openjpa-dev mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Wed, 28 May 2008 16:37:23 GMT
Hi Wendy,

I double checked a few of the artifacts, and you're right: the  
signatures are BAD on the .jar artifacts. Interestingly, the asc  
signatures are Good on the pom files.

Henk's web site is not as alarming as I had hoped it would be. What I  
got from the page http://people.apache.org/~henkp/repo/ was that  
Patrick's signing key wasn't in the Apache web of trust, which isn't a  
huge problem. If the note had been "BAD signature" instead of
"file/sig inconsistency" it would have raised a redder flag.

The staging artifacts at http://people.apache.org/~pcl/release-candidates/1.1.0/repo/m2-ibiblio-rsync-repository-2/
have the same problem: the .jar.asc signatures are bad but
the .pom.asc signatures are good.

Patrick, do you know what happened?

Craig

On May 28, 2008, at 7:45 AM, wsmoak wrote:

>
>
> Craig L Russell wrote:
>>
>> Sounds like your info is out of date by a couple of days.
>> I signed Patrick's key a few days ago.
>>
>
> (Signed keys are a good thing, though it doesn't look like that has
> propagated yet.  Not sure how that happens.)
>
> The main issue that Henk raised [1] is inconsistent signatures-- the .asc
> file does not match the .jar file for those eight artifacts.  For example:
>
> $ gpg --verify openjpa-jdbc-1.1.0.jar.asc openjpa-jdbc-1.1.0.jar
> gpg: Signature made Tue May 20 02:22:19 2008 UTC using DSA key ID 513CA0DC
> gpg: BAD signature from "Patrick Linskey (CODE SIGNING KEY) <pcl@apache.org>"
>
> It usually means the file changed after it was signed.  Given that the
> release was re-done, is it possible something happened then?  (I do see the
> other vote thread now that I look, thanks for the info... Google didn't send
> me an alert. :/ )
>
> [1] http://people.apache.org/~henkp/repo/
>
> Thanks,
> -- 
> Wendy
> -- 
> View this message in context: http://www.nabble.com/-VOTE--Approve-OpenJPA-1.1.0-release-tp17246915p17514352.html
> Sent from the OpenJPA Developers mailing list archive at Nabble.com.
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!
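
The distinction drawn in this message, a signing key that is not yet in the web of trust versus a signature that does not match the file, can be checked mechanically across a staging repository. The following is an added example, not part of the original thread or of any OpenJPA tooling: it reads the machine-readable output of `gpg --status-fd` for each `.asc` file. The function names, the sample status lines, the placeholder key ID and the policy that only an unverified signature blocks a release are assumptions.

```python
import subprocess
import sys
from pathlib import Path

TRUST_KEYWORDS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                  "TRUST_FULLY", "TRUST_ULTIMATE"}

# Constructed sample status output (placeholder key ID and signer, not real ones).
SAMPLE_JAR = "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
SAMPLE_POM = ("[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
              "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")

def classify(status_text):
    """Map gpg --status-fd lines to an (integrity, trust) pair."""
    integrity, trust = "unknown", None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "BADSIG":
            integrity = "bad"          # file bytes do not match the signature
        elif keyword == "GOODSIG" and integrity != "bad":
            integrity = "good"
        elif keyword in ("ERRSIG", "NO_PUBKEY") and integrity == "unknown":
            integrity = "unchecked"    # could not be checked, e.g. key missing
        elif keyword in TRUST_KEYWORDS:
            trust = keyword            # web-of-trust standing of the signing key
    return integrity, trust

def verify(sig_path):
    """Check one detached signature, e.g. foo.jar.asc against foo.jar."""
    artifact = sig_path.with_suffix("")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(artifact)],
        capture_output=True, text=True)
    return classify(proc.stdout)

def blockers(results):
    """Artifacts whose signature did not verify (assumed policy: trust alone never blocks)."""
    return sorted(name for name, (integrity, _) in results.items() if integrity != "good")

if __name__ == "__main__":
    root = Path(sys.argv[1])           # local copy of the staging repository
    results = {str(p.with_suffix("")): verify(p) for p in sorted(root.rglob("*.asc"))}
    for name, (integrity, trust) in sorted(results.items()):
        print(f"{integrity:9} {trust or '-':16} {name}")
    sys.exit(1 if blockers(results) else 0)
```

Run against a directory of artifacts, it prints one line per signed file and exits non-zero if any signature failed to verify, so a good signature from a key with undefined trust is reported but does not fail the check.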

