Hi Xuanwo,

Thank you very much for your suggestions. I'm very sorry, perhaps my understanding of the release signature is a little misguided. This is because we feel that there can only be one download address for KEYS, e.g. https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If there can only be one public key, then there can only be one private key. So we previously felt that all published content can always have only one private key to sign. That's why we use this mode. Because we would think that if a different person were to sign it, then the public key would change and the previous release would not be verified.

For example, RM A signed the released version 1.0.0. RM B signed the released version 1.1.0. If B replaces the public key https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then version 1.0.0 will fail to verify if you use the same public key.

Best regards,
LinkinStar

On Wed, Dec 20, 2023 at 3:06 PM Xuanwo <xua...@apache.org> wrote:

> > Regarding the signature issue you mentioned, only release manager and joyqi
> > know the secret GPG keys. This is to ensure that no matter what the problem
> > is, there is someone available to help resolve issues that arise in the
> > release.
>
> I feel like it's better to use different GPG keys that are owned by RMs
> themselves.
>
> As the community expands, we'll welcome new PPMC members and Release
> Managers (RMs) from outside your company. Regarding security, it's risky
> for RMs to share GPG keys. In terms of community independence, the release
> process should not be overly reliant on joyqi. Should joyqi be unavailable
> or preoccupied, can the release process continue without interruption?
>
> On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote:
> > Hi Xuanwo,
> >
> > Firstly, these files in the vaunt folder are reward badges for user
> > contributions. For now, we are using it.
> > Regarding the signature issue you mentioned, only release manager and joyqi
> > know the secret GPG keys. This is to ensure that no matter what the problem
> > is, there is someone available to help resolve issues that arise in the
> > release.
> >
> > Best regards,
> > LinkinStar
> >
> > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo <xua...@apache.org> wrote:
> >
> >> Hi,
> >>
> >> I found those images are included in source tarball:
> >>
> >> - .vaunt/bug.png
> >> - .vaunt/enhancement.png
> >>
> >> Are they needed by users? Is it possible to remove them from the src
> >> release?
> >>
> >> Regarding PGP signatures, I'm confident that all are valid. But I found
> >> that those tarballs are signed by jo...@apache.org which is not the
> >> release manager.
> >>
> >> Are you internally sharing jo...@apache.org's secret GPG keys? Or have
> >> you signed those tarballs through CI with the key stored as GitHub
> >> secrets?
> >>
> >> On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote:
> >> > Hello,
> >> >
> >> > This is a call for vote to release Apache Answer(Incubating) version
> >> > v1.2.1-RC1.
> >> >
> >> > The vote thread:
> >> > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6
> >> >
> >> > Vote Result:
> >> > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj
> >> >
> >> > The release candidates:
> >> > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/
> >> >
> >> > Release notes:
> >> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> >> >
> >> > Git tag for the release:
> >> > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> >> >
> >> > Git commit id for the release:
> >> > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef
> >> >
> >> > Keys to verify the Release Candidate:
> >> > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS
> >> >
> >> > The vote will be open for at least 72 hours or until the necessary
> >> > number of votes are reached.
> >> >
> >> > Please vote accordingly:
> >> >
> >> > [ ] +1 approve
> >> > [ ] +0 no opinion
> >> > [ ] -1 disapprove with the reason
> >> >
> >> > Checklist for reference:
> >> >
> >> > [ ] Download links are valid.
> >> > [ ] Checksums and PGP signatures are valid.
> >> > [ ] Source code distributions have correct names matching the current
> >> > release.
> >> > [ ] LICENSE and NOTICE files are correct for each Answer repo.
> >> > [ ] All files have license headers if necessary.
> >> > [ ] No unlicensed compiled archives bundled in source archive.
> >> >
> >> > To compile from the source, please refer to:
> >> > https://github.com/apache/incubator-answer#building-from-source
> >> >
> >> > Thanks,
> >> > LinkinStar
> >>
> >> --
> >> Xuanwo
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> >> For additional commands, e-mail: general-h...@incubator.apache.org
> >>
> >>
>
> --
> Xuanwo
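The thread turns on whether a project's KEYS file can hold more than one public key. It can: an Apache KEYS file is a concatenation of every release manager's exported public key, a verifier imports all of them (`gpg --import KEYS`) and picks the key that made each signature by its key ID, so appending a new RM's key leaves every older release verifiable. Only replacing the file, so that the original signer's key is gone, breaks verification of the older release. The Go program below is an added example, not code from this thread or from the Apache Answer project. It models that convention with Ed25519 keys and a made-up armored block format (both assumptions that stand in for GnuPG/OpenPGP so the program runs with the standard library alone); the owner names "RM A" and "RM B" and the artifact contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Armor markers of the model format (constructed; real KEYS files hold OpenPGP armor).
const (
	beginMarker = "-----BEGIN MODEL PUBLIC KEY BLOCK-----"
	endMarker   = "-----END MODEL PUBLIC KEY BLOCK-----"
)

type (
	// KeyEntry is one release manager's public key as imported from KEYS.
	KeyEntry struct {
		Owner string
		ID    string // stands in for a GPG key ID
		Pub   ed25519.PublicKey
	}
	// Signature is a detached signature tagged with the signing key's ID.
	Signature struct {
		KeyID string
		Sig   []byte
	}
)

// KeyID derives a short fingerprint from the key material.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// ExportKey renders a key as one armored block; a new RM appends it to KEYS.
func ExportKey(owner string, pub ed25519.PublicKey) string {
	return strings.Join([]string{beginMarker, "owner: " + owner, "keyid: " + KeyID(pub),
		base64.StdEncoding.EncodeToString(pub), endMarker, ""}, "\n")
}

// ImportKeys parses every block in a KEYS file into a keyring (the model's `gpg --import KEYS`).
// Text outside blocks is ignored; a block with bad key material or a key ID that does not match it is refused.
func ImportKeys(keys string) ([]KeyEntry, error) {
	var ring []KeyEntry
	for _, chunk := range strings.Split(keys, beginMarker)[1:] {
		body, _, _ := strings.Cut(chunk, endMarker)
		var e KeyEntry
		for _, raw := range strings.Split(body, "\n") {
			switch line := strings.TrimSpace(raw); {
			case strings.HasPrefix(line, "owner: "):
				e.Owner = strings.TrimPrefix(line, "owner: ")
			case strings.HasPrefix(line, "keyid: "):
				e.ID = strings.TrimPrefix(line, "keyid: ")
			case line != "":
				b, _ := base64.StdEncoding.DecodeString(line)
				e.Pub = ed25519.PublicKey(b)
			}
		}
		if len(e.Pub) != ed25519.PublicKeySize || KeyID(e.Pub) != e.ID {
			return nil, fmt.Errorf("KEYS block for %q is malformed or its key ID does not match", e.Owner)
		}
		ring = append(ring, e)
	}
	return ring, nil
}

// Sign makes a detached signature over a release artifact (`gpg --detach-sign`).
func Sign(priv ed25519.PrivateKey, artifact []byte) Signature {
	return Signature{KeyID: KeyID(priv.Public().(ed25519.PublicKey)), Sig: ed25519.Sign(priv, artifact)}
}

// Verify checks an artifact against its detached signature with the keyring from KEYS (`gpg --verify`).
// The key is chosen by ID, so an older release stays verifiable while its signer's key is still in KEYS.
func Verify(ring []KeyEntry, artifact []byte, sig Signature) (string, error) {
	for _, k := range ring {
		if k.ID != sig.KeyID {
			continue
		}
		if !ed25519.Verify(k.Pub, artifact, sig.Sig) {
			return "", fmt.Errorf("BAD signature from %q (%s)", k.Owner, k.ID)
		}
		return k.Owner, nil
	}
	return "", fmt.Errorf("signer key %s is not in KEYS; cannot verify", sig.KeyID)
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	rel100 := []byte("answer-1.0.0-src.tar.gz (constructed contents)") // signed by RM A
	sig100 := Sign(privA, rel100)
	// Appending B's key keeps A's older release verifiable; replacing KEYS with B's key alone does not.
	for _, keys := range []string{ExportKey("RM A", pubA) + ExportKey("RM B", pubB), ExportKey("RM B", pubB)} {
		ring, _ := ImportKeys(keys)
		who, err := Verify(ring, rel100, sig100)
		fmt.Printf("KEYS holds %d key(s): release 1.0.0 signer=%q err=%v\n", len(ring), who, err)
	}
}
```

Run as-is, it prints one line per keyring: with both keys imported, release 1.0.0 verifies and names RM A as the signer; with only B's key, it fails with "not in KEYS" rather than "BAD signature". Keeping those two outcomes distinct is deliberate: the first tells a downstream user to fetch a newer KEYS file, the second tells them the artifact or signature is not what the RM published.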