OK, I imported Haisheng's key from KEYS and now it checks out. The message "no public key" was confusing - I thought it meant that the file was not signed, whereas gpg meant that it did not recognize the key.
Changing my vote to +1. Haisheng, can you please get one or two people to sign your key, so that you are in the web of trust. It does not need to happen before the release, but before we announce. The difference in LICENSE is concerning because this is a source distro. All files should match those in the source repo at that precise commit. Could this version of LICENSE be the committed one? Julian On Thu, May 21, 2020 at 12:08 PM Vladimir Sitnikov <sitnikov.vladi...@gmail.com> wrote: > > >-1 because of signature issues noted in previous email (hoping I'm > mistaken). > > I think you are confused because Haisheng uses multiple keys. > https://people.apache.org/keys/committer/ lists two keys, and > https://dist.apache.org/repos/dist/release/calcite/KEYS does include the > key that signs the release (ECA9...). > > Please double-check. > > >* LICENSE file in the source distro has a few extra lines compared to > the one in git > > I see lots of people list the difference. What do you expect? > If the difference is ok, then why list it? > If the difference is not ok, then where is the reasoning? > > Vladimir
