Hi Wendy,

I double checked a few of the artifacts, and you're right: the signatures are BAD on the .jar artifacts. Interestingly, the asc signatures are Good on the pom files.

Henk's web site is not as alarming as I had hoped it would be. What I got from the page http://people.apache.org/~henkp/repo/ was that Patrick's signing key wasn't in the Apache web of trust, which isn't a huge problem. If the note had been "BAD signature" instead of "file/ sig inconsistency" it would have raised a redder flag.

The staging artifacts at http://people.apache.org/~pcl/release-candidates/1.1.0/repo/m2-ibiblio-rsync-repository-2/ have the same problem: the .jar.asc signatures are bad but the .pom.asc signatures are good.

Patrick, do you know what happened?

Craig

On May 28, 2008, at 7:45 AM, wsmoak wrote:

Craig L Russell wrote:

Sounds like your info is out of date by a couple of days.
I signed Patrick's key a few days ago.

(Signed keys are a good thing, though it doesn't look like that has
propagated yet.  Not sure how that happens.)

The main issue that Henk raised [1] is inconsistent signatures-- the .asc file does not match the .jar file for those eight artifacts. For example:

$ gpg --verify openjpa-jdbc-1.1.0.jar.asc openjpa-jdbc-1.1.0.jar
gpg: Signature made Tue May 20 02:22:19 2008 UTC using DSA key ID 513CA0DC
gpg: BAD signature from "Patrick Linskey (CODE SIGNING KEY) <[EMAIL PROTECTED]>"

It usually means the file changed after it was signed.  Given that the
release was re-done, is it possible something happened then? (I do see the other vote thread now that I look, thanks for the info... Google didn't send
me an alert. :/ )

[1] http://people.apache.org/~henkp/repo/

Thanks,
--
Wendy
--
Sent from the OpenJPA Developers mailing list archive at Nabble.com.


Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
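A checker for the situation discussed in this thread, as an added example that is not code from the thread or from the OpenJPA project: it walks a repository directory, verifies each detached .asc against the artifact it covers (foo.jar.asc against foo.jar, foo.pom.asc against foo.pom) and, using gpg's machine-readable --status-fd lines, separates a BAD signature (the file changed after it was signed) from a good signature made by a key outside your web of trust (Henk's "not in the Apache web of trust" case). It assumes gpg 2.x on PATH and that the signer's public key has already been imported.

```shell
#!/bin/sh
# Classify one gpg --status-fd run. Reads the status lines on stdin and
# prints a single word:
#   BAD        signature does not match the file (file changed after signing)
#   UNTRUSTED  good signature, but the key is not in your web of trust
#   GOOD       good signature from a key with marginal or better trust
#   NOKEY      signer's public key is not in the local keyring
#   ERROR      gpg produced no usable verdict (unreadable .asc, etc.)
classify_status() {
    sig=ERROR
    trust=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    sig=BAD ;;
            "[GNUPG:] NO_PUBKEY "*) sig=NOKEY ;;
            "[GNUPG:] GOODSIG "*)   if [ "$sig" = ERROR ]; then sig=GOOD; fi ;;
            # TRUST_* lines follow a good signature and report the owner-trust
            # computed from the web of trust for the signing key.
            "[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*) trust=low ;;
            "[GNUPG:] TRUST_MARGINAL"*|"[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust=ok ;;
        esac
    done
    if [ "$sig" = GOOD ] && [ "$trust" != ok ]; then
        sig=UNTRUSTED
    fi
    printf '%s\n' "$sig"
}

# Verify every detached .asc in one directory against the file it covers and
# print "<status> <file>" per artifact. Status output goes to fd 1 so the
# verdict can be parsed; gpg's human-readable chatter on stderr is dropped.
verify_repo_dir() {
    dir=$1
    for asc in "$dir"/*.asc; do
        [ -e "$asc" ] || continue
        target=${asc%.asc}
        if [ ! -f "$target" ]; then
            printf 'MISSING  %s\n' "$target"
            continue
        fi
        status=$(gpg --batch --status-fd 1 --verify "$asc" "$target" 2>/dev/null | classify_status)
        printf '%-9s%s\n' "$status" "$target"
    done
}

# Usage: sh verify-asc.sh <directory holding the artifacts and their .asc files>
if [ $# -gt 0 ]; then
    verify_repo_dir "$1"
fi
```

A BAD verdict on every .jar but GOOD or UNTRUSTED on every .pom, as in this thread, points at the jars having been rewritten after signing rather than at a key-trust problem.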
