incubator-yoko-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mosur Ravi, Balaji" <br...@iona.com>
Subject RE: [VOTE] Publish Yoko M1 release
Date Thu, 28 Sep 2006 14:42:53 GMT
Thanks edell... Lars, Can you please confirm if you can verify the signature...?

The last warning is because the key is not in the web of trust which I understand is not a
requirement for releasing from the incubator.

- Balaji

-----Original Message-----
From: Nolan, Edell 
Sent: Thursday, September 28, 2006 10:31 AM
To: yoko-dev@incubator.apache.org
Subject: RE: [VOTE] Publish Yoko M1 release

Hi,

I imported the KEYS

Command => gpg --verify yoko-1.0-incubating-M1-SNAPSHOT-bin.zip.asc

And I get 

C:\temp>gpg --verify yoko-1.0-incubating-M1-SNAPSHOT-bin.zip.asc
gpg: Signature made 09/20/06 14:09:36  using RSA key ID 03FE48F6
gpg: Good signature from "Balaji Ravi (bravi) <bravi@apache.org>"
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C174 4222 AD4D 0AFA 4F9E  73D1 0879 B610 03FE 48F6

Edell.



-----Original Message-----
From: Mosur Ravi, Balaji 
Sent: 28 September 2006 14:02
To: yoko-dev@incubator.apache.org
Subject: RE: [VOTE] Publish Yoko M1 release

Hi edell,

Were you able to verify the signature?

- Balaji

-----Original Message-----
From: Nolan, Edell
Sent: Thursday, September 28, 2006 8:52 AM
To: yoko-dev@incubator.apache.org
Subject: RE: [VOTE] Publish Yoko M1 release

+1 I have tested the binary and src distributions on windows XP
and all looks well.

We should make sure the keys are correct first though.

Cheers, Edell. 

-----Original Message-----
From: Mosur Ravi, Balaji
Sent: 28 September 2006 13:03
To: yoko-dev@incubator.apache.org
Subject: RE: [VOTE] Publish Yoko M1 release

Hi lars,

The keys are not in the keyserver yet, so try to follow the steps in: http://www.apache.org/dev/release-signing.html

You might have to first do an import & then verify...

gpg --import KEYS

gpg --verify foo-1.0.tar.gz.asc foo-1.0.tar.gz

Let me know if this works...

- Balaji

-----Original Message-----
From: Lars K├╝hne [mailto:lakuehne@t-online.de]
Sent: Thursday, September 28, 2006 1:00 AM
To: yoko-dev@incubator.apache.org
Subject: Re: [VOTE] Publish Yoko M1 release

Mosur Ravi, Balaji wrote:
> Please vote to publish the Milestone 1 release distributions. Please 
> take some time to download the distributions, review them and test 
> them in your environment before voting.
>
>   

Is anyone able to verify the signature? I'm a beginner with PGP, so the problem may very well
be on my end. I followed the instructions on http://httpd.apache.org/dev/verification.html

    ~/downloads> gpg yoko-1.0-incubating-M1-SNAPSHOT-bin.tar.gz.asc
    gpg: Signature made Wed 20 Sep 2006 03:09:10 PM CEST using RSA key
    ID 03FE48F6
    gpg: Can't check signature: public key not found
    ~/downloads> gpg < $YOKO/trunk/KEYS
    pub   512R/BA5A3775 2006-08-10 bravi <bravi@apache.org>
    ~/downloads> gpg yoko-1.0-incubating-M1-SNAPSHOT-bin.tar.gz.asc
    gpg: Signature made Wed 20 Sep 2006 03:09:10 PM CEST using RSA key
    ID 03FE48F6
    gpg: Can't check signature: public key not found

The key used to sign the code is also not available via pgpkeys.mit.edu (see KEYS file in
trunk).

    ~/downloads> gpg --keyserver pgpkeys.mit.edu --recv-key 03FE48F6
    gpgkeys: WARNING: this is an *experimental* HKP interface!
    gpgkeys: key 03FE48F6 not found on keyserver
    gpg: no valid OpenPGP data found.


Maybe the problem is that the ID used (03FE48F6) is different from the key id in the keys
file (BA5A3775)?

Other than that I've only found some minor flaws:

    * the example code uses a yoko BootManager. There should be a
      comment in the code that this is only to minimize the required
      infrastructure for the example and typically clients find their
      servers in an implementation independent way like CosNaming.
    * the XMLSchema section of the NOTICE file contains capitalization
      errors, lowercase "apache software foundation")

I don't think any of those should prevent a release.

-1 until someone can verify the file signatures, +1 after that.

/Lars









Mime
View raw message