commons-dev mailing list archives

From Dave Meikle <loo...@gmail.com>
Subject Re: [releasing] PGP keys for code signing
Date Fri, 08 May 2009 12:27:11 GMT
2009/5/6 Rahul Akolkar <rahul.akolkar@gmail.com>

> On Wed, May 6, 2009 at 10:43 AM, Craig L Russell <Craig.Russell@sun.com> wrote:
> > Much better!
> >
> <snip/>
> > [CraigRussell:~/Downloads] clr% gpg --verify commons-chain-1.2-bin.tar.gz.asc
> > gpg: Signature made Tue May  5 22:13:09 2009 PDT using DSA key ID 42196CA8
> > gpg: Good signature from "Christian Grobmeier (Apache Codesigning) <grobmeier@apache.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: 9D23 5338 96A9 7847 0358  5B62 86E0 2C5A 4219 6CA8
> >
> > I'd vote for this signature being valid to sign releases. Only incubator
> > releases right now, since it hasn't been signed by the Apache WOT. That can
> > be fixed at a Sign-a-Thon. ;-)
> >
> <snap/>
>
> I'd vote for Apache Commons releases signed by any key that's in the
> KEYS file (regardless of WOT status -- keysigning would be good and is
> encouraged, but isn't a blocker).


+1

Cheers,
Dave
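
The policy discussed in this thread (accept a release signed by any key listed in the KEYS file, with web-of-trust status not a blocker) can be checked mechanically; the following is an added example, not part of the original messages and not Apache Commons tooling. It parses the machine-readable lines gpg emits with `--status-fd`, where the "Good signature" plus "not certified" warning quoted above corresponds to `GOODSIG`/`VALIDSIG` followed by `TRUST_UNDEFINED`. The function names and the sample status lines are constructed for illustration; only the fingerprint and user ID come from the quoted output.

```python
# Added example (not from the thread): apply the "any key in KEYS" policy to
# the output of `gpg --status-fd 1 --verify FILE.asc FILE`.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Strip the spacing gpg prints in fingerprints and uppercase the hex."""
    return "".join(fpr.split()).upper()

def check_release_signature(status_text, keys_fingerprints):
    """Return (accepted, reason, trust) for one detached signature.

    Accept only when gpg reports a cryptographically valid signature whose
    primary key fingerprint is listed in KEYS. Web-of-trust status is
    returned for information and never blocks acceptance.
    """
    allowed = {normalize(f) for f in keys_fingerprints}
    primaries, trust = [], None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag in REJECT:
            return (False, "gpg reported " + tag, trust)
        if tag == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; fall back to field 1.
            primaries.append(args[9] if len(args) >= 10 else args[0])
        elif tag.startswith("TRUST_"):
            trust = tag
    if len(primaries) != 1:
        return (False, "expected exactly one VALIDSIG", trust)
    if normalize(primaries[0]) not in allowed:
        return (False, "signing key is not in KEYS", trust)
    return (True, "valid signature from a key in KEYS", trust)

# Fingerprint as quoted in the thread; the status lines below are constructed.
PAGE_FPR = "9D23 5338 96A9 7847 0358  5B62 86E0 2C5A 4219 6CA8"
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] GOODSIG 86E02C5A42196CA8 Christian Grobmeier (Apache Codesigning) <grobmeier@apache.org>",
    "[GNUPG:] VALIDSIG " + normalize(PAGE_FPR) + " 2009-05-06 1241586789 0 3 0 17 2 00 " + normalize(PAGE_FPR),
    "[GNUPG:] TRUST_UNDEFINED",
])

if __name__ == "__main__":
    print(check_release_signature(SAMPLE_STATUS, [PAGE_FPR]))
```

The fingerprints passed as `keys_fingerprints` should be taken from the project's KEYS file obtained over a channel independent of the download mirror, since a valid signature only proves possession of some key.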
