I am failing to be clear about something. Of course I am on the project.
And I am reviewing a release candidate. My review is from the perspective of what a third party needs to know in order to obtain and use the release candidate, were it approved as a release. Isn't that the purpose of such review? To assess what they will find and its nature with regard to Apache Project practices, etc.

I do not need to be taught how to add a public key to my key ring, or how to find Jan's key on the list of Apache committer's keys.

My question is as a reviewer, applying my beginner's mind as well as I can. I assume the third party is not on our dev@ list and is responding to an announcement of the availability of an incubator release. I do not want to rely on tacit knowledge or what I could figure out as a knowledgeable participant on ASF Projects. We're talking about something made available to the public.

Is that understandable, now?

 - Dennis

-----Original Message-----
From: Peter Kelly [mailto:[email protected]]
Sent: Friday, August 14, 2015 10:42
To: [email protected]
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

> On 15 Aug 2015, at 12:34 am, Dennis E. Hamilton <[email protected]> wrote:
>
> I think it looks good to you because you signed it and you have the public key.
>
> I obviously do not have the public key of the signer.
>
> Furthermore, nowhere am I told that I need yours. I am reviewing this as someone who is not on the project.

My understanding is that you *are* on the project - these release candidates are intended for people who are on the project.

Even if someone were not on the project, I don’t think it’s an unreasonable stretch to assume that Jan is the signer, or that at minimum a verification could be attempted using his public key.

[ ... ]
