Link to KEYS file on our download page


Julian Foad-5
Hello, devs. Apparently our handling of the KEYS file needs to change: see below.

Is anybody willing to handle this?

- Julian


----- Original message -----
From: [hidden email]
Subject: Returned post for [hidden email]

Sorry, but the download page is missing a required link to the KEYS file.
The URL must be of the form: https://www.apache.org/dist/<project>/KEYS

Links to http://people.apache.org/ are not acceptable; see the note here:
https://people.apache.org/keys/

Please resubmit the announce email when this has been corrected.
Thanks,

Sebb

I'm happy to announce the release of Apache Subversion 1.12.0-rc1.
Please choose the mirror closest to you by visiting:

    https://subversion.apache.org/download.cgi#pre-releases

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.12.0-rc1.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.12.0-rc1.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.12.0-rc1.zip.sha512

PGP Signatures are available at:

    https://www.apache.org/dist/subversion/subversion-1.12.0-rc1.tar.bz2.asc
    https://www.apache.org/dist/subversion/subversion-1.12.0-rc1.tar.gz.asc
    https://www.apache.org/dist/subversion/subversion-1.12.0-rc1.zip.asc

For this release, the following people have provided PGP signatures:

   Julian Foad [4096R/1FB064B84EECC493] with fingerprint:
    6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
    8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
   Stefan Fuhrmann [4096R/99EC741B57921ACC] with fingerprint:
    056F 8016 D9B8 7B1B DE41  7467 99EC 741B 5792 1ACC

This is a pre-release for what will eventually become version 1.12.0 of the
Apache Subversion open source version control system.  It may contain known
issues, a complete list of 1.12.0-blocking issues can be found
here:

    https://issues.apache.org/jira/issues/?jql=project%20%3D%20SVN%20AND%20resolution%20%3D%20Unresolved%20AND%20fixVersion%20%3D%201.12.0%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC

A pre-release means the Subversion developers feel that this release
is ready for widespread testing by the community.  There are known issues
(and unknown ones!), so please use it at your own risk, though we do
encourage people to test this release thoroughly.  Of particular note, please
remember that persistent data, such as the working copy or repository
formats may change before the final release, and there may not be an
upgrade path from the pre-releases to the final.

As a note to operating system distro packagers: while we wish to have this
release candidate widely tested, we do not feel that it is ready for packaging
and providing to end-users through a distro package system.  Packaging a
release candidate poses many problems, the biggest being that our policy lets
us break compatibility between the release candidate and the final release, if
we find something serious enough.  Having many users depending on a release
candidate through their distro would cause no end of pain and frustration that
we do not want to have to deal with.  However, if your distro has a branch that
is clearly labeled as containing experimental and often broken software, and
explicitly destined to consenting developers and integrators only, then we're
okay with packaging the release candidate there.  Just don't let it near the
end users please.


Release notes for the 1.12.x release series may be found at:

    https://subversion.apache.org/docs/release-notes/1.12.html

You can find the list of changes between 1.12.0-rc1 and earlier versions at:

    https://svn.apache.org/repos/asf/subversion/tags/1.12.0-rc1/CHANGES

Questions, comments, and bug reports to [hidden email].

Thanks,
- The Subversion Team

--
To unsubscribe, please see:

    https://subversion.apache.org/mailing-lists.html#unsubscribing


Re: Link to KEYS file on our download page

Daniel Shahaf-2
Julian Foad wrote on Tue, 12 Mar 2019 16:34 +00:00:
> Hello, devs. Apparently our handling of the KEYS file needs to change:
> see below.
>
> Is anybody willing to handle this?

I replied on dev@whimsical arguing that an ASF-wide mechanism should be
put in place for automatically generating KEYS files meeting the
requirements stated on the referenced page and suggesting an implementation.

In the meantime, if those alleged requirements are actually Foundation
policy then we should manually copy /keys/group/subversion.asc to
/dist/release/KEYS.

Cheers,

Daniel

> - Julian
>
>
> ----- Original message -----
> From: [hidden email]
> Subject: Returned post for [hidden email]
>
> Sorry, but the download page is missing a required link to the KEYS file.
> The URL must be of the form: https://www.apache.org/dist/<project>/KEYS
>
> Links to http://people.apache.org/ are not acceptable; see the note here:
> https://people.apache.org/keys/
>
> Please resubmit the announce email when this has been corrected.
> Thanks,
>
> Sebb
>

Re: Link to KEYS file on our download page

Julian Foad-5
Daniel Shahaf wrote:
> I replied on dev@whimsical arguing that an ASF-wide mechanism should be
> put in place for automatically generating KEYS files meeting the
> requirements stated on the referenced page and suggesting an implementation.

Thanks! Sounds good. For anyone wanting to read or follow, that reply is at:
https://lists.apache.org/thread.html/44164aa23523861a8f5b516de791a15f10846bc2aec8620732c481c8@%3Cdev.whimsical.apache.org%3E

> In the meantime, if those alleged requirements are actually Foundation
> policy then we should manually copy /keys/group/subversion.asc to
> /dist/release/KEYS.

Let's see if we can get traction on your proposal.

--
- Julian

Re: Link to KEYS file on our download page

Julian Foad-5
Julian Foad wrote on 2019-03-13:

> Daniel Shahaf wrote:
>> I replied on dev@whimsical arguing that an ASF-wide mechanism should be
>> put in place for automatically generating KEYS files meeting the
>> requirements stated on the referenced page and suggesting an implementation.
>
> Thanks! Sounds good. For anyone wanting to read or follow, that reply is at:
> https://lists.apache.org/thread.html/44164aa23523861a8f5b516de791a15f10846bc2aec8620732c481c8@%3Cdev.whimsical.apache.org%3E
>
>> In the meantime, if those alleged requirements are actually Foundation
>> policy then we should manually copy /keys/group/subversion.asc to
>> /dist/release/KEYS.
>
> Let's see if we can get traction on your proposal.

Nothing happened there.

I have now manually added a copy
of https://people.apache.org/keys/group/subversion.asc
to https://www.apache.org/dist/subversion/KEYS
via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
and updated our download page to point to it (r1867780).

- Julian


Re: Link to KEYS file on our download page

Daniel Shahaf-2
Julian Foad wrote on Mon, 30 Sep 2019 16:34 +00:00:
> Nothing happened there.
>
> I have now manually added a copy
> of https://people.apache.org/keys/group/subversion.asc
> to https://www.apache.org/dist/subversion/KEYS
> via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> and updated our download page to point to it (r1867780).

Thanks.

However, I still wonder why we shouldn't have this command run automatically —
.
    curl -sSf https://people.apache.org/keys/group/subversion.asc | svnmucc -U https://dist.apache.org/repos/dist/ put /dev/stdin dev/subversion/subversion-1.13.0-rc1.KEYS
.
— and be done with it for good.  It could be run from release.py, for example.

Re: Link to KEYS file on our download page

Nathan Hartman
In reply to this post by Julian Foad-5
Nathan Hartman wrote:
> The ASF committer keys list (https://people.apache.org/keys/committer/)
> is showing my key as "key not found." Not really sure what to do about
> that.

I checked again and my key is found now. :-)

> Also, some ASF help page (that I can't seem to locate now) said I need
> to add my key to a KEYS file. Not sure where that is.

Well this answers that question!

If there's anything else I need to do, please let me know.

Re: Link to KEYS file on our download page

Daniel Shahaf-2
In reply to this post by Daniel Shahaf-2
Daniel Shahaf wrote on Mon, Sep 30, 2019 at 17:00:23 +0000:

> Julian Foad wrote on Mon, 30 Sep 2019 16:34 +00:00:
> > Nothing happened there.
> >
> > I have now manually added a copy
> > of https://people.apache.org/keys/group/subversion.asc
> > to https://www.apache.org/dist/subversion/KEYS
> > via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> > and updated our download page to point to it (r1867780).
>
> Thanks.
>
> However, I still wonder why we shouldn't have this command run automatically —
> .
>     curl -sSf https://people.apache.org/keys/group/subversion.asc | svnmucc -U https://dist.apache.org/repos/dist/ put /dev/stdin dev/subversion/subversion-1.13.0-rc1.KEYS
> .
> — and be done with it for good.  It could be run from release.py, for example.

I think the following should do it, though we may want to ask Infra to add
a «*.KEYS» pattern to their rsyncd.conf exclude= line, to prevent the *.KEYS
files from being mirrored.  (That's already true for *.asc files.)

[[[
release.py: Automatically add to dist/ a current KEYS file with each release.

In particular, this means versioned KEYS files will be archived to
archive.a.o/dist/, and will continue to contain keys after those have
been removed from a committer's id.a.o profile.

* tools/dist/release.py
  (download_file): Make checksum verification opt-outable.
  (roll_tarballs): Download the KEYS file to the target directory.
    Rely on TLS for authenticity and integrity of the downloaded
    file (as we already do for authenticity and integrity of the subsequent
    commit operation).

* tools/dist/templates/download.ezt,
* tools/dist/templates/rc-release-ann.ezt,
* tools/dist/templates/stable-release-ann.ezt:
    Link to the per-release KEYS file.
]]]

[[[
Index: tools/dist/release.py
===================================================================
--- tools/dist/release.py (revision 1867888)
+++ tools/dist/release.py (working copy)
@@ -294,7 +294,14 @@ def run_script(verbose, script, hide_stderr=False)
     for l in script.split('\n'):
         run_command(l.split(), verbose, hide_stderr)
 
-def download_file(url, target, checksum):
+def download_file(url, target, checksum):
+    """Download the file at URL to the local path TARGET.
+    If CHECKSUM is a string, verify the checksum of the downloaded
+    file and raise RuntimeError if it does not match.  If CHECKSUM
+    is None, do not verify the downloaded file.
+    """
+    assert checksum is None or isinstance(checksum, str)
+
     response = urllib2.urlopen(url)
     target_file = open(target, 'w+')
     target_file.write(response.read())
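Review bot: the type check `assert checksum is None or isinstance(checksum, str)` will reject a unicode checksum under Python 2, which this file targets judging by the `urllib2.urlopen` call two lines below; `isinstance(checksum, basestring)` or a `str()` at the call site would be safer. The new docstring says `None` skips verification but not what the caller is then trusting; since the download goes through `urllib2.urlopen` with no further control, the docstring could state plainly that with `None` the file's authenticity rests on TLS alone, as the commit message already does.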
@@ -303,7 +310,7 @@ def run_script(verbose, script, hide_stderr=False)
     m.update(target_file.read())
     target_file.close()
     checksum2 = m.hexdigest()
-    if checksum != checksum2:
+    if checksum is not None and checksum != checksum2:
         raise RuntimeError("Checksum mismatch for '%s': "\
                            "downloaded: '%s'; expected: '%s'" % \
                            (target, checksum, checksum2))
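Review bot: the labels in the RuntimeError message are swapped relative to the arguments: the format string reads `downloaded: '%s'; expected: '%s'` but the tuple is `(target, checksum, checksum2)`, where `checksum` is the expected value and `checksum2` is the digest computed from the download. This is pre-existing, but the hunk already touches the line above, so changing the tuple to `(target, checksum2, checksum)` would be a cheap fix. Also, when `checksum is None` the file is still read back and hashed; harmless, but the read and `m.update` could be skipped in that case.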
@@ -966,7 +973,12 @@ def roll_tarballs(args):
         shutil.copy(os.path.join(get_workdir(args.base_dir),
                                  'subversion', 'include', 'svn_version.h'),
                     os.path.join(get_target(args),
-                                 'svn_version.h.dist-%s' % str(args.version)))
+                                 'svn_version.h.dist-%s'
+                                   % (str(args.version),)))
+        download_file(KEYS,
+                      os.path.join(get_target(args),
+                                   'subversion-%s.KEYS' % (str(args.version),)),
+                      None)
 
     # And we're done!
 
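Review bot: `KEYS` is passed as the URL to `download_file` but is not defined anywhere in this hunk; make sure the constant is introduced in the same commit or `roll_tarballs` will fail with a NameError. With `None` as the checksum, the integrity of the keyring that gets committed next to the tarballs rests entirely on the TLS connection made by `urllib2.urlopen`, and `urllib2` only validates server certificates on Python 2.7.9 and later, so a minimum-version note in the script would make that assumption explicit. A cheap sanity check after the download (for example, that the file contains at least one `-----BEGIN PGP PUBLIC KEY BLOCK-----` line, or the fingerprints listed in siginfo) would catch an error page or an empty response before it is published.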
Index: tools/dist/templates/download.ezt
===================================================================
--- tools/dist/templates/download.ezt (revision 1867888)
+++ tools/dist/templates/download.ezt (working copy)
@@ -4,10 +4,12 @@
   <th>File</th>
   <th>Checksum (SHA512)</th>
   <th>Signatures</th>
+  <th>PGP Public Keys</th>
 </tr>
 [for fileinfo]<tr>
   <td><a href="[[]preferred]subversion/[fileinfo.filename]">[fileinfo.filename]</a></td>
   <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].sha512">SHA-512</a>]</td>
-  <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP</a>]</td>
+  <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP signatures</a>]</td>
+  <td>[<a href="https://www.apache.org/dist/subversion/subversion-[version].KEYS">PGP keyring</a>]</td>
 </tr>[end]
 </table>
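Review bot: the new `<td>` inside `[for fileinfo]` references `[version]`, while every other variable in the loop comes from `fileinfo`; confirm that `version` is in the template context for download.ezt (it is not shown in this diff), otherwise the cell renders empty or breaks the build. Since the keyring link is identical for every row, a single link above or below the table would read better than repeating it per file and would keep the table from widening. Minor: the header says "PGP Public Keys" and the cell says "PGP keyring"; pick one term.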
Index: tools/dist/templates/rc-release-ann.ezt
===================================================================
--- tools/dist/templates/rc-release-ann.ezt (revision 1867888)
+++ tools/dist/templates/rc-release-ann.ezt (working copy)
@@ -23,6 +23,10 @@ PGP Signatures are available at:
 For this release, the following people have provided PGP signatures:
 
 [siginfo]
+These public keys are available at:
+
+    https://www.apache.org/dist/subversion/subversion-[version].KEYS
+
 This is a pre-release for what will eventually become version [major-minor-patch] of the
 Apache Subversion open source version control system.  It may contain known
 issues, a complete list of [major-minor-patch]-blocking issues can be found
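Review bot: the added block follows `[siginfo]` with no blank line before "These public keys are available at:", so it only renders cleanly if `siginfo` always ends with a trailing blank line. The existing template already relies on that for the "This is a pre-release" paragraph, so it is consistent, but a short comment in the template would save the next editor from guessing. Consider also adding a few words saying these are the keys to import before verifying the `.asc` signatures, so readers know what the link is for.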
Index: tools/dist/templates/stable-release-ann.ezt
===================================================================
--- tools/dist/templates/stable-release-ann.ezt (revision 1867888)
+++ tools/dist/templates/stable-release-ann.ezt (working copy)
@@ -34,6 +34,10 @@ PGP Signatures are available at:
 For this release, the following people have provided PGP signatures:
 
 [siginfo]
+These public keys are available at:
+
+    https://www.apache.org/dist/subversion/subversion-[version].KEYS
+
 Release notes for the [major-minor].x release series may be found at:
 
     https://subversion.apache.org/docs/release-notes/[major-minor].html
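Review bot: this is the same four-line block as in rc-release-ann.ezt, and the two copies will drift over time. If the ezt setup used here supports an include directive, a shared fragment would keep them in sync; otherwise this is fine as is, and the same note about the blank line after `[siginfo]` applies.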
]]]

Cheers,

Daniel
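Both the curl-into-svnmucc one-liner proposed earlier in this thread and the `download_file(KEYS, ..., None)` call in the patch above publish whatever people.apache.org served, trusting TLS alone. The script below is an added example (not release.py and not Subversion project code) of the check a release script could run on the downloaded file before committing it: it dearmors the KEYS file, computes the v4 fingerprint of each primary key as RFC 4880 section 12.2 specifies, and reports any signer fingerprint from the announcement's siginfo block that the keyring does not contain. All function names are mine, and the embedded sample KEYS text is constructed from a synthetic key packet with a throwaway modulus, not a real key.

```python
import base64
import hashlib
import re
import struct

# Packet tag from RFC 4880 section 4.3: 6 = public-key packet (primary key).
PRIMARY_KEY_TAG = 6


def dearmor_blocks(text):
    """Return the decoded binary payload of every armored public key block.

    KEYS files as generated by ASF tooling interleave gpg listing text
    ("pub ...", "uid ...") with the armored blocks; text outside the
    BEGIN/END markers is ignored, as is the optional "=XXXX" CRC24 line.
    """
    payloads, inside, past_headers, lines = [], False, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP PUBLIC KEY BLOCK-----":
            inside, past_headers, lines = True, False, []
        elif line == "-----END PGP PUBLIC KEY BLOCK-----":
            if inside:
                payloads.append(base64.b64decode("".join(lines)))
            inside = False
        elif inside and not past_headers:
            past_headers = (line == "")   # blank line ends the armor headers
        elif inside and not line.startswith("="):
            lines.append(line)
    return payloads


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def extract_fingerprints(keys_text):
    """Fingerprints of every primary key found in an armored KEYS file."""
    return {v4_fingerprint(body)
            for payload in dearmor_blocks(keys_text)
            for tag, body in iter_packets(payload)
            if tag == PRIMARY_KEY_TAG}


def normalize(fingerprint):
    """'6011 63CF ...' as printed in announcements -> '601163CF...'."""
    return re.sub(r"\s+", "", fingerprint).upper()


def missing_fingerprints(keys_text, required):
    """Required signer fingerprints that the KEYS file does not contain."""
    return {normalize(f) for f in required} - extract_fingerprints(keys_text)


def _mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def make_sample_keys_text():
    """Constructed sample KEYS file: one synthetic v4 RSA key packet with a
    throwaway modulus (not a real key), wrapped in armor the way gpg prints it."""
    body = (b"\x04" + struct.pack(">I", 1569859200) + b"\x01"   # v4, creation time, RSA
            + _mpi(0xC0FFEE0DEADBEEF123456789ABCDEF0001) + _mpi(65537))
    packet = b"\x99" + struct.pack(">H", len(body)) + body      # old-format tag 6, 2-byte length
    text = ("pub   rsa4096 2019-09-30 [SC]\n"
            "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            "\n"
            + base64.b64encode(packet).decode("ascii") + "\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")
    return text, hashlib.sha1(packet).hexdigest().upper()


SAMPLE_KEYS_TEXT, SAMPLE_FINGERPRINT = make_sample_keys_text()

if __name__ == "__main__":
    # In a release script the second argument would be the siginfo fingerprints.
    missing = missing_fingerprints(SAMPLE_KEYS_TEXT, [SAMPLE_FINGERPRINT])
    print("missing signer keys:", sorted(missing) or "none")
```

A release script would call `missing_fingerprints()` on the file it just downloaded with the fingerprints it is about to print in the announcement, and refuse to commit if the set is non-empty: that catches an HTML error page, a truncated download, and a keyring from which a signer's key has since been removed, none of which TLS alone detects. The parser deliberately refuses partial-body and indeterminate lengths rather than guessing, since a keyring that needs them is not something gpg's export produces.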


Re: Link to KEYS file on our download page

Daniel Shahaf-2
In reply to this post by Nathan Hartman
Nathan Hartman wrote on Wed, 02 Oct 2019 15:41 +00:00:
> Nathan Hartman wrote:
> > The ASF committer keys list (https://people.apache.org/keys/committer/)
> > is showing my key as "key not found." Not really sure what to do about
> > that.
>
> I checked again and my key is found now. :-)

I can retrieve it too (two successes out of two attempts).

> > Also, some ASF help page (that I can't seem to locate now) said I need
> > to add my key to a KEYS file. Not sure where that is.
>
> Well this answers that question!
>
> If there's anything else I need to do, please let me know.

For bonus points, get your key cross-signed and linked to the web of trust :)

Cheers,

Daniel

Re: Link to KEYS file on our download page

Nathan Hartman
On Wed, Oct 2, 2019 at 1:32 PM Daniel Shahaf <[hidden email]> wrote:
> Nathan Hartman wrote on Wed, 02 Oct 2019 15:41 +00:00:
> > If there's anything else I need to do, please let me know.
>
> For bonus points, get your key cross-signed and linked to the web of trust :)

Agreed. I am keeping an eye out for key signing opportunities...

Re: Link to KEYS file on our download page

Julian Foad-5
In reply to this post by Julian Foad-5
Julian Foad wrote on 2019-09-30:

> Julian Foad wrote on 2019-03-13:
>> Daniel Shahaf wrote:
>>> I replied on dev@whimsical arguing that an ASF-wide mechanism should be
>>> put in place for automatically generating KEYS files meeting the
>>> requirements stated on the referenced page and suggesting an
>>> implementation.
>>
>> Thanks! Sounds good. For anyone wanting to read or follow, that reply
>> is at:
>> https://lists.apache.org/thread.html/44164aa23523861a8f5b516de791a15f10846bc2aec8620732c481c8@%3Cdev.whimsical.apache.org%3E 
>>
>>> In the meantime, if those alleged requirements are actually Foundation
>>> policy then we should manually copy /keys/group/subversion.asc to
>>> /dist/release/KEYS.
>>
>> Let's see if we can get traction on your proposal.
>
> Nothing happened there.
>
> I have now manually added a copy
> of https://people.apache.org/keys/group/subversion.asc
> to https://www.apache.org/dist/subversion/KEYS
> via https://dist.apache.org/repos/dist/release/subversion/KEYS (r36130)
> and updated our download page to point to it (r1867780).


Daniel has now committed http://svn.apache.org/r1869135 ,
"Automatically add to dist/ a current KEYS file with each release."

I am putting this in place just in time for 1.13.0.

The 1.13.0 downloads table on
http://subversion-staging.apache.org/download.cgi#recommended-release
now includes links to
https://www.apache.org/dist/subversion/subversion-1.13.0.KEYS

- Julian