Re: [VOTE] Apache Geode 1.6.0 RC1

2018-05-01 Thread Dan Smith
+1

Ran geode-release-check, looks good to me.

-Dan

On Tue, May 1, 2018 at 11:55 AM, Anthony Baker  wrote:

> Ok, thanks Galen.  AFAICT, the KEYS file being referred to is this one:
> <https://dist.apache.org/repos/dist/release/geode/KEYS>.  Other Apache
> projects like Flink, Beam, Impala, or Kafka don’t version control their
> KEYS file.
>
> @PMC - we need more reviews and votes to complete this release in a timely
> manner.  Please check it out.
>
> Anthony
>
>
> > On May 1, 2018, at 11:42 AM, Galen O'Sullivan wrote:
> >
> > Thanks for the clarification, Anthony. The release signing page you
> > linked does say this:
> >
> > > Since the KEYS may be needed to check signatures for archived
> > > releases, it is important that all keys that have ever been used to
> > > sign releases are retained in the file. Entries should only be added
> > > (as described above), not removed.
> >
> > > Your public key should be exported and the result appended to the
> > > appropriate KEYS file(s).
> >
> > I think we should get Mike's key added to both the develop and release
> > branches. I would prefer if it was present in the release tag (it could
> > be confusing for someone checking release history).
> >
> > But I guess it shouldn't be too much of a problem if the key isn't in
> > KEYS on the release. It won't affect the binary.
> >
> > I'll change to a +0.
> >
> > Galen
> >
> > On 5/1/18 10:15 AM, Anthony Baker wrote:
> >> Galen,
> >>
> >> Given the above information what are your thoughts?
> >>
> >> Anthony
> >>
> >>
> >>> On Apr 30, 2018, at 3:01 PM, Anthony Baker wrote:
> >>>
> >>> Please review the ASF policy on signing releases [1].  I think these
> >>> points are pertinent:
> >>>
> >>> - The release manager signs the release.  That provides the
> >>> verification that the release binaries were in fact created by the
> >>> release manager and have not been modified.  Multiple signatures are
> >>> not required or even possible sometimes.
> >>>
> >>> - The KEYS file in git[2] is a convenience for keeping [3] up to
> >>> date.  In fact, the KEYS file is a secondary check for a fingerprint
> >>> at id.apache.org (see [4] for how ASF checks signatures on releases).
> >>>
> >>> To me I don’t see a strict necessity to include the KEYS file commit
> >>> in the release tag.  It’s on the release branch and it will be merged
> >>> to /develop.
> >>>
> >>> $.02,
> >>> Anthony
> >>>
> >>> [1] http://apache.org/dev/release-signing.html
> >>> [2] https://github.com/apache/geode/blob/develop/KEYS
> >>> [3] https://dist.apache.org/repos/dist/release/geode/KEYS
> >>> [4] https://mirror-vm.apache.org/~henkp/checker/faq.html
> >>>
> >>>> On Apr 30, 2018, at 10:31 AM, Galen O'Sullivan wrote:
> >>>>
> >>>> -1
> >>>>
> >>>> I don't see Mike's key in the KEYS file on either rel/v1.6.0.RC1
> >>>> (5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5) or on develop.
> >>>>
> >>>> It seems odd to me to add a new key and use it to sign the release
> >>>> without using an already-existing key to sign the release as well.
> >>>> If someone's trying to verify a source tag, there isn't a chain of
> >>>> signatures with the last signer of the release signing a commit with
> >>>> the addition of the next new key.
> >>>>
> >>>> Galen


Re: [VOTE] Apache Geode 1.6.0 RC1

2018-05-01 Thread Anthony Baker
Ok, thanks Galen.  AFAICT, the KEYS file being referred to is this one:
<https://dist.apache.org/repos/dist/release/geode/KEYS>.  Other Apache projects
like Flink, Beam, Impala, or Kafka don’t version control their KEYS file.

