Checks: Source bundle: - Hash and signature are correct - Hash of tag matches the hash quoted in the release vote mail - Contents of git tag match src bundle except for .gitignore file - Maven build passes - LICENSE and NOTICE look correct for source bundle - LICENSE and NOTICE look correct for binary bundle
+1 to release I have the following minor review comments (none of which warrant another RC): I strongly recommend that you include the full fingerprint of the signing KEY in the KEYS file as well as the key ID. See [1] for an example where some of the keys have this. A few years ago an attack was demonstrated ([2], [3]) that show it was possible to create collisions in the key ID. Using the full fingerprint mitigates this attack. No concerns with the file name used. Just a comment that the usual naming convention would be: apache-dubbo-incubating-2.6.2-src.zip I'd suggest including the .gitignore file in the src release. I was a little surprised that the binary bundle was just the JARs rather than something that a user could unpack and run via dubbo.sh / dubbo.bat. There isn't anything wring with this, just not what I am used to. Mark [1] https://dist.apache.org/repos/dist/release/tomcat/tomcat-9/KEYS [2] http://pgp.mit.edu/pks/lookup?op=get&search=0x10C01C5A2F6059E7 [3] http://pgp.mit.edu/pks/lookup?op=get&search=0xB6FB7A022F6059E7 On 29/05/18 09:47, Jun Liu wrote: > Hello All, > > This is a call for vote to release Apache Dubbo (Incubating) version 2.6.2. > > The Apache Dubbo community has voted on and approved a proposal to release > Apache Dubbo (Incubating) version 2.6.2. > > We now kindly request the Incubator PMC members review and vote on this > incubator release. > > Apache Dubbo™ (incubating) is a high-performance, java based, open source RPC > framework. Dubbo offers three key functionalities, which include interface > based remote call, fault tolerance & load balancing, and automatic service > registration & discovery. > > Dubbo vote thread: > https://lists.apache.org/thread.html/38560cb159a5c32d0cf98485c9fe791505fbc52d18d86a37713582f0@%3Cdev.dubbo.apache.org%3E > > <https://lists.apache.org/thread.html/38560cb159a5c32d0cf98485c9fe791505fbc52d18d86a37713582f0@%3Cdev.dubbo.apache.org%3E> > > Dubbo vote result thread: > https://lists.apache.org/thread.html/0b1e022a32e136ff0a9b42e7ef7da5ccc7d256d175394c2d5858f1cf@%3Cdev.dubbo.apache.org%3E > > <https://lists.apache.org/thread.html/0b1e022a32e136ff0a9b42e7ef7da5ccc7d256d175394c2d5858f1cf@%3Cdev.dubbo.apache.org%3E> > > The release candidates: > https://dist.apache.org/repos/dist/dev/incubator/dubbo/2.6.2 > <https://dist.apache.org/repos/dist/dev/incubator/dubbo/2.6.2> > > Git tag for the release: > https://github.com/apache/incubator-dubbo/tree/dubbo-2.6.2 > <https://github.com/apache/incubator-dubbo/tree/dubbo-2.6.2> > > Hash for the release tag: > 5eeb240337ccfbc820d4bde023d8cf643f33d735 > > Release Notes: > https://github.com/apache/incubator-dubbo/blob/2.6.2-release/CHANGES.md > <https://github.com/apache/incubator-dubbo/blob/2.6.2-release/CHANGES.md> > > The artifacts have been signed with Key : 28681CB1, which can be found in the > keys file: > https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS > <https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS> > > The vote will be open for at least 72 hours or until necessary number of > votes are reached. > > Please vote accordingly: > [ ] +1 approve > [ ] +0 no opinion > [ ] -1 disapprove with the reason > > Thanks. > Jun Liu, > on behalf of The Apache Dubbo (Incubating) Team > --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
