stratos-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Suresh Marru <sma...@apache.org>
Subject Re: PPMC diligence is needed in Voting
Date Thu, 24 Oct 2013 14:22:39 GMT
On Oct 24, 2013, at 10:02 AM, Lahiru Sandaruwan <lahirus@wso2.com> wrote:

> On Thu, Oct 24, 2013 at 7:17 PM, Suresh Marru <smarru@apache.org> wrote:
> Hi All,
> 
> I do not see any discussion on the release discuss thread.
> 
> Suresh,
> 
> There is a [Discuss] thread for this release. Subject is "[Discuss] Release Apache Stratos
3.0.0 Incubating RC4.”

Lahiru, 

Yes I did check that, but as you can see from it I can only see one verification - http://markmail.org/thread/rmjavimst73yennk

Without a corresponding discuss mail for each vote, I assume one of the following might have
happened:
* I will vote because I trust Lahiru
* I verified previous RC, so probably this is also ok
* Its been too delayed, so lets get it out now
* I am always working on trunk and I know it works, so this RC is also probably ok

Rather I see a simple authoritative vote:
* I verified the following, so I am happy with these artifacts. 

Suresh

> 
> Thanks.
>  
> I have a question to the 9 PPMC votes, what all did you verify? It is a good practice
to send them to the DISCUSS thread your testing process and what you found. For this release,
there is an issue with the key trust, and the PPMC should have very well caught it if you
spent 5 minutes to verify the vote while not waiting for the mentors to catch it.
> 
> Lahiru,
> 
> I quickly tried to verify the signatures and I see this:
> 
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <lahirus@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
> 
> I am sure you will raise some eye brows on the general vote. Can you get your key signed
by existing Apache committers who are within Apache web of trust?
> 
> See  [1] for explanation and mitigation about this warning.
> 
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html
> 
> 
> 
> -- 
> --
> Lahiru Sandaruwan
> Software Engineer,
> Platform Technologies,
> WSO2 Inc., http://wso2.com
> lean.enterprise.middleware
> 
> email: lahirus@wso2.com cell: (+94) 773 325 954
> blog: http://lahiruwrites.blogspot.com/
> twitter: http://twitter.com/lahirus
> linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
> 


Mime
View raw message