Re: [VOTE] JSPWiki version 2.9.0-incubating
Hi folks,

just want to remind you of the ongoing vote...

Best regards
Florian Holeczek

On 27.09.2012 20:11, Juan Pablo Santos Rodríguez wrote:
> Hi,
>
> This is a call for a vote on releasing the following candidate as Apache
> JSPWiki version 2.9.0-incubating.
> This will be our first release. A vote was held on the developer mailing
> list (http://s.apache.org/dzM) and
> passed with 10 +1s (* denoting PPMC):
>
> Janne Jalkannen*
> Florian Holeczek*
> Harry Metske*
> Andrew Jaquith*
> Dirk Frederickx*
> Juan Pablo Santos Rodríguez*
> Fabian Haupt
> Michael Gerzabek
> Christophe Dupriez
> Roberto Venturi
>
> We need at least 3 IPMC votes.
>
> This release fixes the following issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732&version=12319521
>
> Source and binary files:
> http://people.apache.org/~jalkanen/JSPWiki/2.9.0/
>
> The tag to be voted upon:
> https://svn.apache.org/repos/asf/incubator/jspwiki/tags/jspwiki_2_9_0_incubating_rc3
>
> JSPWiki's KEYS file containing PGP keys we use to sign the release:
> http://www.apache.org/dist/incubator/jspwiki/KEYS
>
>
> Please download, test, and vote by 72 hours from now.
>
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)
>
>
> Thanks,
> juan pablo
>

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: key signing
Daniel Shahaf wrote on 05.10.2012 at 15:15:
> Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400:
>> Alternatively, since the chain is CLA -> svn access -> unsigned key in
>> svn, perhaps all we really need is to document that a signature
>> corresponding to a key in svn is really good enough, and users need
>> not be concerned further.
>>
>
> Downloading keys from https://www.apache.org/dist/ or
> https://people.apache.org/keys/ is good enough for users who
> trust root@ and Thawte.

A few days ago, I've been learning from a mail on this list, that it was OK to participate in the Apache community using only a pseudonym. The question is, how far is this going? May releases be signed with keys belonging to a pseudonym?

PGP/GPG's concept in general is that keys contain their owner's real name. If releases may be signed under pseudonyms, then, if I understood the Apache pseudonym rules right, the only one who would be able to sign such a key was secretary@, since it's the only one who knows the pseudonym's real identity.

Regards
Florian

Re: [VOTE] JSPWiki version 2.9.0-incubating
Hi all,

the call is open for over a week now, and we still need at least 2 IPMC votes.

Come on, it's not that difficult or time-consuming to have a look at JSPWiki, even if you've never been using it before. All you need is an environment with Subversion, Ant and a JDK (and for giving it a try, a servlet container like Tomcat) - quite a small hurdle.

Thanks and Regards
Florian

Re: [VOTE] JSPWiki version 2.9.0-incubating
Hi Ross,

> To do an IP review, which is what's required for release vote, it is time
> consuming. That being said, you mentors should be stepping. Seems like you
> need some more mentors.

thanks for pointing out.

I guess the thread at [1] contains all information needed for the IP review, in particular [2], [3] and [4].
Regarding mentors' action on the IP clearance, see [5].

Regards
Florian

[1] http://incubator.markmail.org/message/vd7vahs6izauvlhx
[2] http://www.jspwiki.org/wiki/ApacheRelicensing
[3] https://issues.apache.org/jira/browse/JSPWIKI-544
[4] https://issues.apache.org/jira/browse/JSPWIKI-546
[5] http://incubator.markmail.org/message/3vnokdivm63suvok

Re: [VOTE] JSPWiki version 2.9.0-incubating
Christian and Craig,

thank you very much for having a look at the RC and pointing out these issues. We'll fix these asap.

Regards
Florian

Re: key signing
Hi Benson,

> A different angle.
>
> Noah asks me to sign his key.
>
> Noah tells me that he's committed it to KEYS for CloudStack in svn
> revision 314159.
>
> I examine that revision and see that it was made by, indeed, noah's
> Apache ID, which is associated with a particular email address.
>
> I send email to secretary@, asking "Can you confirm that
> nsla...@apache.org corresponds to a CLA signed by a person named Noah
> Slater?"
>
> The secretary says yes.
>
> I then feel that it's perfectly reasonable to sign a key that has two
> things in it: the name Noah Slater and nsla...@apache.org,

In this scenario, you assume:
* that Noah's account is solely under his own control
* that your mail ping pong with secretary is secure
* that the ASF did verify Noah's identity correctly
* in general, that the whole infrastructure used in this process is secure (trust root, no MITM, the usual stuff)

The PGP/GPG WoT is generally built upon assuring the identity of a real person (normally this person's name is the name used in the key, but this is a point often discussed), and upon doing this personally, i.e. not relying on the assumption that others have done it correctly! It's *you* who is signing the key, stating that *you* can certify that this key belongs to that person, and that the person is the one he/she claims to be. After all, other users on the WoT will rely on this information.

Signing pseudonym keys is a special thing, see [1] for example. It is important to mention that using a pseudonym doesn't mean that identity verification can't take place - these are two different things.

> because if
> this process doesn't verify an adequate association, then no one can
> trust the Apache IP process, either, and which has the same signature
> as the one in SVN.

I don't remember what exactly I had to do, but AFAIR not as much that the ASF would be able to sign my real-name-key based on this information. Sad but true.

> What am I missing here that would be improved by an in-person
> examination of his, oh, passport? A risk of some baroque MITM attack
> on Apache's svn server?
>
> It seems to me that this highlights a global issue with the WoT: how
> can I know the standards and level of care of every link in a chain of
> trust from me to some other person?
>
> None of this, of course, changes my concern that the average Apache
> user isn't connected, but if the argument is persuasive it should
> unleash a positive avalanche of key signing.

Of course, the WoT concept results in some effort for every participant. It's a decentralized concept, and this is one of its disadvantages.

However, what would now be totally wrong IMO is, that some guys in the ASF redefine these rules in order to make the process of release signing more simple. In the WoT big picture, this would automatically mean that every key that is signed based on these weak rules would have to be marked as marginally trusted (if at all) by people who want to really follow the PGP/GPG WoT concept.

I think there are the following basic questions:
a) Which basic concept should be used at all? Is it a decentralized Web of Trust, or should a hierarchical Apache CA be established for code signing purposes?
b) Should it be possible to contribute to ASF projects using a pseudonym, including code signing?

Assuming WoT for a), since there is probably no suiting manpower available for running a CA.
Assuming Yes for b) and proposing that there should be rules for pseudonym keys making it possible to distinguish them from real name keys (for example "Superman (PSEUDONYM CODE SIGNING KEY) http://lists.gnupg.org/pipermail/gnupg-users/2004-May/022553.html

Re: key signing
Hi Marvin,

> On Wed, Oct 10, 2012 at 8:11 AM, Florian Holeczek wrote:
>> However, what would now be totally wrong IMO is, that some guys in the ASF
>> redefine these rules in order to make the process of release signing more
>> simple. In the WoT big picture, this would automatically mean that every key
>> that is signed based on these weak rules would have to be marked as
>> marginally trusted (if at all) by people who want to really follow the
>> PGP/GPG WoT concept.
>
> In my opinion, we have sufficient expertise here at the ASF to devise an
> authentication protocol whose reliability exceeds that of individuals
> participating unsupervised in a web of trust, particularly if the protocol
> were to incorporate archived video and auditing by a PMC.

that may well be. Having read most of the mails on this thread, I was kind of shocked by how carelessly some would sign a key though, too, and that's what I meant by weak rules. Defining a good key signing protocol containing multiple factors, like you've mentioned in a different mail on this thread, would certainly help here, that's true.

Regards
Florian

Re: jspwiki
Hi Jukka,

basically yes. Maybe important to explain that the slowdown of activity was due to big changes in the codebase (3.0 branch), which had been planned and started mainly by two committers who then hadn't that much time anymore to finish them (That's life!). It took some time to realize this, but finally we decided to adapt our plans to the new situation, which means continuing with the 2.x codebase and concentrate on graduating asap.

Best regards
Florian

On 13.10.2012 16:49, Jukka Zitting wrote:
> Hi,
>
> On Tue, Oct 9, 2012 at 1:05 AM, Jukka Zitting wrote:
>> JSPWiki has been troubled for quite some time.
>
> Following up on this and since JSPWiki is by far our oldest podling, I
> felt it appropriate to summarize its status and outlook from the IPMC
> perspective in this months board report. Here's my summary:
>
> JSPWiki is our oldest podling with over five years in the Incubator.
> Activity in JSPWiki was very low for a few years and they've yet to
> create their first Apache release. Earlier this year they discussed
> leaving the Incubator and the ASF since they clearly weren't making
> much progress. That discussion led to some revival of activity and
> the decision to continue in the Incubator. Unfortunately the podling
> no longer has enough active mentors, which has led to some trouble
> with premature attempts at cutting releases or graduating. Despite
> these troubles the podling is making progress, and with sufficient
> help from the IPMC they might well become ready to graduate within
> a few quarters.
>
> JSPWiki committers/mentors, does this sound like an accurate summary?
>
> BR,
>
> Jukka Zitting

legal conditions regarding project website content
Hi all,

in the JSPWiki project, we have an issue similar to the situation described in [1].

The site www.jspwiki.org has always been the project's main page so far. We're aware of the fact that, after graduation, jspwiki.apache.org will have to be the project's main page (according to [2]). Such a page is already existing at [3].

However, simply deleting all content from www.jspwiki.org and restarting from scratch is not an option, because it would destroy so much useful stuff around the project: www.jspwiki.org is a wiki containing information on the one hand (HOWTOs, etc.), but also source code / artifacts on the other hand (JSPWiki plugins, etc.). Typical of a public wiki, this stuff is coming from various contributors, in many cases without any specifically named license. This is why the wiki is stating "Copyright © 2009 individual contributors.".

Will it be possible to host this wiki inside the Apache infrastructure, too, or what to do here?

Best regards
Florian

[1] http://markmail.org/message/nshmdsn3e5aklm4j
[2] http://www.apache.org/foundation/marks/pmcs.html#websites
[3] http://incubator.apache.org/jspwiki/

Re: Shipping binary file in CloudStack release
Hi Noah,

> We're just voting on our first release, and I spotted this file in the root
> of the source:
>
> https://git-wip-us.apache.org/repos/asf?p=incubator-cloudstack.git;a=blob_plain;f=waf;hb=HEAD
>
> It seems to be a sort of hybrid source/binary file. Very strange.
>
> Can we ship this?

it's this one:
http://code.google.com/p/waf/

The website says it's licensed under the "New BSD License".

Regards
Florian

Content-Encoding, License for .graffle file, Was: Fwd: [VOTE] Release celix-0.0.1-incubating
Hi all,

taking this out of the Celix vote thread in order to keep it tidy.

Sebb wrote:
> The file documents/Celix.graffle does not have a license.

In JSPWiki, we have a .graffle file, too. Although this is XML, I consider this a binary file, just like a JPEG image for example. It's the document format of Graffle, a graphics software for Mac OS X.

> I agree that the download problem is not a blocker for the release. Until it
> is fixed, I suggest adding a note to any vote e-mails to warn reviewers about
> the problem.
> Using wget, I was able to download the archive, sig and hashes.

The problem underneath is: When the browser tells "Accept-Encoding gzip" in its HTTP request header, it can be that a .gz download gets gzipped again. Although the server correctly responds with "Content-Encoding gzip", the browser may not handle this download correctly and save it double gzipped to disk. So you end up with a file .tar.gz which in fact is a .tar.gz.gz format. Gunzipping this manually leads to the correct data. So,
* there isn't any real data corruption and
* it seems to be at least not only the server part which is to blame here

Regards
Florian

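Added example (not part of the original message and not code from any Apache project): a checksum check that tells a download saved with an extra gzip layer, as described in the message above, apart from real corruption. The function names and the in-memory sample archive are constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def gzip_layers(data, max_layers=3):
    """Return [data, gunzip(data), ...] for as long as the current layer
    starts with the gzip magic bytes, peeling at most max_layers layers."""
    layers = [data]
    while len(layers) <= max_layers and layers[-1][:2] == GZIP_MAGIC:
        try:
            layers.append(gzip.decompress(layers[-1]))
        except (OSError, EOFError, zlib.error):
            break  # looked like gzip but the stream is damaged
    return layers


def check_download(data, published_sha512):
    """Compare a download with the published SHA-512.

    Returns (status, artifact):
      "ok"             - the bytes on disk are the published artifact
      "double-gzipped" - the artifact is intact under one or more extra gzip
                         layers; artifact holds the recovered bytes, which are
                         what the published hashes and signature refer to
      "mismatch"       - no layer matches; do not use the file
    """
    wanted = published_sha512.strip().lower()
    for depth, layer in enumerate(gzip_layers(data)):
        if hashlib.sha512(layer).hexdigest() == wanted:
            return ("ok" if depth == 0 else "double-gzipped"), layer
    return "mismatch", None


def build_sample_release():
    """Constructed sample: a tiny in-memory .tar.gz standing in for a release."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        body = b"constructed sample file\n"
        info = tarfile.TarInfo("sample-0.0.1/README")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return gzip.compress(tar_buf.getvalue(), mtime=0)


if __name__ == "__main__":
    artifact = build_sample_release()
    published = hashlib.sha512(artifact).hexdigest()
    # What ends up on disk when the Content-Encoding: gzip layer is kept.
    re_gzipped = gzip.compress(artifact, mtime=0)
    # One flipped byte: genuine corruption, no layer will match.
    damaged = artifact[:-1] + bytes([artifact[-1] ^ 0xFF])
    for name, blob in (("clean", artifact), ("re-gzipped", re_gzipped),
                       ("damaged", damaged)):
        print(name, "->", check_download(blob, published)[0])
```

The layers are decompressed in memory, so cap the input size before running this on files from an untrusted source.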
Re: Content-Encoding, License for .graffle file, Was: Fwd: [VOTE] Release celix-0.0.1-incubating
Hi Alexander,

Alexander Broekhuis wrote:
>> In JSPWiki, we have a .graffle file, too. Although this is XML, I consider
>> this a binary file, just like a JPEG image for example. It's the document
>> format of Graffle, a graphics software for Mac OS X.
>
> In the Celix case the file can/should be removed. But otherwise, it being a
> file created by a tool, a NOTE or README file can be used to "set" the
> license. Celix uses this to clarify the license information on some input
> files which are processed during the build.

thanks for the details. I'll remove it from the JSPWiki artifacts then, too.

>> The problem underneath is: When the browser tells "Accept-Encoding gzip"
>> in its HTTP request header, it can be that a .gz download gets gzipped
>> again. Although the server correctly responds with "Content-Encoding
>> gzip", the browser may not handle this download correctly and save it
>> double gzipped to disk. So you end up with a file .tar.gz which in fact is
>> a .tar.gz.gz format. Gunzipping this manually leads to the correct data.
>> So,
>> * there isn't any real data corruption and
>> * it seems to be at least not only the server part which is to blame here
>
> This is what I noticed as well. It seems more likely that the browser does
> something wrong here. Looking at the headers I couldn't find anything
> strange. Funny thing is, for Chrome a bug has been solved to strip an extra
> gz from downloaded files: [1]
>
> [1]: http://code.google.com/p/chromium/issues/detail?id=58168

Bugzilla entries are existing for Firefox, too, but they're not resolved yet. See [1] for example.

Regards
Florian

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=610679

[VOTE] Release JSPWiki version 2.9.0-incubating
Hi all,

I'd like to start a vote on an incubator release for Apache JSPWiki, version 2.9.0-incubating.

Apache JSPWiki (incubating) is a leading open source WikiWiki engine, feature-rich and built around standard J2EE components (Java, servlets, JSP).

A vote was held on the developer mailing list [1] and passed with 9 "+1"s [2], two of them from our mentors.

This release candidate fixes the following issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732&version=12319521

The tag to be voted upon:
https://svn.apache.org/repos/asf/incubator/jspwiki/tags/jspwiki_2_9_0_incubating

Source and binary files:
http://people.apache.org/~florianh/jspwiki-2.9.0-incubating/

Checksums:

JSPWiki-2.9.0-incubating-src.zip
MD5: 287e75857b03b41dca769211591c6144
SHA1: 74b24e526177b7ddf5394b4b96b67bb9081628a4
SHA512: 9a080ed994e4308e4ff6386f6e5e88e42d27fc8a8abe37d2874d3c8477fe097037017fffdd03430cdb0ca7a73efba91bf58e70c1943e08c9565170809daa953a

JSPWiki-2.9.0-incubating-bin.zip
MD5: 7e774dc46c112ca895aad60fb607dc60
SHA1: e529eb02d13f4061534d85dd0e78d67c5dfe29a5
SHA512: 575eae72390178005bf7cf57332af9a1da85515d6fc10cf9c8b3548f50743c0e57c0c6f46bc99b70cd1328ef083fb4a4fe9f3867e9ec7c7e4a640b845a2e2ee4

JSPWiki's KEYS file containing PGP keys we use to sign the release:
http://www.apache.org/dist/incubator/jspwiki/KEYS

For convenience, this directory includes a binary distribution and a RAT report on the cited tag. You can manually generate the RAT report from a clean source by running the "rat-report" Ant target.

Please vote:

[ ] +1 approve, release Apache JSPWiki 2.9.0-incubating
[ ] +0 no opinion
[ ] -1 disapprove (and giving a reason)

The vote will be open for at least 72 hours.

Best regards
Florian Holeczek

[1] http://markmail.org/message/gksvnjnru2nhhenf
[2] http://markmail.org/message/mht24dwvpmm7xgft

[RESULT] [VOTE] Release JSPWiki version 2.9.0-incubating PASSED
Hi all,

I'd like to close this vote now and thank everyone who participated.

The vote has passed successfully with 4 "+1" IPMC votes, here's the tally:

Binding votes:
+1 Siegfried Goeschl (sgoeschl)
+1 Christian Grobmeier (grobmeier)
+1 Craig L Russell (clr), voted on jspwiki-dev
+1 Mark Struberg (struberg)

Non-binding votes:
none

So, finally, we've now got our first incubator release out! I will copy the artifacts to the dist area in a few hours.

Best regards
Florian Holeczek

Re: Machine account request - "www.apache.org"
Hi all,

Tony, thanks for your explanation.

@Incubator PMC:
The topic is "Project ready to comply with ASF mirroring guidelines" from the Incubation Policy:
http://incubator.apache.org/incubation/Incubation_Policy.html#Graduating+from+the+Incubator
It's only a SHALL task, but to me it even sounds more like a post-graduation task, since the path changes after graduation anyway. Could you please clarify this?

Thanks and best regards
Florian Holeczek

- Original Message -
From: "Tony Stevenson"
To: "Florian Holeczek"
CC: infrastruct...@apache.org, "JSPWiki private list"
Sent: Monday, 6 February 2012 23:57:36
Subject: Re: Machine account request - "www.apache.org"

On Mon, Feb 06, 2012 at 10:52:28PM +, Tony Stevenson wrote:
>
> Florian,
>
> Please use https://id.apache.org/acreq/ to request accounts.
> As per http://www.apache.org/dev/pmc.html#newcommitter

If these are existing accounts, then that is different. We do not allow committers to have shell access on any machine other than people.apache.org, other than PMC specific VMs, or if you are a member of Infra.

That guide looks very out of date, and is not for mirroring websites, but making your projects' released code available on the mirror service.

The best way to do this will be for your released artifacts to go into dist.a.o (SVN repo) and this will need to be setup by infra (on request via a JIRA ticket), and future updates will be automatically pushed to the mirrors.

>
>
>
> On Mon, Feb 06, 2012 at 11:39:57PM +0100, Florian Holeczek wrote:
> > Userids: juanpablo, florianh
> > Machine: www.apache.org
> > Groups required: committers, incubator
> > Reason:
> >
> > Hi infrastructure team,
> >
> > preparing graduation of the JSPWiki project, we'd like to have access to
> > www.apache.org in order to be able to follow step #6 of the "Step-By-Step
> > Guide To Mirroring Releases" [1].
> >
> > Best regards
> > Florian Holeczek
> >
> > [1] http://www.apache.org/dev/mirror-step-by-step.html
> >
>
> --
> Cheers,
> Tony
>
>
> ---
> Tony Stevenson
>
> t...@pc-tony.com // pct...@apache.org
> t...@caret.cam.ac.uk
>
> http://blog.pc-tony.com
>
> GPG - 1024D/51047D66
> --"
>

--
Cheers,
Tony

---
Tony Stevenson

t...@pc-tony.com // pct...@apache.org
t...@caret.cam.ac.uk

http://blog.pc-tony.com

GPG - 1024D/51047D66
--"

Re: [VOTE] Graduate JSPWiki from Incubator
+1

- Original Message -
From: "Juan Pablo Santos Rodríguez"
To: jspwiki-...@incubator.apache.org, general@incubator.apache.org
Sent: Monday, 16 April 2012 00:04:30
Subject: [VOTE] Graduate JSPWiki from Incubator

Hello all,

The Apache JSPWiki project entered Incubator in October of 2007. Since then we have added two new committers from diverse organizations. The codebase of our product has been growing slowly but surely, and we think is mature enough to go through graduation; also, we have made two releases following the ASF policies and guidelines. Thanks to the mentorship we have received through this period, we have learnt to self-govern and grow our community using accepted Apache practices.

Given these milestones, I feel that JSPWiki is ready to graduate from Incubator. The first step towards graduation is to vote as a community that JSPWiki is ready to graduate. If the vote is successful, we will draft a board resolution proposal and call it to vote on the general Incubator list. The complete graduation process is described [1].

Please cast your votes:

[ ] +1 Graduate JSPWiki from Incubator
[ ] +0 Indifferent to graduation status of JSPWiki
[ ] +1 Reject graduation of JSPWiki from Incubator

This vote will remain open for at least 72 hours from now.

[1] http://incubator.apache.org/guides/graduation.html

Thanks,
juan pablo