Re: Inconsistent GPG keys in dev and release repositories

2023-02-17 Thread Zike Yang
> Actually we shouldn't have a "dev" KEYS file. It is confusing. Make sense to me. Thanks, Zike Yang Zike Yang On Fri, Feb 17, 2023 at 5:37 PM Yunze Xu wrote: > > I've synchronized the missed keys from dev to release, including the > following committers: > - Yunze Xu > - Yuto Furuta > - xian

Re: Inconsistent GPG keys in dev and release repositories

2023-02-17 Thread Yunze Xu
I've synchronized the missed keys from dev to release, including the following committers: - Yunze Xu - Yuto Furuta - xiangying - Baodi Shi See https://dist.apache.org/repos/dist/release/pulsar/KEYS Regarding whether to drop the KEYS in the dev repo, let's wait more opinions. Thanks, Yunze On F

Re: Inconsistent GPG keys in dev and release repositories

2023-02-17 Thread Yunze Xu
> When a new committer wants to cut a release they can ask for help to the PMC to add their KEY to the "release" KEYS I agree. We should only allow a PMC member to update the key. > Seems that you didn't add your public key here [0]. Yes, I found this issue as well, my key is only added to the d

Re: Inconsistent GPG keys in dev and release repositories

2023-02-17 Thread Zike Yang
Hi, Yunze Seems that you didn't add your public key here [0]. There is an issue when verifying the Pulsar C++ Client 3.1.2 released files: ``` ➜ pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz' gpg: Signatur

Re: Inconsistent GPG keys in dev and release repositories

2023-02-17 Thread Enrico Olivelli
Actually we shouldn't have a "dev" KEYS file. It is confusing. I suggest dropping it. When a new committer wants to cut a release they can ask for help to the PMC to add their KEY to the "release" KEYS Enrico Il giorno ven 17 feb 2023 alle ore 09:21 Yunze Xu ha scritto: > > Oh that's right. Th

Re: Inconsistent GPG keys in dev and release repositories

2023-02-17 Thread Yunze Xu
Oh that's right. Then we have to update one of them. Thanks, Yunze On Fri, Feb 17, 2023 at 3:02 PM Zike Yang wrote: > > Hi, Yunze > > I think the KEYS file in the release repo is necessary. They are both > used to verify the release file. Otherwise, the user will fail when > checking the GPG sig

Re: Inconsistent GPG keys in dev and release repositories

2023-02-16 Thread Zike Yang
Hi, Yunze I think the KEYS file in the release repo is necessary. They are both used to verify the release file. Otherwise, the user will fail when checking the GPG signature on the release file. BR, Zike Yang On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu wrote: > > Hi all, > > I found the GPG keys,

Inconsistent GPG keys in dev and release repositories

2023-02-16 Thread Yunze Xu
Hi all, I found the GPG keys, which are used in verifying the signatures of release candidates, are much different in dev and release repositories: https://dist.apache.org/repos/dist/dev/pulsar/KEYS https://dist.apache.org/repos/dist/release/pulsar/KEYS >From here [1], it seems like we need to ap