OFBiz releases are failing verification checks


OFBiz releases are failing verification checks

Pierre Smits-3
Hi all,

Recently the releases became available via the official repositories on
Github:

   - https://github.com/apache/ofbiz-framework/releases
   - https://github.com/apache/ofbiz-plugins/releases

I tried to verify these with the function available in the ofbiz-tools repo,
like:

../dev/asf/ofbiz/ofbiz-tools/verify-ofbiz-release.sh
ofbiz-framework-release17.12.01.zip


With the following result:

skipping sha check! (sha checksum file
ofbiz-framework-release17.12.01.zip.sha512 not found)
skipping signature check! (signature file
ofbiz-framework-release17.12.01.zip.asc not found)

This is not a good sign reputation-wise. With the availability of releases
on GitHub, and our new contribution methodology through Git and GitHub, more
people will become aware of them and download them from there. We must ensure that
these files can be verified regarding authenticity.

Met vriendelijke groet,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)

Apache Trafodion <https://trafodion.apache.org>, Vice President
Apache Directory <https://directory.apache.org>, PMC Member
Apache Incubator <https://incubator.apache.org>, committer
Apache Steve <https://steve.apache.org>, committer

Re: OFBiz releases are failing verification checks

Jacopo Cappellato-3
Hi Pierre,

see my comments inline:

On Wed, Mar 4, 2020 at 4:12 PM Pierre Smits <[hidden email]> wrote:

> Hi all,
>
> Recently the releases became available via the official repositories on
> Github:
>
>    - https://github.com/apache/ofbiz-framework/releases
>    - https://github.com/apache/ofbiz-plugins/releases


these are Git tags that have been created to "tag the release" similarly to
what we used to do with svn; however they are not "releases": in fact these
are two files while we have just one official release file (that combines
the two).

> I tried to verify these with the function available in the ofbiz-tools repo,
> like:
>
> ../dev/asf/ofbiz/ofbiz-tools/verify-ofbiz-release.sh
> ofbiz-framework-release17.12.01.zip
>
>
That script verifies the signature and checksum, but in order to work you
actually have to download the checksum and signature files (which you can
find in the public official release distribution folder [*]); the errors
you are getting just tell you that the files are not available in your
folder.
However, the "release" files that you can download from GitHub are NOT the
actual release files; they are simply generated by GitHub from the tags;
for this reason they will not match the signature and checksum.

If this is going to cause some confusion, we can check what other ASF
projects are doing in this area; one easy (possibly temporary) solution
could be that of removing the tags so that they do not appear as
downloadable releases in GitHub.

Any ideas or suggestions?

Jacopo

[*] https://downloads.apache.org/ofbiz/



>
> With the following result:
>
> skipping sha check! (sha checksum file
> ofbiz-framework-release17.12.01.zip.sha512 not found)
> skipping signature check! (signature file
> ofbiz-framework-release17.12.01.zip.asc not found)
>
> This is not a good sign reputation-wise. With the availability of releases
> on GitHub, and our new contribution methodology through Git and GitHub, more
> people will become aware of them and download them from there. We must ensure that
> these files can be verified regarding authenticity.
>
> Met vriendelijke groet,
>
> Pierre Smits
> Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
> 2008 (without privileges)
>
> Apache Trafodion <https://trafodion.apache.org>, Vice President
> Apache Directory <https://directory.apache.org>, PMC Member
> Apache Incubator <https://incubator.apache.org>, committer
> Apache Steve <https://steve.apache.org>, committer
>

Re: OFBiz releases are failing verification checks

Jacopo Cappellato-3
In reply to this post by Pierre Smits-3
On Wed, Mar 4, 2020 at 4:12 PM Pierre Smits <[hidden email]> wrote:

> [...]

> Recently the releases became available via the official repositories on
> Github:
>
>    - https://github.com/apache/ofbiz-framework/releases
>    - https://github.com/apache/ofbiz-plugins/releases
>
> I tried to verify these with the function available in the ofbiz-tools repo,
> like:
>
> ../dev/asf/ofbiz/ofbiz-tools/verify-ofbiz-release.sh
> ofbiz-framework-release17.12.01.zip
> [...]


Some additional details about the verification process from ASF ([*]):
"You are encouraged to download the releases from our mirrors. Signatures
and checksums are only available from the official Apache Software
Foundation site.
Our download pages point you to the mirrors for releases and to the
official site for signatures and checksums."

[*] https://www.apache.org/info/verification.html

Jacopo
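The verification workflow Jacopo describes in his two replies above (take the artifact from a mirror or a GitHub tag archive, take the .sha512 and .asc companion files only from the official site at https://downloads.apache.org/ofbiz/, then check both), written out as an added example. This is not the ofbiz-tools verify-ofbiz-release.sh script and not project code; the function names, return codes and the sample artifact name are assumptions. It assumes the signing key from the project's KEYS file is already imported into the local GPG keyring, and it treats a missing companion file as a hard failure rather than a silent skip, which is the situation Pierre's output shows.

```shell
#!/bin/sh
# Added example (not the ofbiz-tools script): verify a release artifact against
# its detached .sha512 checksum and .asc PGP signature. The companion files
# must come from https://downloads.apache.org/ofbiz/, not from GitHub.

# Print the lowercase hex SHA-512 digest of a file (sha512sum or shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 512 "$1" | awk '{print tolower($1)}'
    fi
}

# verify_checksum ARTIFACT CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 3 if the checksum file is missing.
verify_checksum() {
    artifact=$1
    sumfile=$2
    [ -f "$sumfile" ] || { echo "sha512 file missing: $sumfile" >&2; return 3; }
    # ASF .sha512 files carry "<hex>  <filename>" (sometimes "<hex> *<filename>");
    # the first token on the first line is the digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512_of "$artifact")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "sha512 OK: $artifact"
        return 0
    fi
    echo "sha512 MISMATCH: $artifact" >&2
    return 1
}

# verify_signature ARTIFACT SIGNATURE_FILE
# Returns 0 if gpg accepts the detached signature, 1 if it rejects it,
# 2 if gpg is not installed, 3 if the signature file is missing.
# Assumes the release manager's key (from the project KEYS file) is imported.
verify_signature() {
    artifact=$1
    sigfile=$2
    [ -f "$sigfile" ] || { echo "signature file missing: $sigfile" >&2; return 3; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    if gpg --verify "$sigfile" "$artifact" 2>/dev/null; then
        echo "signature OK: $artifact"
        return 0
    fi
    echo "signature BAD: $artifact" >&2
    return 1
}

# verify_release ARTIFACT
# Runs both checks and succeeds only if BOTH pass, so a missing companion
# file is reported as a failure instead of being skipped.
verify_release() {
    artifact=$1
    cs=0
    verify_checksum "$artifact" "$artifact.sha512" || cs=$?
    sg=0
    verify_signature "$artifact" "$artifact.asc" || sg=$?
    [ "$cs" -eq 0 ] && [ "$sg" -eq 0 ]
}

# Usage (assumed artifact name, with its .sha512 and .asc alongside it):
#   verify_release apache-ofbiz-17.12.01.zip
```

The script compares digests case-insensitively because published checksum files are not uniformly cased, and it distinguishes "file missing" from "signature bad" in the exit code so a CI job can tell an incomplete download from a tampered one.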

Re: OFBiz releases are failing verification checks

Pierre Smits-3
IMO, despite all the encouragements by the ASF and the project, people do
what they like. And some even may not want to have all plugins included.

Given that the project already voted favourably on the first convenience
package of the 17.12 branch (which incorporates, and is based on, the
releases in the two repos), it seems to me that you can go ahead by
creating the .asc and .sha512 files for each of the releases in the repos
and upload those together with those repo releases into
http://downloads.apache.org/ofbiz.

Met vriendelijke groet,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)

Apache Trafodion <https://trafodion.apache.org>, Vice President
Apache Directory <https://directory.apache.org>, PMC Member
Apache Incubator <https://incubator.apache.org>, committer
Apache Steve <https://steve.apache.org>, committer


On Thu, Mar 5, 2020 at 7:57 AM Jacopo Cappellato <
[hidden email]> wrote:

> On Wed, Mar 4, 2020 at 4:12 PM Pierre Smits <[hidden email]>
> wrote:
>
> > [...]
>
> > Recently the releases became available via the official repositories on
> > Github:
> >
> >    - https://github.com/apache/ofbiz-framework/releases
> >    - https://github.com/apache/ofbiz-plugins/releases
> >
> > I tried to verify these with the function available in the ofbiz-tools
> > repo, like:
> >
> > ../dev/asf/ofbiz/ofbiz-tools/verify-ofbiz-release.sh
> > ofbiz-framework-release17.12.01.zip
> > [...]
>
>
> Some additional details about the verification process from ASF ([*]):
> "You are encouraged to download the releases from our mirrors. Signatures
> and checksums are only available from the official Apache Software
> Foundation site.
> Our download pages point you to the mirrors for releases and to the
> official site for signatures and checksums."
>
> [*] https://www.apache.org/info/verification.html
>
> Jacopo
>

Re: OFBiz releases are failing verification checks

Pierre Smits-3
Furthermore,

With recent https://github.com/apache/ofbiz-framework/pull/43 we don't need
to deliver a convenience package containing both the base and the
extensions anymore.

This will enable (potential) adopters to evaluate/test-drive a fully
operational OFBiz implementation in a contained environment (Docker
container).

Met vriendelijke groet,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)