I am going through the steps [1] to release Commons-Codec 1.3 and I am wondering at how strictly other components have been following the rules WRT signing.
In particular, in step 8 "Verify signatures.", I get the same results for my local copy of codec 1.3 as for lang 2.0 when I do the following:

# gpg --verify commons-lang-2.0.tar.gz.asc commons-lang-2.0.tar.gz
gpg: Signature made Mon 01 Sep 2003 06:34:22 PM PDT using DSA key ID 61F3E6B3
gpg: Good signature from "Henri Yandell (For signing Apache distributions) "
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CEF6 F51A E081 BA36 7763 52F2 5094 C55A 61F3 E6B3

So, is this good enough even with the WARNING?

Thanks,
Gary

[1] http://jakarta.apache.org/commons/releases/release.html
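
Added example, not part of the original message: the gpg output above reports two separate things, that the signature is cryptographically good and that the key has no certified trust path. The sketch below parses GnuPG's machine-readable status lines (as produced by `gpg --status-fd 1 --verify`) and checks the signing key against a fingerprint obtained out of band; the status sample is constructed, and the names `assess`, `normalize_fpr` and `SAMPLE_STATUS` are hypothetical.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify FILE.asc FILE` output for the
# case in the message: good signature, key with no certified trust path.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5094C55A61F3E6B3 Henri Yandell (For signing Apache distributions)
[GNUPG:] VALIDSIG CEF6F51AE081BA36776352F25094C55A61F3E6B3 2003-09-02 1062466462 0 3 0 17 2 00 CEF6F51AE081BA36776352F25094C55A61F3E6B3
[GNUPG:] TRUST_UNDEFINED
"""

# Status keywords that mean the signature must not be accepted.
FAILURES = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr):
    """Strip the spaces gpg prints in fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()


def assess(status_text, pinned_fpr):
    """Split gpg's verdict into signature validity, key identity and trust."""
    good = failed = False
    primary_fpr = trust = None
    for line in status_text.splitlines():
        fields = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in FAILURES:
            failed = True
        elif keyword == "VALIDSIG" and args:
            # The last field is the primary key fingerprint when present;
            # otherwise fall back to the signing (sub)key fingerprint.
            primary_fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    return {
        "signature_ok": good and not failed and primary_fpr is not None,
        "key_matches_pin": primary_fpr == normalize_fpr(pinned_fpr),
        "trust": trust,
    }


if __name__ == "__main__":
    # Fingerprint as printed in the message; in practice it must come from a
    # source other than the download being checked (assumption of this example).
    print(assess(SAMPLE_STATUS, "CEF6 F51A E081 BA36 7763 52F2 5094 C55A 61F3 E6B3"))
```

A `trust` of `undefined` with `signature_ok` and `key_matches_pin` both true corresponds to the WARNING case: the file was signed by the pinned key, and gpg simply has no certification chain to that key in the local trustdb.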