Hi Chris,

On Mon, Apr 16, 2012 at 6:43 AM, Mattmann, Chris A (388J) <chris.a.mattm...@jpl.nasa.gov> wrote:

> Hi Folks,
>
> A candidate for the Nutch 1.5 release is available at:
>
> http://people.apache.org/~mattmann/apache-nutch-1.5/rc1/
>

I used the KEYS file stored on SVN under the 1.5 tag (as below), and got the following when verifying the above RC (stored on your p.a.o area):

lewis@lewis-01:~/Desktop$ gpg --import KEYS
gpg: key A7239D59: "Doug Cutting (Lucene guy) <cutt...@apache.org>" not changed
gpg: key 7C491924: public key "Piotr Kosiorowski <pkosiorow...@apache.org>" imported
gpg: key 0B7E6CFA: public key "Sami Siren <si...@apache.org>" imported
gpg: key 57163A4D: public key "Dennis E. Kubes <ku...@apache.org>" imported
gpg: key 24BCF054: public key "Chris A. Mattmann <mattm...@apache.org>" imported
gpg: Total number processed: 5
gpg: imported: 4
gpg: unchanged: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

lewis@lewis-01:~/Desktop$ gpg --verify apache-nutch-1.5-bin.tar.tar.gz.asc
gpg: no signed data
gpg: can't hash datafile: file open error

lewis@lewis-01:~/Desktop$ gpg --verify apache-nutch-1.5-bin.zip.asc
gpg: Signature made Mon 16 Apr 2012 06:00:20 BST using DSA key ID B876884A
gpg: Can't check signature: public key not found

lewis@lewis-01:~/Desktop$ gpg --verify apache-nutch-1.5-src.tar.gz.asc
gpg: Signature made Mon 16 Apr 2012 06:00:18 BST using DSA key ID B876884A
gpg: Can't check signature: public key not found

lewis@lewis-01:~/Desktop$ gpg --verify apache-nutch-1.5-src.zip.asc
gpg: Signature made Mon 16 Apr 2012 06:00:22 BST using DSA key ID B876884A
gpg: Can't check signature: public key not found

lewis@lewis-01:~/Desktop$ md5sum apache-nutch-1.5-bin.tar.tar.gz.asc
e32088205efd59ffc882c79add0bafae  apache-nutch-1.5-bin.tar.tar.gz.asc

lewis@lewis-01:~/Desktop$ md5sum apache-nutch-1.5-bin.zip.asc
ff7960b8540673a86756f6b3f53ffd79  apache-nutch-1.5-bin.zip.asc

lewis@lewis-01:~/Desktop$ md5sum apache-nutch-1.5-src.tar.gz.asc
9da161bcd5ec0de3f702a12e6bfbf9e6  apache-nutch-1.5-src.tar.gz.asc

lewis@lewis-01:~/Desktop$ md5sum apache-nutch-1.5-src.zip.asc
6750bbc93b028776fa888f988df3a614  apache-nutch-1.5-src.zip.asc

Some comments:

1) I don't think the tar should be appended twice for the apache-nutch-1.5-bin.tar.tar.gz artefact and accompanying sigs.
2) None of my other attempts to verify the other artefacts via gpg worked!
3) All attempts to verify via md5sum did not match the strings present in your p.a.o area!
4) Really really trivial, but in our NOTICE file, it stated a date of 2009. I should have picked this up a while ago when I updated the other dates in these files; this one seems to have slipped through the net.

> The release candidate is a zip and tar.gz archive of the sources in:
>
> http://svn.apache.org/repos/asf/nutch/tags/release-1.5/
>

Stuff in SVN tag looks OK apart from the stuff I mentioned above.

>
> And a binary build suitable for deployment.
>
> A staged Maven repository is available here:
>
> https://repository.apache.org/content/repositories/orgapachenutch-054/
>

I've not got around to checking the gpg and md5sum verifications yet, as I'm waiting for someone to confirm that the above failed verifications are correct before I do so. I'm hoping that I've made a mistake somewhere.

>
> [X ] -1 Do not release this package because...
>
>

Because of the above, unless I discover that I've done something wrong then I can't VOTE yes. I'm open to discussion on this; if someone can display that I've taken a wrong turn somewhere then I might change my VOTE. However, for the time being I need to call this one down.

Thanks for spinning the RC, Chris.

Lewis
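
The gpg transcript in the message above can be triaged mechanically to separate "data file could not be opened" from "signing key is not in the keyring". The following is an added example, not part of the original e-mail or of the Nutch project; the function names are hypothetical, and it assumes gpg's human-readable wording as it appears in the transcript (the "No public key" and Good/BAD signature strings are the wording of other gpg outcomes, added here).

```python
import re

# Constructed sample: gpg lines copied from the transcript in the message above.
IMPORT_LOG = '''\
gpg: key A7239D59: "Doug Cutting (Lucene guy) <cutt...@apache.org>" not changed
gpg: key 7C491924: public key "Piotr Kosiorowski <pkosiorow...@apache.org>" imported
gpg: key 0B7E6CFA: public key "Sami Siren <si...@apache.org>" imported
gpg: key 57163A4D: public key "Dennis E. Kubes <ku...@apache.org>" imported
gpg: key 24BCF054: public key "Chris A. Mattmann <mattm...@apache.org>" imported
'''
VERIFY_LOGS = {
    "apache-nutch-1.5-bin.tar.tar.gz.asc":
        "gpg: no signed data\ngpg: can't hash datafile: file open error\n",
    "apache-nutch-1.5-src.tar.gz.asc":
        "gpg: Signature made Mon 16 Apr 2012 06:00:18 BST using DSA key ID B876884A\n"
        "gpg: Can't check signature: public key not found\n",
}

KEY_LINE = re.compile(r"^gpg: key ([0-9A-F]{8,16}):", re.M)
SIGNER = re.compile(r"using \w+ key(?: ID)? ([0-9A-F]{8,40})")

def keyring_ids(import_log):
    """Key IDs that `gpg --import` reported as imported or already present."""
    return set(KEY_LINE.findall(import_log))

def classify(verify_output):
    """Map one `gpg --verify` transcript to (status, signer key ID or None)."""
    m = SIGNER.search(verify_output)
    signer = m.group(1) if m else None
    if "can't hash datafile" in verify_output or "no signed data" in verify_output:
        return "data-file-unreadable", signer   # detached sig, data file not opened
    if "public key not found" in verify_output or "No public key" in verify_output:
        return "signer-key-missing", signer     # nothing was verified either way
    if "BAD signature" in verify_output:
        return "bad-signature", signer
    if "Good signature" in verify_output:
        return "good-signature", signer
    return "unknown", signer

def triage(import_log, verify_logs):
    """Per file: (status, signer ID, signer ID seen in the import log)."""
    # The import log lists primary key IDs; a signing subkey would show a
    # different ID, so gpg's own status line remains the authoritative signal.
    ring = keyring_ids(import_log)
    return {name: (*classify(out), classify(out)[1] in ring)
            for name, out in verify_logs.items()}
```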