commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Tompkins <chtom...@gmail.com>
Subject Re: [VOTE] Release Commons Fileupload 1.3.3 based on RC5
Date Thu, 08 Jun 2017 16:41:03 GMT


> On Jun 8, 2017, at 11:02 AM, Matt Sicker <boards@gmail.com> wrote:
> 
> Adding the appropriate key to the KEYS file after the fact should still
> work. It would have the same cryptographic reliability as being added
> beforehand as you can't exactly imitate a key.

Yes (mine has been up there since February actually), but the signature and the time stamp
on the files didn't match me. Bad svn commit on my part initially. Doh. 

> 
>> On 8 June 2017 at 07:17, Rob Tompkins <chtompki@gmail.com> wrote:
>> 
>> 
>> 
>>>> On Jun 8, 2017, at 8:09 AM, sebb <sebbaz@gmail.com> wrote:
>>>> 
>>>> On 8 June 2017 at 01:20, Gary Gregory <garydgregory@gmail.com> wrote:
>>>> The ASC does not seem to have a public key.:
>>>> 
>>>> gpg --verify commons-fileupload-1.3.3-source-release.zip.asc
>>> 
>>> That is not the recommended way to check a sig; you also need the target
>> file
>>> 
>>> $ gpg --verify downloaded_file.asc downloaded_file
>> 
>> Indeed, but if you don't specify it looks in the current directory for the
>> file.
>> 
>>> 
>>>> gpg: assuming signed data in 'commons-fileupload-1.3.3-
>> source-release.zip'
>>> 
>>> Note that gpg is assuming where to find the data.
>>> 
>>>> gpg: Signature made 12/04/16 05:15:02 Pacific Standard Time using DSA
>> key
>>>> ID 7188601C
>>>> *gpg: Can't check signature: No public key*
>>> 
>>> However if the .asc file was not detached, gpg would not check the
>> target file.
>>> 
>>> https://www.apache.org/info/verification.html#specify_both
>>> 
>>>> 
>>>> Also, the file naming should be consistent,
>>>> https://dist.apache.org/repos/dist/dev/commons/fileupload/source/ has
>> both
>>>> "source-release" and "src". Not sure how you can end up with the
>>>> differences beyond just the file extension.
>>>> 
>>>> Gary
>>>> 
>>>> 
>>>>> On Tue, Jun 6, 2017 at 11:20 AM, Rob Tompkins <chtompki@apache.org>
>> wrote:
>>>>> 
>>>>> Hello all,
>>>>> 
>>>>> This is a [VOTE] for releasing Apache Commons Fileupload 1.3.3 (from
>> RC5).
>>>>> 
>>>>> Tag name:
>>>>>  commons-fileupload-1.3.3-RC5 (signature can be checked from git using
>>>>> 'git tag -v')
>>>>> 
>>>>> Tag URL:
>>>>>  https://git-wip-us.apache.org/repos/asf?p=commons-
>>>>> fileupload.git;a=commit;h=dd2238b1671644cfead0e87c24a8ac61b4039084
>>>>> 
>>>>> Commit ID the tag points at:
>>>>>  dd2238b1671644cfead0e87c24a8ac61b4039084
>>>>> 
>>>>> Site:
>>>>>  http://home.apache.org/~chtompki/commons-fileupload-1.3.3-RC5
>>>>> 
>>>>> Distribution files (committed at revision 19901):
>>>>>  https://dist.apache.org/repos/dist/dev/commons/fileupload/
>>>>> 
>>>>> Distribution files hashes (SHA1):
>>>>>  commons-fileupload-1.3.3-bin.tar.gz
>>>>>  (SHA1: 2f4a9672168641ff726974a3b7cc68b97d1212fa)
>>>>>  commons-fileupload-1.3.3-bin.zip
>>>>>  (SHA1: b66e2c434ddbda90dfc9e92af4775d9777524bfa)
>>>>>  commons-fileupload-1.3.3-src.tar.gz
>>>>>  (SHA1: 71294a7d737a8ced04934c222ae6dfb16e4d8d73)
>>>>>  commons-fileupload-1.3.3-src.zip
>>>>>  (SHA1: 661172a2f62b460c4b754b7a0f04d412afabde52)
>>>>> 
>>>>> These are the Maven artifacts and their hashes:
>>>>>  commons-fileupload-1.3.3-javadoc.jar
>>>>>  (SHA1: 92d2fc371379d64a822150ca3882157564dd3f99)
>>>>>  commons-fileupload-1.3.3-sources.jar
>>>>>  (SHA1: c8c7bcb851fb5af0b19e4ea845cf2fc03de6f673)
>>>>>  commons-fileupload-1.3.3-test-sources.jar
>>>>>  (SHA1: 5e0d8c621d38694e0f2960ab2899ee1d67f2b708)
>>>>>  commons-fileupload-1.3.3-tests.jar
>>>>>  (SHA1: 20510147958fc759582e6ede789ccf31d056b232)
>>>>>  commons-fileupload-1.3.3.jar
>>>>>  (SHA1: fd754c7518772453aea1d5ffc32cb5ce0ebc0e40)
>>>>>  commons-fileupload-1.3.3.pom
>>>>>  (SHA1: 97d781eafc190f4fee3abf11f9ec8076f5f7b58c)
>>>>> 
>>>>> KEYS file to check signatures:
>>>>>  http://www.apache.org/dist/commons/KEYS
>>>>> 
>>>>> Maven artifacts:
>>>>>  https://repository.apache.org/content/repositories/
>>>>> orgapachecommons-1249
>>>>> 
>>>>> Please select one of the following options[1]:
>>>>> [ ] +1 Release it.
>>>>> [ ] +0 Go ahead; I don't care.
>>>>> [ ] -0 There are a few minor glitches: ...
>>>>> [ ] -1 No, do not release it because ...
>>>>> 
>>>>> This vote will be open at least 72 hours, i.e. until
>>>>> 2017-06-09T19:00:00Z
>>>>> (this is UTC time).
>>>>> --------
>>>>> 
>>>>> Cheers,
>>>>> -Rob
>>>>> 
>>>>> [1] http://apache.org/foundation/voting.html
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>> 
>>>>> 
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>> 
>> 
> 
> 
> -- 
> Matt Sicker <boards@gmail.com>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message