> On 15 Aug 2015, at 12:34 am, Dennis E. Hamilton <[email protected]> wrote:
>
> I think it looks good to you because you signed it and you have the public
> key.
>
> I obviously do not have the public key of the signer.
>
> Furthermore, nowhere am I told that I need yours. I am reviewing this as
> someone who is not on the project.

My understanding is that you *are* on the project - these release candidates are intended for people who are on the project. Even if someone were not on the project, I don’t think it’s an unreasonable stretch to assume that Jan is the signer, or that at minimum a verification could be attempted using his public key.

> Somewhere, it must be specified what public key is needed and how to obtain
> it from a safe place. That is what I am asking for.

Jan and I have both now given you this information.

> What is the information that an outsider needs in order to know who the
> release manager/signer is and how to find an authentic public key for that
> committer?
>
> When that information is provided, I can proceed with any review of the
> source zip.

The name of the person posting the release candidates, as can be seen from the mailing list, is Jan Iverson. This person’s email address is [email protected], which implies that his Apache ID is jani. The ASF maintains the public keys of all committers at https://people.apache.org/keys/committer/, where each file has the name of the username. Therefore Jan’s key, and by extension the key with which the release candidate was signed, is available at https://people.apache.org/keys/committer/jani.asc.

— Dr Peter M. Kelly
[email protected]
PGP key: http://www.kellypmk.net/pgp-key
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
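The lookup convention described in the reply above, turned into a verification script (an added example, not code from the thread or from the ASF): it derives the committer key URL from the Apache ID, imports the key into a throwaway keyring, checks it against a fingerprint obtained out of band, and only then verifies the detached signature on the source archive. It assumes GnuPG 2.x and curl are installed, and that committer addresses are of the form id@apache.org.

```shell
#!/bin/sh
# Added example: verify an Apache release candidate using the committer key
# published at https://people.apache.org/keys/committer/<id>.asc.

# Map an Apache ID or committer address (local part is the ID; the apache.org
# domain is an assumption here) to the committer key URL from the thread.
apache_key_url() {
    _id="${1%%@*}"
    printf 'https://people.apache.org/keys/committer/%s.asc\n' "$_id"
}

# verify_apache_release ARTIFACT DETACHED_SIG COMMITTER EXPECTED_FINGERPRINT
#   EXPECTED_FINGERPRINT is the 40 hex digits of the primary key, spaces
#   allowed, obtained out of band (e.g. from the signer's own announcement).
verify_apache_release() {
    artifact="$1"; sig="$2"; committer="$3"
    expected_fpr="$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')"

    # Throwaway keyring: nothing already trusted on this machine is consulted.
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'rm -rf "$GNUPGHOME"' EXIT

    curl -fsSL "$(apache_key_url "$committer")" | gpg --batch --quiet --import

    # The URL is only a naming convention; the fingerprint is the trust anchor.
    # Fail closed if the fetched file does not contain the expected primary key.
    if ! gpg --batch --with-colons --fingerprint \
            | grep '^fpr:' | cut -d: -f10 | grep -qx "$expected_fpr"; then
        echo "expected fingerprint not present in fetched key file" >&2
        return 1
    fi

    # --verify exits non-zero on a bad signature. Additionally require that the
    # VALIDSIG status line ends with the expected primary fingerprint, so a
    # good signature from some *other* key in the file is still rejected.
    gpg --batch --status-fd 1 --verify "$sig" "$artifact" \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$expected_fpr\$"
}
```

Usage: `verify_apache_release apache-foo-1.0-src.zip apache-foo-1.0-src.zip.asc jani@apache.org '5435 6718 ...'`; a zero exit status means the archive is signed by the key whose fingerprint you supplied.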
