Great, another showstopper - OMG. Well, why on earth does no tool tell me that the key on my Windows account is outdated/revoked ... Next time I build things on my Linux box ...

On Tue, 27 Aug 2019 at 20:46, Aaron Coburn <aaron.cob...@gmail.com> wrote:

> Thanks so much for cutting the second release candidate. The source looks
> great (no SNAPSHOT dependencies); I was able to successfully compile and
> test the code. And I was able to successfully use the CDI and Microprofile
> extensions in an external project.
>
> I'd give a +1, but there are two issues I found with the artifacts in the
> distribution area.
>
> First, I believe the .tar.gz and .zip files should have a corresponding
> sha512 checksum (there are no checksum files in
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/apiandcore/
> or
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/extensions/
> )
>
> Second, I had some difficulty validating the signatures on the files
> themselves. I can import the KEYS file fine:
>
> $ gpg --import KEYS
>
> But the key used to sign these artifacts doesn't seem to be contained in
> that KEYS file. That is, Anatole's public key in the KEYS file has this
> signature: 2791 0BA2 1336 D3E6, but the key used to sign the files is 5B38
> A3EA FE9D 018B. I was able to find that key on a public keyserver, and it
> is registered to anat...@apache.org, but it has also been revoked:
>
> $ gpg --verify apache-tamaya-distribution-0.4-incubating-src.tar.gz.asc apache-tamaya-distribution-0.4-incubating-src.tar.gz
> gpg: Signature made Mon Aug 26 18:12:12 2019 EDT
> gpg: using RSA key 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B
> gpg: Good signature from "Anatole Tresch <anat...@apache.org>" [unknown]
> gpg: WARNING: This key has been revoked by its owner!
> gpg: This could mean that the signature is forged.
> gpg: reason for revocation: Key is superseded
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 754A 1B93 C9D5 D553 482A 6FAE 5B38 A3EA FE9D 018B
>
> (That key is, in fact, older than the one listed in the KEYS file)
>
> Maybe Julian can advise on whether these are blockers for a release.
>
> Cheers,
> Aaron
>
> On Tue, 27 Aug 2019 at 03:21, Anatole Tresch <atsti...@gmail.com> wrote:
>
> > Hi,
> >
> > I was running the needed tasks to get the 0.4-incubating release of Tamaya
> > out.
> > The artifacts are available via the Apache distribution repository [1] and
> > also via Apache's Nexus [2].
> >
> > The tag for this release candidate is available at [3] and will be renamed
> > once the vote passed.
> > Please take a look at the artifacts and vote!
> >
> > Please note:
> > This vote is a "majority approval" with a minimum of three +1 votes (see
> > [4]).
> >
> > ------------------------------------------------
> > [ ] +1 for community members who have reviewed the bits
> > [ ] +0
> > [ ] -1 for fatal flaws that should cause these bits not to be released, and
> > why ...
> > ------------------------------------------------
> >
> > Thanks,
> > Anatole Tresch
> >
> > [1] https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/
> > [2] https://repository.apache.org/content/repositories/orgapachetamaya-1037
> > [3] https://gitbox.apache.org/repos/asf?p=incubator-tamaya.git;a=commit;h=d2d60786e3e72a2bb16e14e1b195f7b2487a33eb
> > [4] http://www.apache.org/foundation/voting.html#ReleaseVotes
> >
> > --
> > *Anatole Tresch*
> > PPMC Member Apache Tamaya
> > JCP Star Spec Lead
> > *Switzerland, Europe Zurich, GMT+1*
> > *maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
> > *Twitter: @atsticks, @tamayaconf*

--
*Anatole Tresch*
PPMC Member Apache Tamaya
JCP Star Spec Lead
*Switzerland, Europe Zurich, GMT+1*
*maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
*Twitter: @atsticks, @tamayaconf*
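
The two checks raised in this thread (a matching sha512 file, and a signature from a non-revoked key that is listed in KEYS) can be automated before a vote is called. The following is an added example, not part of the original messages or of Tamaya's release tooling; it reads gpg's machine-readable `--status-fd` output, the sample status lines are constructed, and the function names and the `.sha512` file layout are assumptions.

```python
import hashlib

# Values quoted in the thread: the long key ID published in KEYS and the
# fingerprint gpg printed for the key that signed the artifacts.
KEYS_FILE_KEY_IDS = {"27910BA21336D3E6"}
SIGNER_FPR = "754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B"

# Constructed sample of `gpg --status-fd 1 --verify FILE.asc FILE` output for a
# good signature from a revoked key (VALIDSIG detail fields are illustrative).
SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG {SIGNER_FPR[-16:]} Anatole Tresch <anat...@apache.org>
[GNUPG:] VALIDSIG {SIGNER_FPR} 2019-08-26 1566857532 0 4 0 1 8 00 {SIGNER_FPR}
"""

BLOCKING = {
    "REVKEYSIG": "signing key is revoked",
    "EXPKEYSIG": "signing key is expired",
    "EXPSIG": "signature is expired",
    "BADSIG": "signature does not match the file",
    "ERRSIG": "signature could not be checked",
}

def review_signature(status_text, allowed_key_ids):
    """Return release-blocking problems found in gpg status-fd output."""
    problems, primary_fpr = [], None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword, _, rest = line[len("[GNUPG:] "):].partition(" ")
        if keyword in BLOCKING:
            problems.append(BLOCKING[keyword])
        elif keyword == "VALIDSIG":
            fields = rest.split()
            # The last VALIDSIG field is the primary key fingerprint when present.
            primary_fpr = (fields[9] if len(fields) > 9 else fields[0]).upper()
    if primary_fpr is None:
        problems.append("no cryptographically valid signature")
    elif primary_fpr[-16:] not in allowed_key_ids:
        problems.append(f"signing key {primary_fpr[-16:]} is not in KEYS")
    return problems

def sha512_matches(artifact_bytes, checksum_text):
    """Assumes the .sha512 file starts with the hex digest (sha512sum layout)."""
    parts = checksum_text.split()
    return bool(parts) and hashlib.sha512(artifact_bytes).hexdigest() == parts[0].lower()
```

Relying on the status keywords rather than the human-readable text matters here because gpg still prints "Good signature" for a revoked key, as the transcript above shows.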