Hi, +1 (binding)
IMO the release is correctly signed and the vote can continue. I checked: - signature and hashes correct - LICENSE and NOTICE correct - a couple of source files are missing headers [4][5] - yes they have "Put your copyright and license info here.” but how are those files licensed? - no unexpected binary files - can compile from source Signature check: gpg: assuming signed data in 'apache-apex-core-3.7.0-source-release.tar.gz' gpg: Signature made Sun 15 Apr 01:21:20 2018 AEST gpg: using RSA key EB4B068AE51B20BFA40FDAA779480420239E728D gpg: requesting key 79480420239E728D from hkps server hkps.pool.sks-keyservers.net gpg: key 79480420239E728D: public key "Pramod Immaneni <pra...@apache.org>" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "Pramod Immaneni <pra...@apache.org>” If the KEYS file needs updating then do that but there’s no need to hold up the vote, the KEYS file could also be placed here [1] don’t forget or remove old releases from the release area either [2]. BTW there been a change in policy re md5 hashes and they should no longer be used. [3] Assuming this vote passes just don’t svn move the md5 hash file. Thanks, Justin 1. https://dist.apache.org/repos/dist/dev/apex/ 2. https://dist.apache.org/repos/dist/release/apex/ 3. https://www.apache.org/dev/release-distribution#sigs-and-sums 4. apache-apex-core-3.7.0/apex-app-archetype/src/main/resources/archetype-resources/src/main/java/__packageInPathFormat__/Application.java 5. apache-apex-core-3.7.0/apex-app-archetype/src/main/resources/archetype-resources/src/main/java/__packageInPathFormat__/RandomNumberGenerator.java
