ignite-dev mailing list archives

From Denis Magda <dma...@apache.org>
Subject Re: [VOTE] Apache Ignite 2.1.0 RC3
Date Mon, 24 Jul 2017 17:46:41 GMT
Hi Cos,

>  Which tells me that the private key is simply shared by a number of the
>  committers. And there's no guarantee that it hasn't been leaked outside of
>  the group. And that's pretty serious security flaw, actually.

That’s not the case. Sam signed and did final technical steps preparing the RC3. I took
care of other formalities.

Personally, did expect this to be an issue. Agree, let’s fix the process making sure the
release manager signs bundles all the time.

> - why every other RC Vote is started by a different person?


Summer time, vacations, days off…

—
Denis

> On Jul 22, 2017, at 1:26 PM, Konstantin Boudnik <cos@apache.org> wrote:
> 
> Retracting this, found the KEYS (douh...). Still
> 
> -1 (binding). The release isn't signed by the release manager. Someone else's
> key is used.
> 
> - Checked the sha1
> - Successfully ran the build 
> - Checked the signature
> - The archive is signed by the key 593A743B belonging to sboikov@apache.org.
>  However, none of the 2.1.0 RC [VOTE] attempts were started by this person.
>  Which tells me that the private key is simply shared by a number of the
>  committers. And there's no guarantee that it hasn't been leaked outside of
>  the group. And that's pretty serious security flaw, actually.
> 
>  Why the release managers aren't using their own keys? It is easy to generate
>  and sign the keys following guidelines [1]. Committers' keys are easy to
>  validate against the Apache repository [2]
> 
> Things that need to be improved in the next release:
> - neither sha1 nor md5 are trustful checksum'ing methods and aren't
>  guaranteeing the authenticity of the source archive. We should be switching
>  to at least sha256 or higher. This has been brought up since the incubation.
>  And warrants for -1 in the next release.
> - why every other RC Vote is started by a different person?
> 
> With regards,
>  Cos
> 
> [1] https://people.apache.org/keys/committer/
> [2] https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
> 
> On Sat, Jul 22, 2017 at 01:00PM, Konstantin Boudnik wrote:
>> Am I missing the location of the signing keys? I cannot verify the signature
>> of the archive.
>> 
>> -1 (binding) until then.
>> 
>> Thanks
>>  Cos
>> 
>> On Thu, Jul 20, 2017 at 03:34PM, Denis Magda wrote:
>>> Igniters,
>>> 
>>> Setting off the vote one more time. Hope I’ll be successful this time, keeping fingers crossed :)
>>> 
>>> We have uploaded a 2.1.0 release candidate to
>>> https://dist.apache.org/repos/dist/dev/ignite/2.1.0-rc3/
>>> 
>>> Git tag name is
>>> 2.1.0-rc3
>>> 
>>> This release includes the following changes:
>>> 
>>> Ignite:
>>> * Persistent cache store
>>> * Added IgniteFuture.listenAsync() and IgniteFuture.chainAsync() methods
>>> * Deprecated IgniteConfiguration.marshaller
>>> * Updated Lucene dependency to version 5.5.2
>>> * Machine learning: implemented K-means clusterization algorithm optimized
>>> for distributed storages
>>> * SQL: CREATE TABLE and DROP TABLE commands support
>>> * SQL: New thin JDBC driver
>>> * SQL: Improved performance of certain queries, when affinity node can be
>>> calculated in advance
>>> * SQL: Fixed return type of AVG() function
>>> * SQL: BLOB type support added to thick JDBC driver
>>> * SQL: Improved LocalDate, LocalTime and LocalDateTime support for Java 8
>>> * SQL: Added FieldsQueryCursor interface to get fields metadata for
>>> SqlFieldsQuery
>>> * ODBC: Implemented DML statement batching
>>> * Massive performance and stability improvements
>>> 
>>> Ignite.NET:
>>> * Automatic remote assembly loading
>>> * NuGet-based standalone node deployment
>>> * Added conditional data removal via LINQ DeleteAll
>>> * Added TimestampAttribute to control DateTime serialization mode
>>> * Added local collections joins support to LINQ.
>>> 
>>> Ignite CPP:
>>> * Added Compute::Call and Compute::Broadcast methods
>>> 
>>> Web Console:
>>> * Implemented support for UNIQUE indexes for key fields on import model
>>> from RDBMS
>>> * Added option to show full stack trace on Queries screen
>>> * Added PK alias generation on Models screen.
>>> 
>>> Complete list of closed issues:
>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20IGNITE%20AND%20fixVersion%20%3D%202.1%20AND%20(status%20%3D%20closed%20or%20status%20%3D%20resolved)
>>> 
>>> DEVNOTES
>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=DEVNOTES.txt;hb=refs/tags/2.1.0-rc3
>>> 
>>> RELEASE NOTES
>>> https://git-wip-us.apache.org/repos/asf?p=ignite.git;a=blob_plain;f=RELEASE_NOTES.txt;hb=refs/tags/2.1.0-rc3
>>> 
>>> Please start voting.
>>> 
>>> +1 - to accept Apache Ignite 2.1.0-rc3
>>> 0 - don't care either way
>>> -1 - DO NOT accept Apache Ignite 2.1.0-rc3 (explain why)
>>> 
>>> This vote will go for 72 hours.
>>> 
>>> —
>>> Denis
>>> 
> 
> 
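
The checks raised in the quoted -1 vote (a valid signature, made by the release manager's own key, and a checksum stronger than md5/sha1), as an added example that is not part of this thread or of Apache Ignite's release tooling. It assumes the status text comes from `gpg --status-fd 1 --verify`; the function names are hypothetical and the fingerprints are constructed placeholders, with only the short key id 593A743B taken from the thread.

```python
import hashlib

# Constructed sample in the format of `gpg --status-fd 1 --verify` output.
# Fingerprints are padded placeholders; only the short id 593A743B is from the thread.
SIGNER_FPR = "A" * 32 + "593A743B"
RM_FPR = "B" * 40  # hypothetical: key of the person who started the vote
SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SIGNER_FPR[-16:]} Signer <signer@example.org>
[GNUPG:] VALIDSIG {SIGNER_FPR} 2017-07-20 1500564840 0 4 0 1 8 00 {SIGNER_FPR}
"""
WEAK_DIGESTS = {"md5", "sha1"}


def valid_signers(status_text):
    """Return primary-key fingerprints of signatures gpg reported as VALIDSIG."""
    fprs = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Field 12 is the primary key fingerprint; older gpg emits only field 3.
            fprs.append((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return fprs


def check_release(status_text, release_manager_fpr, artifact, digest_algo, published_hex):
    """Return a list of findings; an empty list means the candidate passes."""
    findings = []
    signers = valid_signers(status_text)
    if not signers:
        findings.append("no valid signature")
    elif release_manager_fpr.upper() not in signers:
        # A good signature from the wrong key is still a process failure.
        findings.append(f"signed by {signers[0][-8:]}, not the release manager")
    algo = digest_algo.lower()
    if algo in WEAK_DIGESTS:
        findings.append(f"{algo} is too weak; publish sha256 or stronger")
    elif hashlib.new(algo, artifact).hexdigest() != published_hex.lower():
        findings.append("checksum mismatch")
    return findings


if __name__ == "__main__":
    archive = b"constructed archive bytes"  # stands in for the release archive
    for finding in check_release(SAMPLE_STATUS, RM_FPR, archive, "sha1",
                                 hashlib.sha1(archive).hexdigest()):
        print("-1:", finding)
```

Comparing the full fingerprint rather than the 8-character key id matters here, because short ids are not unique.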

