incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian Feinauer <j.feina...@pragmaticminds.de>
Subject Re: [VOTE] Release Apache Milagro (incubating) Decentralized Trust Authority v0.1.0 (alpha release)
Date Wed, 02 Oct 2019 10:54:23 GMT
Hi all,

I change my vote to 

+1 (binding)

It seems like I had some issues on my machine and on another PC the builds work.
So my "major" concerns are no longer true and I change my vote.
So, from below my checks:
    - Keys present in KEYS file
    - Signatures and Hash match for all 3 artifacts
    - DISCLAIMER is present, see findings below
    - LICENSE and NOTICE
    - Building of sources 
    	- works for crypto C (`make`)
    	- works for crypt js (`npm install` and `npm test`)
    	- works for dta

The other "minor" findings should be corrected for the next release (see below).
Thanks to John for his support and work helping me with the release.

Best
Julian


Am 19.09.19, 23:01 schrieb "Julian Feinauer" <j.feinauer@pragmaticminds.de>:

    Hi,
    
    let me initially say, that the release locks pretty good and well prepared. But, unfortunately
I found two issues I would consider major, thus I vote
    
    -1 (binding)
    
    Remember, this is no VETO so this does not necessarily stop the release. But from my experience
its easier to fix things while you still are in release mode than after one. The two major
issues I see are the Headers and the failing build of dta.
    
    I checked:
    - Keys present in KEYS file
    - Signatures and Hash match for all 3 artifacts
    - DISCLAIMER is present, see findings below
    - LICENSE and NOTICE
    - Building of sources 
    	- works for crypto C (`make`)
    	- works for crypt js (`npm install`) but `npm test` fails, see below
    	- fails for dta, see below
    
    (Minor) Findings:
    - Why is the DISCLAIMER different(ly formatted) for dta than for crypto c/js ?
    
    (Less Minor) Findings:
    - Several Files do not have apache headers.  But at least "code" files like Dockerfile's
and bash scripts should for sure have some (also CMake).
    
    In dta these are, e.g.
    /.dockerignore
      25   ./.gitignore
      26   ./.travis.yml
      27   ./Dockerfile
      28   ./Dockerfile-alpine
      29   ./build-static.sh
      30   ./build.sh
      31   ./go.mod
      32   ./go.sum
      33   ./lint.sh
      34   ./report
      35   ./test.sh
      36   ./cmd/servicetester/e2e_test.sh
      37   ./cmd/servicetester/fulltest.sh
      38   ./cmd/servicetester/id_test.sh
      39   ./libs/crypto/libpqnist/CMakeLists.txt
      40   ./libs/crypto/libpqnist/CPackConfig.cmake
      41   ./libs/crypto/libpqnist/VERSION
      42   ./libs/crypto/libpqnist/cmake_uninstall.cmake.in
      43   ./libs/crypto/libpqnist/examples/CMakeLists.txt
      44   ./libs/crypto/libpqnist/include/CMakeLists.txt
      45   ./libs/crypto/libpqnist/src/CMakeLists.txt
      46   ./libs/crypto/libpqnist/test/smoke/CMakeLists.txt
      47   ./libs/crypto/libpqnist/testVectors/aes/CBCMMT256.rsp
      48   ./libs/documents/docs.pb.go
      49   ./libs/documents/docs.proto
      50   ./libs/documents/docs.validator.pb.go
      51   ./pkg/safeguardsecret/README.md
      52   ./pkg/safeguardsecret/open-api.yaml
    
    - When trying to build dta on MacOs via Docker I Get
    
    Digest: sha256:b88f8848e9a1a4e4558ba7cfc4acc5879e1d0e7ac06401409062ad2627e6fb58
    Status: Downloaded newer image for ubuntu:latest
     ---> 2ca708c1c9cc
    Step 2/29 : RUN apt-get update &&  apt-get install -y --no-install-recommends
    ca-certificates     cmake     g++     gcc     git     make     libtool     automake  
  libssl-dev
     ---> Running in f8a17dc7ab42
    Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
      403  Forbidden [IP: 91.189.88.31 80]
    Err:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
      403  Forbidden [IP: 91.189.88.31 80]
    Err:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
      403  Forbidden [IP: 91.189.88.31 80]
    Err:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
      403  Forbidden [IP: 91.189.88.31 80]
    Reading package lists...
    E: The repository 'http://archive.ubuntu.com/ubuntu bionic InRelease' is not signed.
    E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease  403  Forbidden
[IP: 91.189.88.31 80]
    E: The repository 'http://archive.ubuntu.com/ubuntu bionic-updates InRelease' is not signed.
    E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease  403
 Forbidden [IP: 91.189.88.31 80]
    E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease 
403  Forbidden [IP: 91.189.88.31 80]
    E: The repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' is not
signed.
    E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease 
403  Forbidden [IP: 91.189.88.31 80]
    E: The repository 'http://archive.ubuntu.com/ubuntu bionic-backports InRelease' is not
signed.
    The command '/bin/sh -c apt-get update &&  apt-get install -y --no-install-recommends
    ca-certificates     cmake     g++     gcc     git     make     libtool     automake  
  libssl-dev' returned a non-zero code: 100
    
