-1
I don't see Mike's key in the KEYS file on either rel/v1.6.0.RC1
(5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5) or on develop.
It seems odd to me to add a new key and use it to sign the release
without using an already-existing key to sign the release as well. If
someone's trying to verify a source tag, there isn't a chain of
signatures with the last signer of the release signing a commit with the
addition of the next new key.
Galen
On 4/26/18 11:05 AM, Mike Stolz wrote:
This is the first release candidate for Apache Geode, version 1.6.0.
Thanks to all the community members for their contributions to this
release!
*** Please download, test and vote by Monday, April 30, 1500 hrs US
Pacific. ***
It fixes 157 issues. Release notes can be found at:
https://cwiki.apache.org/confluence/display/GEODE/
Release+Notes#ReleaseNotes-1.6.0.
Note that we are voting upon the source tags: rel/v1.6.0.RC1
https://github.com/apache/geode/tree/rel/v1.6.0.RC1
https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
Commit ID:
b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
Source and binary files:
https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
Maven staging repo:
https://repository.apache.org/content/repositories/orgapachegeode-1041
Geode's KEYS file containing PGP keys we use to sign the release:
https://github.com/apache/geode/blob/develop/KEYS
Release Signed with Fingerprint:
pub rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
876331B45A97E382D1BDFB4444820F9CABF4396F