oodt-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Barber <tom.bar...@meteorite.bi>
Subject Re: [VOTE] Apache OODT 1.1 Release Candidate #2
Date Mon, 24 Jul 2017 12:10:11 GMT
Good catch Sean:

bugg@tom-laptop2:~$ gpg  --verify apache-oodt-1.1-src.zip.asc
gpg: assuming signed data in `apache-oodt-1.1-src.zip'
gpg: Signature made Wed 19 Jul 2017 19:57:50 BST using RSA key ID 0C1E654B
gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <
mattmann@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E 654B
bugg@tom-laptop2:~$

The key works, but I think the KEYS file needs to be updated in the SVN
repo per: https://www.apache.org/dev/release-signing.html#keys-policy

For now I'm gonna say -1 unless updating KEYS isn't required.

Tom




On Mon, Jul 24, 2017 at 5:22 AM, Chris Mattmann <mattmann@apache.org> wrote:

> I updated it in id.apache.org, which autogenerates [1], which should be
> the
> canonical source for our KEYS file. Give it a check in ~1 hour or so
> should be
> all good.
>
> Cheers,
> Chris
>
>
>
> [1] https://people.apache.org/keys/group/oodt.asc
>
>
>
> On 7/23/17, 5:33 PM, "Sean Kelly" <kelly@apache.org> wrote:
>
>     That did the trick.
>
>     I'll be +1 if you also update the KEYS file.
>
>     Transcript:
>
>     fatalii 298 % date -u
>     Mon Jul 24 00:32:49 UTC 2017
>     fatalii 299 % gpg --verify apache-oodt-1.1-src.zip.asc
>     gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID
> 0C1E654B
>     gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016)
>     <mattmann@apache.org>"
>     gpg: WARNING: This key is not certified with a trusted signature!
>     gpg:          There is no indication that the signature belongs to the
>     owner.
>     Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E
> 654B
>
>
>     --k
>
>
>     Chris Mattmann wrote:
>     > Hey Sean I think I have a new key on my Mac – can you check? I just
> submitted the new
>     > key to MIT keyserver, can you re-verify and see if that fixes it?
>     >
>     > Cheers,
>     > Chris
>     >
>     >
>     >
>     >
>     > On 7/23/17, 5:06 PM, "Sean Kelly"<kelly@apache.org>  wrote:
>     >
>     >      Hi folks:
>     >
>     >      I realize it's already 72 hours and we have the requisite 3 +1
> votes,
>     >      but I'm definitely in the -1 camp if this release was signed
> with the
>     >      wrong key.
>     >
>     >      I hope it's just user error on my end.
>     >
>     >      Take care
>     >      --k
>     >
>     >      >  *From:* Sean Kelly<kelly@apache.org>
>     >      >  *Date:* 2017-07-22 at 12.54 p
>     >      >  *To:* dev@oodt.apache.org
>     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
>     >      >  Did anyone check the signature?
>     >      >
>     >      >  I'm getting an unknown RSA key 0C1E654B:
>     >      >
>     >      >  fatalii 278 % date -u
>     >      >  Sat Jul 22 17:53:42 UTC 2017
>     >      >  fatalii 279 % gpg --verify apache-oodt-1.1-src.zip.asc
>     >      >  gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA
> key ID 0C1E654B
>     >      >  gpg: Can't check signature: No public key
>     >      >
>     >      >  --k
>     >      >
>     >      >  *From:* Chris Mattmann<mattmann@apache.org>
>     >      >  *Date:* 2017-07-19 at 2.01 p
>     >      >  *To:* dev@oodt.apache.org
>     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
>     >      >  Hi Folks,
>     >      >
>     >      >  I have posted a 2nd release candidate for the Apache OODT
> 1.1 release. The
>     >      >  source code is at:
>     >      >
>     >      >  https://dist.apache.org/repos/dist/dev/oodt/
>     >      >
>     >      >  For more detailed information, see the included CHANGES.txt
> file for details on
>     >      >  release contents and latest changes. The release was made
> using the OODT
>     >      >  release process, documented on the Wiki here:
>     >      >
>     >      >  https://cwiki.apache.org/confluence/display/OODT/
> Release+Process
>     >      >
>     >      >  The release was made from the OODT 1.1 tag at:
>     >      >
>     >      >  https://github.com/apache/oodt/tree/1.1/
>     >      >
>     >      >  A staged Maven repository is available at:
>     >      >
>     >      >  https://repository.apache.org/content/repositories/
> orgapacheoodt-1013/
>     >      >
>     >      >  Please vote on releasing these packages as Apache OODT 1.1.
> The vote is
>     >      >  open for at least the next 72 hours.
>     >      >
>     >      >  Only votes from OODT PMC are binding, but folks are welcome
> to check the
>     >      >  release candidate and voice their approval or disapproval.
> The vote passes
>     >      >  if at least three binding +1 votes are cast.
>     >      >
>     >      >  [ ] +1 Release the packages as Apache OODT 1.1
>     >      >
>     >      >  [ ] -1 Do not release the packages because...
>     >      >
>     >      >  Thanks!
>     >      >
>     >      >  Chris Mattmann
>     >      >
>     >      >  P.S. Here is my +1.
>     >      >
>     >      >
>     >      >
>     >
>     >
>     >
>     >
>
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message