incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jun Liu <liu...@apache.org>
Subject Re: [VOTE]: Release Apache Dubbo (Incubating) 2.6.2 [RC2]
Date Mon, 04 Jun 2018 10:21:18 GMT
> I strongly recommend that you include the full fingerprint of the
> signing KEY in the KEYS file as well as the key ID. See [1] for an
> example where some of the keys have this. A few years ago an attack was
> demonstrated ([2], [3]) that show it was possible to create collisions
> in the key ID. Using the full fingerprint mitigates this attack.

The KEYS file I have updated with the full fingerprint added.

> No concerns with the file name used. Just a comment that the usual
> naming convention would be:
> apache-dubbo-incubating-2.6.2-src.zip

Will follow the naming convention for the next release.

> I'd suggest including the .gitignore file in the src release.

Will also add in the next release.

> I was a little surprised that the binary bundle was just the JARs rather
> than something that a user could unpack and run via dubbo.sh /
> dubbo.bat. There isn't anything wring with this, just not what I am used to.

Sure it would better be a packet for users to start Dubbo journey quickly, for example, packed
samples or quick start guides which can be started by a start.sh. We are preparing for these
samples and plan to replace current binary release in the next release.

Best regards,
Jun

> On 4 Jun 2018, at 4:05 PM, Mark Thomas <markt@apache.org> wrote:
> 
> Checks:
> 
> Source bundle:
> - Hash and signature are correct
> - Hash of tag matches the hash quoted in the release vote mail
> - Contents of git tag match src bundle except for .gitignore file
> - Maven build passes
> - LICENSE and NOTICE look correct for source bundle
> - LICENSE and NOTICE look correct for binary bundle
> 
> +1 to release
> 
> 
> 
> I have the following minor review comments (none of which warrant
> another RC):
> 
> I strongly recommend that you include the full fingerprint of the
> signing KEY in the KEYS file as well as the key ID. See [1] for an
> example where some of the keys have this. A few years ago an attack was
> demonstrated ([2], [3]) that show it was possible to create collisions
> in the key ID. Using the full fingerprint mitigates this attack.
> 
> No concerns with the file name used. Just a comment that the usual
> naming convention would be:
> apache-dubbo-incubating-2.6.2-src.zip
> 
> I'd suggest including the .gitignore file in the src release.
> 
> I was a little surprised that the binary bundle was just the JARs rather
> than something that a user could unpack and run via dubbo.sh /
> dubbo.bat. There isn't anything wring with this, just not what I am used to.
> 
> Mark
> 
> 
> [1] https://dist.apache.org/repos/dist/release/tomcat/tomcat-9/KEYS
> [2] http://pgp.mit.edu/pks/lookup?op=get&search=0x10C01C5A2F6059E7
> [3] http://pgp.mit.edu/pks/lookup?op=get&search=0xB6FB7A022F6059E7
> 
> On 29/05/18 09:47, Jun Liu wrote:
>> Hello All,
>> 
>> This is a call for vote to release Apache Dubbo (Incubating) version 2.6.2.
>> 
>> The Apache Dubbo community has voted on and approved a proposal to release Apache
Dubbo (Incubating) version 2.6.2.
>> 
>> We now kindly request the Incubator PMC members review and vote on this incubator
release.
>> 
>> Apache Dubbo™ (incubating) is a high-performance, java based, open source RPC framework.
Dubbo offers three key functionalities, which include interface based remote call, fault tolerance
& load balancing, and automatic service registration & discovery. 
>> 
>> Dubbo vote thread:
>> https://lists.apache.org/thread.html/38560cb159a5c32d0cf98485c9fe791505fbc52d18d86a37713582f0@%3Cdev.dubbo.apache.org%3E
<https://lists.apache.org/thread.html/38560cb159a5c32d0cf98485c9fe791505fbc52d18d86a37713582f0@%3Cdev.dubbo.apache.org%3E>
>> 
>> Dubbo vote result thread:
>> https://lists.apache.org/thread.html/0b1e022a32e136ff0a9b42e7ef7da5ccc7d256d175394c2d5858f1cf@%3Cdev.dubbo.apache.org%3E
<https://lists.apache.org/thread.html/0b1e022a32e136ff0a9b42e7ef7da5ccc7d256d175394c2d5858f1cf@%3Cdev.dubbo.apache.org%3E>
>> 
>> The release candidates:
>> https://dist.apache.org/repos/dist/dev/incubator/dubbo/2.6.2 <https://dist.apache.org/repos/dist/dev/incubator/dubbo/2.6.2>
>> 
>> Git tag for the release:
>> https://github.com/apache/incubator-dubbo/tree/dubbo-2.6.2 <https://github.com/apache/incubator-dubbo/tree/dubbo-2.6.2>

>> 
>> Hash for the release tag:
>> 5eeb240337ccfbc820d4bde023d8cf643f33d735
>> 
>> Release Notes:
>> https://github.com/apache/incubator-dubbo/blob/2.6.2-release/CHANGES.md <https://github.com/apache/incubator-dubbo/blob/2.6.2-release/CHANGES.md>
>> 
>> The artifacts have been signed with Key : 28681CB1, which can be found in the keys
file:
>> https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS <https://dist.apache.org/repos/dist/dev/incubator/dubbo/KEYS>
>> 
>> The vote will be open for at least 72 hours or until necessary number of votes are
reached.
>> 
>> Please vote accordingly:
>> [ ] +1 approve 
>> [ ] +0 no opinion 
>> [ ] -1 disapprove with the reason
>> 
>> Thanks.
>> Jun Liu,
>> on behalf of The Apache Dubbo (Incubating) Team
>> 
> 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message