    `npm test` fails for me with the following:
    1 failing
    
      1)
           TEST MPIN BLS461
             test MPin Kangaroo:
         AssertionError: expected 0 to equal 1111
          at Context.<anonymous> (test/test_MPIN.js:310:31)
          at processImmediate (internal/timers.js:443:21)
    
    
    
    npm ERR! Test failed.  See above for more details.
    
    Best and feel free to ask if something is unclear or needs discussion!
    Julian
    
    Am 19.09.19, 13:58 schrieb "Dave Fisher" <wave@apache.org>:
    
        Hi -
        
        +1 (binding)
        
        Keys present
        DISCLAIMER checked - See (3)
        LICENSE and NOTICE checked
        Signature and Hash checked
        Rat Check run - See (2) below.
        Did NOT build, I’m on a macOS - See (1) below.
        
        (1) In subsequent releases please make sure that the instructions are to build from
the source releases and NOT the GitHub tags as these are not immutable. Also the Docker files
and build shell scripts refer to GitHub and not the source release. I understand that these
distinctions may be difficult considering CI/CD vs. Release Policy.
        
        I also think that the Milagro Crypto dependency should be picked from a release and
not a Github tag.
        
        (2) I believe License headers should be added to:
          ./Dockerfile
          ./Dockerfile-alpine
          ./build-static.sh
          ./build.sh
          ./go.mod
          ./go.sum
          ./lint.sh
          ./test.sh 
          ./cmd/servicetester/e2e_test.sh
          ./cmd/servicetester/fulltest.sh
          ./cmd/servicetester/id_test.sh
          ./libs/crypto/libpqnist/CMakeLists.txt
          ./libs/crypto/libpqnist/CPackConfig.cmake
          ./libs/crypto/libpqnist/cmake_uninstall.cmake.in
          ./libs/crypto/libpqnist/examples/CMakeLists.txt
          ./libs/crypto/libpqnist/include/CMakeLists.txt
          ./libs/crypto/libpqnist/src/CMakeLists.txt
          ./libs/crypto/libpqnist/test/smoke/CMakeLists.txt
          ./libs/crypto/libpqnist/testVectors/aes/CBCMMT256.rsp
           ./libs/documents/docs.proto
          ./pkg/safeguardsecret/README.md
        
        (3) Consider use of the DISCLAIMER-WIP.
        
        Good to see progress here.
        
