Apache NiFi MiNiFi 0.5.0 RC2 Release Helper Guide

Apache NiFi MiNiFi 0.5.0 RC2 Release Helper Guide

Jeremy Dyer-2
Hello Apache NiFi community,

Please find the associated guidance to help those interested in
validating/verifying the release so they can vote.

# Download latest KEYS file:
  https://dist.apache.org/repos/dist/dev/nifi/KEYS

# Import keys file:
  gpg --import KEYS

# [optional] Clear out local maven artifact repository

# Pull down minifi-0.5.0 source release artifacts for review:

  wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip
  wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.asc
  wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.sha1
  wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.sha256

# Verify the signature
  gpg --verify minifi-0.5.0-source-release.zip.asc

# Verify the hashes (sha1 and sha256) match the source and what was
provided in the vote email thread
  sha1sum minifi-0.5.0-source-release.zip
  sha256sum minifi-0.5.0-source-release.zip

# Unzip minifi-0.5.0-source-release.zip

# Verify the build works including release audit tool (RAT) checks
  cd minifi-0.5.0
  mvn clean install -Pcontrib-check

# Verify the contents contain a good README, NOTICE, and LICENSE.

# Verify the git commit ID is correct

# Verify the RC was branched off the correct git commit ID


There are three convenience binaries generated as part of this process.
The MiNiFi assembly, a MiNiFi Toolkit assembly, and a MiNiFi C2 Assembly.

For the MiNiFi assembly:

# Look at the resulting convenience binary as found in
minifi-assembly/target

# Make sure the README, NOTICE, and LICENSE are present and correct

# Run the resulting convenience binary and make sure it works as expected


For the MiNiFi Toolkit assembly:

# Look at the resulting convenience binary as found in
minifi-toolkit/minifi-toolkit-assembly/target

# Make sure the README, NOTICE, and LICENSE are present and correct

# Run the resulting convenience binary and make sure it works as expected


For the MiNiFi C2 assembly:

# Look at the resulting convenience binary as found in
minifi-c2/minifi-c2-assembly/target

# Make sure the README, NOTICE, and LICENSE are present and correct

# Run the resulting convenience binary and make sure it works as expected



# Send a response to the vote thread indicating a +1, 0, -1 based on your
findings.


Thank you for your time and effort to validate the release!
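
The hash step of the guide above, as an added example that is not part of the original post: it checks that the digest you compute, the digest file published beside the artifact, and the digest quoted in the vote email all agree. The function names are illustrative and the demo file is constructed.

```shell
#!/bin/sh
# Added example, not part of the release guide. Function names are illustrative.

# First token of a checksum file, lower-cased. Covers a bare digest and the
# "digest  filename" layout written by sha1sum/sha256sum.
published_digest() {
  awk 'NR == 1 { print tolower($1) }' "$1"
}

# compute_digest ALGO FILE -> hex digest on stdout (ALGO: sha1 or sha256)
compute_digest() {
  case $1 in
    sha1)   sha1sum   "$2" | awk '{ print $1 }' ;;
    sha256) sha256sum "$2" | awk '{ print $1 }' ;;
    *)      echo "unsupported algorithm: $1" >&2; return 2 ;;
  esac
}

# check_release_digest ALGO ARTIFACT DIGEST_FILE VOTE_EMAIL_DIGEST
# Prints a verdict; returns 0 only when all three values are identical.
check_release_digest() {
  crd_actual=$(compute_digest "$1" "$2") || return 2
  crd_file=$(published_digest "$3" 2>/dev/null) || crd_file=""
  crd_vote=$(printf '%s' "$4" | tr 'A-F' 'a-f')
  # An empty value must never count as a match (missing or truncated download).
  if [ -z "$crd_actual" ] || [ -z "$crd_file" ] || [ -z "$crd_vote" ]; then
    echo "incomplete"; return 1
  fi
  if [ "$crd_actual" != "$crd_file" ]; then echo "mismatch-digest-file"; return 1; fi
  if [ "$crd_actual" != "$crd_vote" ]; then echo "mismatch-vote-email"; return 1; fi
  echo "match"
}

# Demo on a constructed three-byte file ("abc"), not the real release artifact.
demo=$(mktemp -d)
printf 'abc' > "$demo/sample.zip"
echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.zip" \
  > "$demo/sample.zip.sha256"
check_release_digest sha256 "$demo/sample.zip" "$demo/sample.zip.sha256" \
  BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
rm -rf "$demo"
```

A matching digest only shows the download is intact relative to the published value; the gpg signature check is what ties the artifact to the release manager's key.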

Re: Apache NiFi MiNiFi 0.5.0 RC2 Release Helper Guide

Andrew Psaltis
+1 (non-binding)

- verified keys
- verified signatures
- verified READMEs, NOTICE and LICENSE
- tested c2 NiFiRestConfigurationProvider with NiFi 1.6.0 and minifi from
this build, various changes to template -- bumping versions, etc.

One thing I noticed when verifying the keys, which I am not sure is an
issue, is the WARNING that the key is not certified with a trusted
signature. The following is the output from the command:

gpg: assuming signed data in 'minifi-0.5.0-source-release.zip'
gpg: Signature made Fri Jun 29 00:31:10 2018 +08
gpg:                using RSA key 50AA60AD5D58311187B0BEB5C6E550DA6B295AD5
gpg:                issuer "[hidden email]"
gpg: Good signature from "Jeremy Dyer (CODE SIGNING KEY) <[hidden email]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 50AA 60AD 5D58 3111 87B0  BEB5 C6E5 50DA 6B29 5AD5



Re: Apache NiFi MiNiFi 0.5.0 RC2 Release Helper Guide

Andy LoPresto-2
Hi Andrew,

A couple things:

* You accidentally replied to the release helper guide; I think you meant to vote on the [VOTE] thread
* the warning message you received during GPG verification simply means that you had not previously marked Jeremy’s key as “trusted” via your GPG application. The intended process is:

* Jeremy posts his public key on a key server
* You verify Jeremy’s key via a different channel (chat/in-person/voice verification) — this is where the key fingerprint is useful; he can read it over the phone and you, knowing his voice, can verify that he is using the key ostensibly published by him
* If you do not know Jeremy or cannot contact him, you can delegate that trust verification to someone else. For example, I have verified the key fingerprint with Jeremy offline, so I trust that this key is his. I have signed that public key using my private key (key ID 0x2F7DEF69) and I can publish that signature to public key servers. Now, if you trust my key, you can accept that transitive trust as well. (The servers are under stress right now but this link should show that when the server is up: https://pgp.mit.edu/pks/lookup?search=0x6B295AD5&op=index). 
* Once you have verified or trust that the key represents Jeremy, you can assign it a level of “owner trust” in your GPG application, ranging from Never -> Marginal -> Full, representing how seriously you believe this is Jeremy’s key. 
* After a trust level has been assigned, you will not get the message you did. You will get a message like the one below:

hw12203:/Users/alopresto/Workspace/scratch/release_verification/minifi-java-0.5.0 (master) alopresto
🔓 0s @ 11:09:55 $ gpg --verify -v minifi-0.5.0-source-release.zip.asc
gpg: assuming signed data in 'minifi-0.5.0-source-release.zip'
gpg: Signature made Thu Jun 28 09:31:10 2018 PDT
gpg:                using RSA key 50AA60AD5D58311187B0BEB5C6E550DA6B295AD5
gpg:                issuer "[hidden email]"
gpg: using pgp trust model
gpg: Good signature from "Jeremy Dyer (CODE SIGNING KEY) <[hidden email]>" [full]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
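
The distinction explained in the reply above, as an added example that is not part of the original thread: it reads the machine-readable lines from `gpg --status-fd 1 --verify` and separates "the signature is good" from "the key has been validated as belonging to its owner", while pinning the expected fingerprint. The status lines are constructed samples built around the fingerprint quoted in the thread; `classify_sig` and `sample_status` are illustrative names.

```shell
#!/bin/sh
# Added example, not from the thread. classify_sig reads the status lines that
# `gpg --status-fd 1 --verify FILE.asc` emits and reports one verdict word.
PAGE_FPR=50AA60AD5D58311187B0BEB5C6E550DA6B295AD5   # fingerprint quoted in the thread

# classify_sig EXPECTED_FPR   (status lines on stdin)
classify_sig() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
    $2 == "GOODSIG"  { good = 1 }
    # VALIDSIG: the 10th argument is the primary key fingerprint (field 12 here).
    $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
    $2 ~ /^TRUST_/   { trust = $2 }
    END {
      if (bad || !good) print "rejected"
      else if (toupper(fpr) != toupper(want)) print "unexpected-key"
      else if (trust == "TRUST_FULLY" || trust == "TRUST_ULTIMATE") print "good-key-validated"
      else print "good-key-not-validated"
    }'
}

# Constructed status output (not captured from a real run); $1 is the trust
# token gpg would report for the signing key.
sample_status() {
  cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C6E550DA6B295AD5 Jeremy Dyer (CODE SIGNING KEY)
[GNUPG:] VALIDSIG $PAGE_FPR 2018-06-28 1530203470 0 4 0 1 10 00 $PAGE_FPR
[GNUPG:] $1 0 pgp
EOF
}

# The [unknown] output with the WARNING corresponds to TRUST_UNDEFINED,
# the [full] output to TRUST_FULLY.
sample_status TRUST_UNDEFINED | classify_sig "$PAGE_FPR"
sample_status TRUST_FULLY     | classify_sig "$PAGE_FPR"

# Against a real download:
#   gpg --status-fd 1 --verify minifi-0.5.0-source-release.zip.asc 2>/dev/null \
#     | classify_sig "$PAGE_FPR"
```

The expected fingerprint passed to `classify_sig` should come from a source you have checked independently of the download, such as the out-of-band comparison described in the reply.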


Re: Apache NiFi MiNiFi 0.5.0 RC2 Release Helper Guide

Andrew Psaltis
Sorry for the goof on response thread.

Andy,
Thanks for the key education, greatly appreciated.
