incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian Feinauer <>
Subject Re: [VOTE] Release Apache Milagro (incubating) Decentralized Trust Authority v0.1.0 (alpha release)
Date Thu, 19 Sep 2019 21:01:12 GMT

let me initially say, that the release locks pretty good and well prepared. But, unfortunately
I found two issues I would consider major, thus I vote

-1 (binding)

Remember, this is no VETO so this does not necessarily stop the release. But from my experience
its easier to fix things while you still are in release mode than after one. The two major
issues I see are the Headers and the failing build of dta.

I checked:
- Keys present in KEYS file
- Signatures and Hash match for all 3 artifacts
- DISCLAIMER is present, see findings below
- Building of sources 
	- works for crypto C (`make`)
	- works for crypt js (`npm install`) but `npm test` fails, see below
	- fails for dta, see below

(Minor) Findings:
- Why is the DISCLAIMER different(ly formatted) for dta than for crypto c/js ?

(Less Minor) Findings:
- Several Files do not have apache headers.  But at least "code" files like Dockerfile's and
bash scripts should for sure have some (also CMake).

In dta these are, e.g.
  25   ./.gitignore
  26   ./.travis.yml
  27   ./Dockerfile
  28   ./Dockerfile-alpine
  29   ./
  30   ./
  31   ./go.mod
  32   ./go.sum
  33   ./
  34   ./report
  35   ./
  36   ./cmd/servicetester/
  37   ./cmd/servicetester/
  38   ./cmd/servicetester/
  39   ./libs/crypto/libpqnist/CMakeLists.txt
  40   ./libs/crypto/libpqnist/CPackConfig.cmake
  41   ./libs/crypto/libpqnist/VERSION
  42   ./libs/crypto/libpqnist/
  43   ./libs/crypto/libpqnist/examples/CMakeLists.txt
  44   ./libs/crypto/libpqnist/include/CMakeLists.txt
  45   ./libs/crypto/libpqnist/src/CMakeLists.txt
  46   ./libs/crypto/libpqnist/test/smoke/CMakeLists.txt
  47   ./libs/crypto/libpqnist/testVectors/aes/CBCMMT256.rsp
  48   ./libs/documents/docs.pb.go
  49   ./libs/documents/docs.proto
  50   ./libs/documents/docs.validator.pb.go
  51   ./pkg/safeguardsecret/
  52   ./pkg/safeguardsecret/open-api.yaml

- When trying to build dta on MacOs via Docker I Get

Digest: sha256:b88f8848e9a1a4e4558ba7cfc4acc5879e1d0e7ac06401409062ad2627e6fb58
Status: Downloaded newer image for ubuntu:latest
 ---> 2ca708c1c9cc
Step 2/29 : RUN apt-get update &&  apt-get install -y --no-install-recommends    
ca-certificates     cmake     g++     gcc     git     make     libtool     automake     libssl-dev
 ---> Running in f8a17dc7ab42
Err:1 bionic InRelease
  403  Forbidden [IP: 80]
Err:2 bionic-updates InRelease
  403  Forbidden [IP: 80]
Err:3 bionic-security InRelease
  403  Forbidden [IP: 80]
Err:4 bionic-backports InRelease
  403  Forbidden [IP: 80]
Reading package lists...
E: The repository ' bionic InRelease' is not signed.
E: Failed to fetch  403  Forbidden
[IP: 80]
E: The repository ' bionic-updates InRelease' is not signed.
E: Failed to fetch  403  Forbidden
[IP: 80]
E: Failed to fetch  403
 Forbidden [IP: 80]
E: The repository ' bionic-security InRelease' is not signed.
E: Failed to fetch  403
 Forbidden [IP: 80]
E: The repository ' bionic-backports InRelease' is not signed.
The command '/bin/sh -c apt-get update &&  apt-get install -y --no-install-recommends
    ca-certificates     cmake     g++     gcc     git     make     libtool     automake  
  libssl-dev' returned a non-zero code: 100

`npm test` fails for me with the following:
1 failing

       TEST MPIN BLS461
         test MPin Kangaroo:
     AssertionError: expected 0 to equal 1111
      at Context.<anonymous> (test/test_MPIN.js:310:31)
      at processImmediate (internal/timers.js:443:21)

npm ERR! Test failed.  See above for more details.

Best and feel free to ask if something is unclear or needs discussion!

