tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [VOTE] Release Apache Tomcat 7.0.22
Date Thu, 29 Sep 2011 16:17:26 GMT
Mark,

On 9/29/2011 8:09 AM, Mark Thomas wrote:
> On 28/09/2011 14:43, Christopher Schultz wrote:
>> Mark,
> 
>> On 9/27/2011 5:36 PM, Mark Thomas wrote:
>>> The proposed Apache Tomcat 7.0.22 release is now available for
>>> voting.
>>>
>>> It can be obtained from: 
>>> http://people.apache.org/~markt/dev/tomcat-7/v7.0.22/ The svn tag
>>> is: 
>>> http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_22/
>>>
>>>
>>>
> The proposed 7.0.21 release is:
>>>
>>> [ ] Broken - do not release [ ] Beta   - go ahead and release as
>>> 7.0.22 Beta [X] Stable - go ahead and release as 7.0.22 Stable
> 
>> + MD5 sums match. - GPG verifies with a key that Mark appears to
>> use for nothing else, no key signers :(
> 
> Huh?
> 
> $ gpg --verify catalina-jmx-remote.jar.asc catalina-jmx-remote.jar
> gpg: Signature made Tue 27 Sep 16:47:07 2011 EDT using RSA key ID 2F6059E7
> gpg: Good signature from "Mark E D Thomas <markt@apache.org>"

Running --verify wasn't the problem (it verifies). I was talking about
other people signing your GPG key.

It was also distinct from the other key I had for you (0x33C60243) so I
wasn't sure why there were two. Some ASF folks have two, one clearly
marked (CODE SIGNING KEY)... it just appears you haven't done the same.

Weird... I got no signers when I first obtained your key. Updating the
key shows 28 signatures so maybe I was on crack at the time. Or now.

> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x10C01C5A2F6059E7
> 
> That key is very firmly in the ASF web of trust.
> 
> It is also in the KEYS file.

Yup, all is well.

-chris


Mime
View raw message