incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: [VOTE]: Release Apache Dubbo (Incubating) 2.6.2 [RC2]
Date Mon, 04 Jun 2018 08:05:50 GMT
Checks:

Source bundle:
- Hash and signature are correct
- Hash of tag matches the hash quoted in the release vote mail
- Contents of git tag match src bundle except for .gitignore file
- Maven build passes
- LICENSE and NOTICE look correct for source bundle
- LICENSE and NOTICE look correct for binary bundle

+1 to release



I have the following minor review comments (none of which warrant
another RC):

I strongly recommend that you include the full fingerprint of the
signing KEY in the KEYS file as well as the key ID. See [1] for an
example where some of the keys have this. A few years ago an attack was
demonstrated ([2], [3]) that show it was possible to create collisions
in the key ID. Using the full fingerprint mitigates this attack.

No concerns with the file name used. Just a comment that the usual
naming convention would be:
apache-dubbo-incubating-2.6.2-src.zip

I'd suggest including the .gitignore file in the src release.

I was a little surprised that the binary bundle was just the JARs rather
than something that a user could unpack and run via dubbo.sh /
dubbo.bat. There isn't anything wring with this, just not what I am used to.

Mark


[1] https://dist.apache.org/repos/dist/release/tomcat/tomcat-9/KEYS
[2] http://pgp.mit.edu/pks/lookup?op=get&search=0x10C01C5A2F6059E7
[3] http://pgp.mit.edu/pks/lookup?op=get&search=0xB6FB7A022F6059E7

On 29/05/18 09:47, Jun Liu wrote:
> Hello All,
> 
> This is a call for vote to release Apache Dubbo (Incubating) version 2.6.2.
> 
> The Apache Dubbo community has voted on and approved a proposal to release Apache Dubbo
(Incubating) version 2.6.2.
> 
> We now kindly request the Incubator PMC members review and vote on this incubator release.
> 
> Apache Dubbo™ (incubating) is a high-performance, java based, open source RPC framework.
Dubbo offers three key functionalities, which include interface based remote call, fault tolerance
& load balancing, and automatic service registration & discovery. 
> 
> Dubbo vote thread:
> https://lists.apache.org/thread.html/38560cb159a5c32d0cf98485c9fe791505fbc52d18d86a37713582f0@%3Cdev.dubbo.apache.org%3E
<https://lists.apache.org/thread.html/38560cb159a5c32d0cf98485c9fe791505fbc52d18d86a37713582f0@%3Cdev.dubbo.apache.org%3E>
> 
> Dubbo vote result thread:
> https://lists.apache.org/thread.html/0b1e022a32e136ff0a9b42e7ef7da5ccc7d256d175394c2d5858f1cf@%3Cdev.dubbo.apache.org%3E
<https://lists.apache.org/thread.html/0b1e022a32e136ff0a9b42e7ef7da5ccc7d256d175394c2d5858f1cf@%3Cdev.dubbo.apache.org%3E>
> 
> The release candidates:
> https://dist.apache.org/repos/dist/dev/incubator/dubbo/2.6.2 <https://dist.apache.org/repos/dist/dev/incubator/dubbo/2.6.2>
> 
> Git tag for the release:
> https://github.com/apache/incubator-dubbo/tree/dubbo-2.6.2 <https://github.com/apache/incubator-dubbo/tree/dubbo-2.6.2>

> 
> Hash for the release tag:
> 5eeb240337ccfbc820d4bde023d8cf643f33d735
> 
> Release Notes:
> https://github.com/apache/incubator-dubbo/blob/2.6.2-release/CHANGES.md <https://github.com/apache/incubator-dubbo/blob/2.6.2-release/CHANGES.md>
> 
> The artifacts have been signed with Key : 28681CB1, which can be found in the keys file:
> https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS <https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS>
> 
> The vote will be open for at least 72 hours or until necessary number of votes are reached.
> 
> Please vote accordingly:
> [ ] +1 approve 
> [ ] +0 no opinion 
> [ ] -1 disapprove with the reason
> 
> Thanks.
> Jun Liu,
> on behalf of The Apache Dubbo (Incubating) Team
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message