geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Galen O'Sullivan <gosulli...@pivotal.io>
Subject Re: [VOTE] Apache Geode 1.6.0 RC1
Date Mon, 30 Apr 2018 17:31:59 GMT
-1

I don't see Mike's key in the KEYS file on either rel/v1.6.0.RC1 
(5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5) or on develop.

It seems odd to me to add a new key and use it to sign the release 
without using an already-existing key to sign the release as well. If 
someone's trying to verify a source tag, there isn't a chain of 
signatures with the last signer of the release signing a commit with the 
addition of the next new key.

Galen

On 4/26/18 11:05 AM, Mike Stolz wrote:
> This is the first release candidate for Apache Geode, version 1.6.0.
> Thanks to all the community members for their contributions to this
> release!
>
> *** Please download, test and vote by Monday, April 30, 1500 hrs US
> Pacific. ***
>
> It fixes 157 issues. Release notes can be found at:
> https://cwiki.apache.org/confluence/display/GEODE/
> Release+Notes#ReleaseNotes-1.6.0.
>
> Note that we are voting upon the source tags: rel/v1.6.0.RC1
> https://github.com/apache/geode/tree/rel/v1.6.0.RC1
> https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
>
> Commit ID:
> b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
> 45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
>
> Source and binary files:
> https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
>
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachegeode-1041
>
>
>
> Geode's KEYS file containing PGP keys we use to sign the release:
> https://github.com/apache/geode/blob/develop/KEYS
>
> Release Signed with Fingerprint:
>
> pub   rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
>
>       876331B45A97E382D1BDFB4444820F9CABF4396F
>


Mime
View raw message