ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Antoine Lévy-Lambert <anto...@antbuild.com>
Subject AW: verifying Ant 1.6 beta2 src signature
Date Mon, 24 Nov 2003 08:36:54 GMT
Hi Pam,

You are right, I forgot to update www.apache.org/dist/ant/KEYS when building
the beta releases of ant, although it is written in the RELEASEINSTRUCTIONS.
Sorry :(
Now it is fixed. :-)

Antoine

-----Urspr√ľngliche Nachricht-----
Von: Pam Murphy [mailto:pjmurphy@attglobal.net]
Gesendet: Samstag, 22. November 2003 22:07
An: user@ant.apache.org
Betreff: verifying Ant 1.6 beta2 src signature


I can't verify my download of Ant 1.6b2.  Downloaded the src.zip file, its
accompanying .asc file, the .md5 file, and its .asc file.  I also imported
keys from www.apache.org/dist/ant/KEYS.  The md5 sums match, but when I try
to verify the src.zip and the .md5 file, I get

gpg: Signature made 10/16/03 18:14:17 using DSA key ID 265B4C63
gpg: Can't check signature: public key not found

I didn't see 265B4C63 when I did a --list-sigs.  I also searched for it
www.apache.org/dist/httpd/KEYS with no luck.  Finally, I did gpg --keyserver
pgpkeys.mit.edu --recv-key 265B4C63 and got

gpg: no valid OpenPGP data found

I suspect that maybe that key is not part of the ant dist KEYS file because
this is only a beta.


Question 1:  Where can I get the key for 265B4C63?

Question 2:  Being a hopeless dreamer, I wonder:  why can't Ant (or any of
the other Apache/Jakarta/XML projects--I'm only picking on Ant because I use
it the most) provide a page of what the verification process should look
like *for each particular release*?  Obviously a lot of good work went into
coding and documenting Ant.  Given that many close to Ant presumably go
through the verification process themselves, it would seem to be a timesaver
as well as a useful point of reference to have a 1 page listing of what
someone trying to verify his or her Ant 1.6b2-src download would see
*exactly*.  Only a handful of steps are involved so the page could be fairly
concise.  And in this dreamworld, this step-by-step listing would be
different from the Ant 1.6b2-bin process, as well as being different from
the Ant 1.6b1, Ant 1.5.x, Ant 1.7, Commons sub-projects, Apache, Cocoon,
etc., processes, because the projects weren't all signed by the exact same
people in the exact same order at the exact same time.

Question 3:  How feasible is the dream world fantasized above?




---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org


Mime
View raw message