Thanks so much for cutting the second release candidate. The source looks
great (no SNAPSHOT dependencies); I was able to successfully compile and
test the code. And I was able to successfully use the CDI and MicroProfile
extensions in an external project.

I'd give a +1, but there are two issues I found with the artifacts in the
distribution area.

First, I believe the .tar.gz and .zip files should have a corresponding
sha512 checksum (there are no checksum files in
https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/apiandcore/
or
https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/extensions/).

Second, I had some difficulty validating the signatures on the files
themselves. I can import the KEYS file fine:

$ gpg --import KEYS

But the key used to sign these artifacts doesn't seem to be contained in
that KEYS file. That is, Anatole's public key in the KEYS file has this
signature: 2791 0BA2 1336 D3E6, but the key used to sign the files is 5B38
A3EA FE9D 018B. I was able to find that key on a public keyserver, and it
is registered to anat...@apache.org, but it has also been revoked:

$ gpg --verify apache-tamaya-distribution-0.4-incubating-src.tar.gz.asc apache-tamaya-distribution-0.4-incubating-src.tar.gz
gpg: Signature made Mon Aug 26 18:12:12 2019 EDT
gpg:                using RSA key 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B
gpg: Good signature from "Anatole Tresch <anat...@apache.org>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.
gpg: reason for revocation: Key is superseded
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 754A 1B93 C9D5 D553 482A  6FAE 5B38 A3EA FE9D 018B

(That key is, in fact, older than the one listed in the KEYS file)

Maybe Julian can advise on whether these are blockers for a release.

Cheers,
Aaron

On Tue, 27 Aug 2019 at 03:21, Anatole Tresch <atsti...@gmail.com> wrote:

> Hi,
>
> I was running the needed tasks to get the 0.4-incubating release of Tamaya
> out.
> The artifacts are available via the Apache distribution repository [1] and
> also via Apache's Nexus [2].
>
> The tag for this release candidate is available at [3] and will be renamed
> once the vote has passed.
> Please take a look at the artifacts and vote!
>
> Please note:
> This vote is a "majority approval" with a minimum of three +1 votes (see
> [4]).
>
> ------------------------------------------------
> [ ] +1 for community members who have reviewed the bits
> [ ] +0
> [ ] -1 for fatal flaws that should cause these bits not to be released, and
> why ...
> ------------------------------------------------
>
> Thanks,
> Anatole Tresch
>
> [1]
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/
>
> [2]
> https://repository.apache.org/content/repositories/orgapachetamaya-1037
> [3]
>
> https://gitbox.apache.org/repos/asf?p=incubator-tamaya.git;a=commit;h=d2d60786e3e72a2bb16e14e1b195f7b2487a33eb
> [4] http://www.apache.org/foundation/voting.html#ReleaseVotes
>
>
>
> --
> *Anatole Tresch*
> PPMC Member Apache Tamaya
> JCP Star Spec Lead
> *Switzerland, Europe Zurich, GMT+1*
> *maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
> *Twitter:  @atsticks, @tamayaconf*
>
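
The signature problem reported in this reply (signing key revoked and not listed in KEYS) can be detected mechanically from gpg's machine-readable status output. The following is an added example, not part of the original email: the function name `classify_gpg_status`, the verdict strings and the sample status lines are constructed, and keys are matched on the 64-bit long key ID because that is all the thread quotes for the KEYS entry (compare full fingerprints where they are available).

```shell
#!/bin/sh
# Added example (not from the thread). Reads `gpg --status-fd 1 --verify` output
# on stdin; $1 is a space-separated list of 16-hex long key IDs found in KEYS.
# Prints "ok" (exit 0) or a space-separated list of problems (exit 1).
classify_gpg_status() {
    allowed=$1 seen='' fpr='' problems=''
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG)   seen=yes ;;
            REVKEYSIG) seen=yes; problems="$problems revoked-key" ;;
            EXPKEYSIG) seen=yes; problems="$problems expired-key" ;;
            BADSIG)    problems="$problems bad-signature" ;;
            NO_PUBKEY) problems="$problems no-public-key" ;;
            VALIDSIG)  # last field is the primary key fingerprint when present
                       fpr=${rest##* }; [ "${#fpr}" -eq 40 ] || fpr=$a1 ;;
        esac
    done
    if [ -n "$fpr" ]; then
        keyid=$(printf '%s' "$fpr" | cut -c25-40)   # low 64 bits = long key ID
        case " $allowed " in
            *" $keyid "*) ;;                        # signer is listed in KEYS
            *) problems="$problems key-not-in-KEYS" ;;
        esac
    fi
    [ -n "$seen$problems" ] || problems=" no-signature-status"
    if [ -z "$problems" ]; then echo ok; return 0; fi
    echo "${problems# }"; return 1
}

# Long key ID of the key in KEYS, as quoted in the thread.
KEYS_IDS="27910BA21336D3E6"
# Constructed status lines for the case in the thread; the fields after the
# first fingerprint are illustrative.
SAMPLE_REVOKED='[GNUPG:] REVKEYSIG 5B38A3EAFE9D018B Anatole Tresch <anat...@apache.org>
[GNUPG:] VALIDSIG 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B 2019-08-26 1566857532 0 4 0 1 10 00 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B'
# Constructed: good signature from the KEYS key. The fingerprint is zero-padded
# because the thread gives only its long key ID.
SAMPLE_GOOD='[GNUPG:] GOODSIG 27910BA21336D3E6 Anatole Tresch <anat...@apache.org>
[GNUPG:] VALIDSIG 00000000000000000000000027910BA21336D3E6 2019-08-27 1566900000 0 4 0 1 10 00 00000000000000000000000027910BA21336D3E6'

# Demo: prints "revoked-key key-not-in-KEYS"
printf '%s\n' "$SAMPLE_REVOKED" | classify_gpg_status "$KEYS_IDS" || true
```

Against a real artifact, pipe `gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null` into the function instead of the sample text.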
