> I strongly recommend that you include the full fingerprint of the
> signing KEY in the KEYS file as well as the key ID. See [1] for an
> example where some of the keys have this. A few years ago an attack was
> demonstrated ([2], [3]) that showed it was possible to create collisions
> in the key ID. Using the full fingerprint mitigates this attack.

I have updated the KEYS file with the full fingerprint added.

> No concerns with the file name used. Just a comment that the usual
> naming convention would be:
> apache-dubbo-incubating-2.6.2-src.zip

Will follow the naming convention for the next release.

> I'd suggest including the .gitignore file in the src release.

Will also add it in the next release.

> I was a little surprised that the binary bundle was just the JARs rather
> than something that a user could unpack and run via dubbo.sh /
> dubbo.bat. There isn't anything wrong with this, just not what I am used to.

Sure, it would be better to have a package that lets users start their Dubbo journey quickly, for example packed samples or quick-start guides that can be launched by a start.sh. We are preparing these samples and plan to replace the current binary release with them in the next release.

Best regards,
Jun

> On 4 Jun 2018, at 4:05 PM, Mark Thomas <ma...@apache.org> wrote:
>
> Checks:
>
> Source bundle:
> - Hash and signature are correct
> - Hash of tag matches the hash quoted in the release vote mail
> - Contents of git tag match src bundle except for .gitignore file
> - Maven build passes
> - LICENSE and NOTICE look correct for source bundle
> - LICENSE and NOTICE look correct for binary bundle
>
> +1 to release
>
>
> I have the following minor review comments (none of which warrant
> another RC):
>
> I strongly recommend that you include the full fingerprint of the
> signing KEY in the KEYS file as well as the key ID. See [1] for an
> example where some of the keys have this. A few years ago an attack was
> demonstrated ([2], [3]) that showed it was possible to create collisions
> in the key ID. Using the full fingerprint mitigates this attack.
>
> No concerns with the file name used. Just a comment that the usual
> naming convention would be:
> apache-dubbo-incubating-2.6.2-src.zip
>
> I'd suggest including the .gitignore file in the src release.
>
> I was a little surprised that the binary bundle was just the JARs rather
> than something that a user could unpack and run via dubbo.sh /
> dubbo.bat. There isn't anything wrong with this, just not what I am used to.
>
> Mark
>
>
> [1] https://dist.apache.org/repos/dist/release/tomcat/tomcat-9/KEYS
> [2] http://pgp.mit.edu/pks/lookup?op=get&search=0x10C01C5A2F6059E7
> [3] http://pgp.mit.edu/pks/lookup?op=get&search=0xB6FB7A022F6059E7
>
> On 29/05/18 09:47, Jun Liu wrote:
>> Hello All,
>>
>> This is a call for vote to release Apache Dubbo (Incubating) version 2.6.2.
>>
>> The Apache Dubbo community has voted on and approved a proposal to release
>> Apache Dubbo (Incubating) version 2.6.2.
>>
>> We now kindly request the Incubator PMC members review and vote on this
>> incubator release.
>>
>> Apache Dubbo™ (incubating) is a high-performance, Java-based, open source
>> RPC framework. Dubbo offers three key functionalities, which include
>> interface-based remote call, fault tolerance & load balancing, and automatic
>> service registration & discovery.
>>
>> Dubbo vote thread:
>> https://lists.apache.org/thread.html/38560cb159a5c32d0cf98485c9fe791505fbc52d18d86a37713582f0@%3Cdev.dubbo.apache.org%3E
>>
>> Dubbo vote result thread:
>> https://lists.apache.org/thread.html/0b1e022a32e136ff0a9b42e7ef7da5ccc7d256d175394c2d5858f1cf@%3Cdev.dubbo.apache.org%3E
>>
>> The release candidates:
>> https://dist.apache.org/repos/dist/dev/incubator/dubbo/2.6.2
>>
>> Git tag for the release:
>> https://github.com/apache/incubator-dubbo/tree/dubbo-2.6.2
>>
>> Hash for the release tag:
>> 5eeb240337ccfbc820d4bde023d8cf643f33d735
>>
>> Release Notes:
>> https://github.com/apache/incubator-dubbo/blob/2.6.2-release/CHANGES.md
>>
>> The artifacts have been signed with Key: 28681CB1, which can be found in
>> the keys file:
>> https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS
>>
>> The vote will be open for at least 72 hours or until the necessary number of
>> votes is reached.
>>
>> Please vote accordingly:
>> [ ] +1 approve
>> [ ] +0 no opinion
>> [ ] -1 disapprove with the reason
>>
>> Thanks.
>> Jun Liu,
>> on behalf of The Apache Dubbo (Incubating) Team
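Mark's point about key-ID collisions, as an added illustration that is not code from this thread or from the Dubbo project: an OpenPGP v4 key ID is just the tail of the fingerprint, so the two keys behind references [2] and [3] (long IDs 0x10C01C5A2F6059E7 and 0xB6FB7A022F6059E7) share the short ID 2F6059E7, and only a verifier that pins the full fingerprint from the KEYS file tells them apart. The KEYS fragment and the first 24 hex digits of each fingerprint are constructed; only the trailing 16 digits are the IDs quoted in the thread.

```python
import re

# Constructed KEYS-file fragment in `gpg --fingerprint` style. The first 24 hex
# digits of each fingerprint are made up; the last 16 are the long key IDs from
# references [2] and [3] in the thread, which collide on the short ID 2F6059E7.
KEYS_TEXT = """\
pub   rsa2048 2014-06-01 [SC]
      Key fingerprint = 0000 1111 2222 3333 4444 5555 10C0 1C5A 2F60 59E7
uid           Example Signer <signer@example.invalid>

pub   rsa2048 2014-06-01 [SC]
      Key fingerprint = AAAA BBBB CCCC DDDD EEEE FFFF B6FB 7A02 2F60 59E7
uid           Look-alike Key <lookalike@example.invalid>
"""

FPR_RE = re.compile(r"Key fingerprint\s*=\s*((?:[0-9A-Fa-f]{4}\s*){10})")

def parse_fingerprints(keys_text):
    """Return every 40-hex-digit fingerprint listed in a KEYS file."""
    return [re.sub(r"\s", "", m).upper() for m in FPR_RE.findall(keys_text)]

def normalize(identifier):
    """Strip spaces and an optional 0x prefix, upper-case the hex digits."""
    return re.sub(r"\s|^0[xX]", "", identifier).upper()

def short_key_id(fpr):
    """32-bit key ID: the last 8 hex digits of a v4 fingerprint."""
    return fpr[-8:]

def long_key_id(fpr):
    """64-bit key ID: the last 16 hex digits of a v4 fingerprint."""
    return fpr[-16:]

def match_keys(fingerprints, identifier):
    """All keys whose fingerprint ends with the identifier (suffix matching,
    which is what makes a short key ID ambiguous)."""
    ident = normalize(identifier)
    return [f for f in fingerprints if f.endswith(ident)]

def resolve_signing_key(fingerprints, identifier):
    """Release-verification policy: accept only a full fingerprint that
    selects exactly one key in KEYS; reject key IDs outright."""
    ident = normalize(identifier)
    if len(ident) != 40:
        raise ValueError("pin the full 40-hex fingerprint, not a key ID")
    hits = match_keys(fingerprints, ident)
    if len(hits) != 1:
        raise ValueError("signing key not found in KEYS")
    return hits[0]
```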