PMCs, the committers need to let PMC help to add > their key into the release directory. It's ok if the KEYS file is > different, we > only need to make sure the signed key exists in both files. > > On Wed, 10 Mar 2021 at 03:24, Henry Saputra <henry.sapu...@gmail.com> > wrote: > > > Why does the KEYS file for /dev/ is different from the one in /release/ > > directory? > > > > When users download the artifact they will verify against the one in > > /release/ directory, right? > > > > - Henry > > > > On Tue, Mar 9, 2021 at 2:48 AM Yong Zhang <zhangyong1025...@gmail.com> > > wrote: > > > > > For the signature issue, I think we should use this keys > > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS > > > > > > I updated the Pulsar release process > > > https://github.com/apache/pulsar/wiki/Release-process#8-run-the-vote > > > > > > The keys in the file > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS > > > are the PMC keys. They have permission to promote a candidate > > > release to a stable release. > > > > > > For the docker image build, it's might an issue but it's not a block > > > for releasing 2.7.1. As you see in the release process. We usually > > > build an image from the GitHub repository, not the source tarball. > > > > > > On Tue, 9 Mar 2021 at 15:36, Enrico Olivelli <eolive...@gmail.com> > > wrote: > > > > > > > Yong, > > > > I cannot build the docker image from the sources extracted by the > > > > source tarball. > > > > > > > > This is probably a big issue, because as I cannot build the docker > > > > image I cannot run tests on downstream applications. > > > > > > > > I am not sure this was possible with 2.7.0, so I don't know if this > is > > > > a blocker for the release > > > > > > > > What can we do in order to test the docker image ? > > > > > > > > Enrico > > > > > > > > > > > > > > > > Executing command line: > > > > > > > > > > > > > > [/Users/enrico.olivelli/Downloads/pulsar271/pulsar-2.7.1-candidate-1/apache-pulsar-2.7.1/docker/pulsar/../../pulsar-client-cpp/docker/build-wheels.sh, > > > > 3.7 cp37-cp37m] > > > > > > > > fatal: not a git repository (or any of the parent directories): .git > > > > > > > > [INFO] --- exec-maven-plugin:1.6.0:exec > > > > (build-pulsar-clients-python-35) @ pulsar-docker-image --- > > > > > > > > fatal: not a git repository (or any of the parent directories): .git > > > > > > > > [ERROR] Command execution failed. > > > > > > > > org.apache.commons.exec.ExecuteException: Process exited with an > > > > error: 128 (Exit value: 128) > > > > > > > > at org.apache.commons.exec.DefaultExecutor.executeInternal > > > > (DefaultExecutor.java:404) > > > > > > > > at org.apache.commons.exec.DefaultExecutor.execute > > > > (DefaultExecutor.java:166) > > > > > > > > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine > > > > (ExecMojo.java:804) > > > > > > > > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine > > > > (ExecMojo.java:751) > > > > > > > > at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:313) > > > > > > > > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > > > > (DefaultBuildPluginManager.java:137) > > > > > > > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > > > (MojoExecutor.java:210) > > > > > > > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > > > (MojoExecutor.java:156) > > > > > > > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > > > (MojoExecutor.java:148) > > > > > > > > at > > > > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > > > (LifecycleModuleBuilder.java:117) > > > > > > > > at > > > > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > > > (LifecycleModuleBuilder.java:81) > > > > > > > > at > > > > > > > > > > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > > > > (SingleThreadedBuilder.java:56) > > > > > > > > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > > > > (LifecycleStarter.java:128) > > > > > > > > at org.apache.maven.DefaultMaven.doExecute > (DefaultMaven.java:305) > > > > > > > > at org.apache.maven.DefaultMaven.doExecute > (DefaultMaven.java:192) > > > > > > > > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > > > > > > > > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957) > > > > > > > > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289) > > > > > > > > at org.apache.maven.cli.MavenCli.main (MavenCli.java:193) > > > > > > > > at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native > > > > Method) > > > > > > > > at jdk.internal.reflect.NativeMethodAccessorImpl.invoke > > > > (NativeMethodAccessorImpl.java:62) > > > > > > > > at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke > > > > (DelegatingMethodAccessorImpl.java:43) > > > > > > > > at java.lang.reflect.Method.invoke (Method.java:566) > > > > > > > > at > org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > > > > (Launcher.java:282) > > > > > > > > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > > > > (Launcher.java:225) > > > > > > > > at > > org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > > > > (Launcher.java:406) > > > > > > > > at org.codehaus.plexus.classworlds.launcher.Launcher.main > > > > (Launcher.java:347) > > > > > > > > Il giorno mar 9 mar 2021 alle ore 08:04 Enrico Olivelli > > > > <eolive...@gmail.com> ha scritto: > > > > > > > > > > Yong, > > > > > I cannot find your signature at > > > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS > > > > > > > > > > can you please add yourself ? > > > > > otherwise I cannot validate the digital signatures of the artifacts > > > > > > > > > > Thanks > > > > > Enrico > > > > > > > > > > Il giorno lun 8 mar 2021 alle ore 05:41 Yong Zhang < > y...@apache.org> > > > ha > > > > scritto: > > > > > > > > > > > > Hi all. > > > > > > > > > > > > This is the first release candidate for Apache Pulsar, version > > 2.X.0. > > > > > > > > > > > > It fixes the following issues: > > > > > > > > > > > > > > > > https://github.com/apache/pulsar/pulls?page=1&q=is%3Apr+label%3Arelease%2F2.7.1+is%3Aclosed+-label%3Acomponent%2Fdocumentation > > > > > > > > > > > > *** Please download, test and vote on this release. This vote > will > > > > stay open > > > > > > for at least 72 hours *** > > > > > > > > > > > > Note that we are voting upon the source (tag), binaries are > > provided > > > > for > > > > > > convenience. > > > > > > > > > > > > Source and binary files: > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/pulsar/pulsar-2.7.1-candidate-1/ > > > > > > > > > > > > SHA-1 checksums: > > > > > > > > > > > > 8534bcac8cdc4cd54b99d721fac6e7b3abe4b9a2 > > > > apache-pulsar-2.7.1-bin.tar.gz > > > > > > a4c2f74481d066cb51822d9d54fc59e18033c773 > > > > apache-pulsar-2.7.1-src.tar.gz > > > > > > > > > > > > Maven staging repo: > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachepulsar-1079 > > > > > > > > > > > > The tag to be voted upon: > > > > > > v2.7.1-candidate-1 (8ea4a39dc8bf6f2f23a160688bb70a80f6acfd4d) > > > > > > https://github.com/apache/pulsar/releases/tag/v2.7.1-candidate-1 > > > > > > > > > > > > Pulsar's KEYS file containing PGP keys we use to sign the > release: > > > > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS > > > > > > > > > > > > Please download the the source package, and follow the README to > > > build > > > > > > and run the Pulsar standalone service. > > > > > > > > > >
