This is not a blocker for the release (and moreover signature files are
explicitly allowed to be updated during the release vote if needed), but
I couldn't verify signatures in a straightforward way for source packages.
One of the signatures is mine; no problem with that, and that itself is
enough to prove integrity for release approval purposes.
Patricia's one, according to my GPG, is done with a key having a short
ID of 02703386; I couldn't find the public key in the usual places, so I
couldn't verify this one.
Again, this is not a blocker issue since one key is enough, but public
keys used for signing releases are expected to be found at:
http://www.apache.org/dist/openoffice/KEYS
or (secondary resource) at
https://people.apache.org/keys/committer/
The former contains my key and another key by Patricia (short ID
A57935C5); the latter contains the same key by Patricia - it doesn't
contain mine since I never bothered uploading it again to enforce the
long IDs and I now see that someone decided to remove the keys that only
had a short ID, I'll fix it later today.
Where can I find the matching public key by Patricia? It should be added
in SVN to
https://dist.apache.org/repos/dist/release/openoffice/KEYS
which (I believe) maps to the first URL I listed. There is surely a way
to do it without a full checkout, but I didn't check details.
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