Am 19.09.19, 13:58 schrieb "Dave Fisher" <>:

    Hi -
    +1 (binding)
    Keys present
    DISCLAIMER checked - See (3)
    LICENSE and NOTICE checked
    Signature and Hash checked
    Rat Check run - See (2) below.
    Did NOT build, I’m on a macOS - See (1) below.
    (1) In subsequent releases please make sure that the instructions are to build from the
source releases and NOT the GitHub tags as these are not immutable. Also the Docker files
and build shell scripts refer to GitHub and not the source release. I understand that these
distinctions may be difficult considering CI/CD vs. Release Policy.
    I also think that the Milagro Crypto dependency should be picked from a release and not
a Github tag.
    (2) I believe License headers should be added to:
    (3) Consider use of the DISCLAIMER-WIP.
    Good to see progress here.
    > On Sep 17, 2019, at 9:02 AM, John McCane-Whitney <> wrote:
    > Hi,
    > This is a call to vote to release Apache Milagro (incubating) Decentralized Trust
Authority v0.1.0 (alpha release).
    > The Apache Milagro (incubating) community has voted to approve this release with
6 +1 votes.  The vote result thread can be found here:
    > Milagro Decentralized Trust Authority v0.1.0 (alpha release) release tag:
    > Please see the release notes at the above link for a full description and release
    > The Apache Milagro (Incubating) Decentralized Trust Authority (D-TA) is a collaborative
key management server. It has two primary functions:
    > -Issue shares of identity-based Type-3 pairing secrets for initializing zero-knowledge
proof multi-factor authentication (ZKP-MFA) networks of clients and authentication servers.
    > -Safeguards shares of generic secrets, acting independently but in conjunction with
other D-TA nodes, for the benefit of other D-TA nodes.
    > In the use case where it issues shares, the D-TA holds nothing except for its Master
Secret and acts as a distributed private key generation server. In the use case where it is
safeguarding shares of secrets, it is up to the application developer to implement back-end
application logic to hold those shares securely. Examples include using Hardware Security
Modules (HSMs) via an on-board PKCS#11 implementation to create a realm of key encryption
keys, or multi-party computation through BLS signature aggregation.
    > By default, the D-TA allows requests from a Principal's D-TA for an secp256k1 public
key from a Fiduciary D-TA and then to subsequently allow the Principal to request its corresponding
private key. Whilst this may have utility on its own, the Milagro community's intention is
to extend the capability of the server over time to meet many key generation, storage and
distribution use cases. This will be achieved using the D-TA's plugin architecture, and to
this end, the initial release includes two plugins to demonstrate the D-TA's extensibility.
    > Subsequent releases will enable the D-TA to issue Type-3 pairing/identity based secrets
for "M-Pin" clients and servers ("M-Pin" is a zero-knowledge authentication protocol in the
milagro-crypto-c library that also facilitates multi-factor authentication). In parallel with
this will be a rewritten release of the Milagro MFA Authentication server (the original authentication
server was conflated with the D-TA function limiting its security efficacy).
    > The Milagro community is publishing this first release of the D-TA now to elicit
feedback from a wider community that may have interest in an open source, decentralized key
generation, storage and distribution solution. Our intention is to then to release a series
of enhanced versions culminating with a production-ready GA version.
    > Please see the README for build/test instructions and
for a full overview and usage guide.
    > The repo has the required DISCLAIMER, NOTICE and LICENSE files in its root directory.
 All source files have the appropriate license header.  No binaries are included in this release.
 I have successfully built and ran the tests as per the instructions in the readme file on
Ubuntu 18, Ubuntu 19, Debian 10 and MacOS 10.14 Mojave.
    > Release links:
    > Source code archive:
    > SHA512 checksum:
    > PGP Signature:
    > Keys:
    > Please note that the project's website ( will be updated
with download links as soon as the release's approval has been completed and the archives
are available for public download.
    > We now kindly request that the Incubator PMC members review and vote on this incubator
release as follows:
    > [ ] +1 approve
    > [ ] +0 no opinion
    > [ ] -1 disapprove with the reason
    > Checklist for reference:
    > [ ] Download links are valid   
    > [ ] Checksums and PGP signatures are valid    
    > [ ] DISCLAIMER, LICENCE & NOTICE files are included    
    > [ ] Source code archives have correct names matching the current release.   
    > [ ] All source code files have licence headers    
    > [ ] No compiled binaries are included    
    > [ ] Library builds correctly and all tests pass (as per the instructions in the readme
    > The vote will be open for a minimum of 72 hours.  3 x +1 votes are required to approve
this release.
    > Many thanks,
    > John
    > John McCane-Whitney
    > Director of Product at Qredo Ltd
    > T: +44 7966 490687
    > Kemp House
    > 152 - 160 City Road
    > London
    > EC1V 2NX
    > Qredo Ltd is a limited company registered in England and Wales (registered number
7834052). This e-mail and any attachments are confidential, and are intended only for the
named addressee(s). If you are not the intended recipient you may not copy, disclose to anyone
else or otherwise use the content of this e-mail or any attachment thereto and should notify
the sender immediately and delete them from your system.
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail:
    > For additional commands, e-mail:
    To unsubscribe, e-mail:
    For additional commands, e-mail:

View raw message