        Regards,
        Dave
        
        > On Sep 17, 2019, at 9:02 AM, John McCane-Whitney <john@qredo.com> wrote:
        > 
        > Hi,
        > 
        > This is a call to vote to release Apache Milagro (incubating) Decentralized Trust
Authority v0.1.0 (alpha release).
        > 
        > The Apache Milagro (incubating) community has voted to approve this release with
6 +1 votes.  The vote result thread can be found here:
        > 
        > https://lists.apache.org/thread.html/d4b0d5c1c1a2ed991104f0804d6faaaf70f32a865316d5aaf91e18bf@%3Cdev.milagro.apache.org%3E
        > 
        > RELEASE TAG:
        > Milagro Decentralized Trust Authority v0.1.0 (alpha release) release tag:
        > https://github.com/apache/incubator-milagro-dta/releases/tag/0.1.0
        > Please see the release notes at the above link for a full description and release
rationale.
        > 
        > DESCRIPTION SUMMARY:
        > The Apache Milagro (Incubating) Decentralized Trust Authority (D-TA) is a collaborative
key management server. It has two primary functions:
        > 
        > -Issue shares of identity-based Type-3 pairing secrets for initializing zero-knowledge
proof multi-factor authentication (ZKP-MFA) networks of clients and authentication servers.
        > -Safeguards shares of generic secrets, acting independently but in conjunction
with other D-TA nodes, for the benefit of other D-TA nodes.
        > 
        > In the use case where it issues shares, the D-TA holds nothing except for its
Master Secret and acts as a distributed private key generation server. In the use case where
it is safeguarding shares of secrets, it is up to the application developer to implement back-end
application logic to hold those shares securely. Examples include using Hardware Security
Modules (HSMs) via an on-board PKCS#11 implementation to create a realm of key encryption
keys, or multi-party computation through BLS signature aggregation.
        > 
        > RELEASE RATIONALE SUMMARY:
        > By default, the D-TA allows requests from a Principal's D-TA for an secp256k1
public key from a Fiduciary D-TA and then to subsequently allow the Principal to request its
corresponding private key. Whilst this may have utility on its own, the Milagro community's
intention is to extend the capability of the server over time to meet many key generation,
storage and distribution use cases. This will be achieved using the D-TA's plugin architecture,
and to this end, the initial release includes two plugins to demonstrate the D-TA's extensibility.
        > 
        > Subsequent releases will enable the D-TA to issue Type-3 pairing/identity based
secrets for "M-Pin" clients and servers ("M-Pin" is a zero-knowledge authentication protocol
in the milagro-crypto-c library that also facilitates multi-factor authentication). In parallel
with this will be a rewritten release of the Milagro MFA Authentication server (the original
authentication server was conflated with the D-TA function limiting its security efficacy).
        > 
        > The Milagro community is publishing this first release of the D-TA now to elicit
feedback from a wider community that may have interest in an open source, decentralized key
generation, storage and distribution solution. Our intention is to then to release a series
of enhanced versions culminating with a production-ready GA version.
        > 
        > Please see the README for build/test instructions and https://milagro.apache.org/docs/d-ta-overview
for a full overview and usage guide.
        > 
        > RELEASE FILES:
        > The repo has the required DISCLAIMER, NOTICE and LICENSE files in its root directory.
 All source files have the appropriate license header.  No binaries are included in this release.
 I have successfully built and ran the tests as per the instructions in the readme file on
Ubuntu 18, Ubuntu 19, Debian 10 and MacOS 10.14 Mojave.
        > 
        > Release links:
        > Source code archive: https://dist.apache.org/repos/dist/dev/incubator/milagro/apache-milagro-dta-0.1.0-incubating/apache-milagro-dta-0.1.0-incubating-src.tar.gz
        > SHA512 checksum: https://dist.apache.org/repos/dist/dev/incubator/milagro/apache-milagro-dta-0.1.0-incubating/apache-milagro-dta-0.1.0-incubating-src.tar.gz.sha512
        > PGP Signature: https://dist.apache.org/repos/dist/dev/incubator/milagro/apache-milagro-dta-0.1.0-incubating/apache-milagro-dta-0.1.0-incubating-src.tar.gz.asc
  
        > Keys: https://dist.apache.org/repos/dist/dev/incubator/milagro/KEYS
        > 
        > Please note that the project's website (https://milagro.apache.org) will be updated
with download links as soon as the release's approval has been completed and the archives
are available for public download.
        > 
        > We now kindly request that the Incubator PMC members review and vote on this
incubator release as follows:
        > 
        > [ ] +1 approve
        > [ ] +0 no opinion
        > [ ] -1 disapprove with the reason
        > 
        > Checklist for reference:
        > 
        > [ ] Download links are valid   
        > [ ] Checksums and PGP signatures are valid    
        > [ ] DISCLAIMER, LICENCE & NOTICE files are included    
        > [ ] Source code archives have correct names matching the current release.   
        > [ ] All source code files have licence headers    
        > [ ] No compiled binaries are included    
        > [ ] Library builds correctly and all tests pass (as per the instructions in the
readme file) 
        > 
        > The vote will be open for a minimum of 72 hours.  3 x +1 votes are required to
approve this release.
        > 
        > Many thanks,
        > 
        > John
        > 
        > John McCane-Whitney
        > Director of Product at Qredo Ltd
        > T: +44 7966 490687
        > Kemp House
        > 152 - 160 City Road
        > London
        > EC1V 2NX
        > https://qredo.com
        > Qredo Ltd is a limited company registered in England and Wales (registered number
7834052). This e-mail and any attachments are confidential, and are intended only for the
named addressee(s). If you are not the intended recipient you may not copy, disclose to anyone
else or otherwise use the content of this e-mail or any attachment thereto and should notify
the sender immediately and delete them from your system.
        > 
        > ---------------------------------------------------------------------
        > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
        > For additional commands, e-mail: general-help@incubator.apache.org
        > 
        
        
        ---------------------------------------------------------------------
        To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
        For additional commands, e-mail: general-help@incubator.apache.org
        
        
    
    

Mime
View raw message