@PMC - we need more reviews and votes to complete this release in a timely 
manner.  Please check it out.

Anthony


> On May 1, 2018, at 11:42 AM, Galen O'Sullivan  wrote:
> 
> Thanks for the clarification, Anthony. The release signing page you linked 
> does say this:
> 
> > Since the KEYS may be needed to check signatures for archived releases, it 
> > is important that all keys that have ever been used to sign releases are 
> > retained in the file. Entries should only be added (as described above), 
> > not removed.
> 
> > Your public key should be exported and the result appended to the 
> > appropriate KEYS file(s).
> 
> I think we should get Mike's key added to both the develop and release 
> branches. I would prefer if it was present in the release tag (it could be 
> confusing for someone checking release history).
> 
> But I guess it shouldn't be too much of a problem if the key isn't in KEYS on 
> the release. It won't affect the binary.
> 
> I'll change to a +0.
> 
> Galen
> 
> On 5/1/18 10:15 AM, Anthony Baker wrote:
>> Galen,
>> 
>> Given the above information what are your thoughts?
>> 
>> Anthony
>> 
>> 
>>> On Apr 30, 2018, at 3:01 PM, Anthony Baker  wrote:
>>> 
>>> Please review the ASF policy on signing releases [1].  I think these points 
>>> are pertinent:
>>> 
>>> - The release manager signs the release.  That provides the verification 
>>> that the release binaries were in fact created by the release manager and 
>>> have not been modified.  Multiple signatures are not required or even 
>>> possible sometimes.
>>> 
>>> - The KEYS file in git[2] is a convenience for keeping [3] up to date.  In 
>>> fact, the KEYS file is a secondary check for a fingerprint at id.apache.org 
>>> (see [4] for how ASF checks signatures on releases).
>>> 
>>> To me I don’t see a strict necessity to include the KEYS file commit in the 
>>> release tag.  It’s on the release branch and it will be merged to /develop.
>>> 
>>> $.02,
>>> Anthony
>>> 
>>> [1] http://apache.org/dev/release-signing.html
>>> [2] https://github.com/apache/geode/blob/develop/KEYS
>>> [3] https://dist.apache.org/repos/dist/release/geode/KEYS
>>> [4] https://mirror-vm.apache.org/~henkp/checker/faq.html
>>> 
>>>> On Apr 30, 2018, at 10:31 AM, Galen O'Sullivan wrote:
>>>>
>>>> -1
>>>>
>>>> I don't see Mike's key in the KEYS file on either rel/v1.6.0.RC1
>>>> (5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5) or on develop.
>>>>
>>>> It seems odd to me to add a new key and use it to sign the release without
>>>> using an already-existing key to sign the release as well. If someone's
>>>> trying to verify a source tag, there isn't a chain of signatures with the
>>>> last signer of the release signing a commit with the addition of the next
>>>> new key.
>>>>
>>>> Galen



Re: [VOTE] Apache Geode 1.6.0 RC1

2018-05-01 Thread Galen O'Sullivan
Thanks for the clarification, Anthony. The release signing page you 
linked does say this:


> Since the KEYS may be needed to check signatures for archived
> releases, it is important that all keys that have ever been used to sign
> releases are retained in the file. Entries should only be added (as
> described above), not removed.


> Your public key should be exported and the result appended to the
> appropriate KEYS file(s).


I think we should get Mike's key added to both the develop and release 
branches. I would prefer if it was present in the release tag (it could 
be confusing for someone checking release history).


But I guess it shouldn't be too much of a problem if the key isn't in 
KEYS on the release. It won't affect the binary.


I'll change to a +0.

Galen

On 5/1/18 10:15 AM, Anthony Baker wrote:

> Galen,
>
> Given the above information what are your thoughts?
>
> Anthony
>
>
> On Apr 30, 2018, at 3:01 PM, Anthony Baker wrote:
>
>> Please review the ASF policy on signing releases [1].  I think these points
>> are pertinent:
>>
>> - The release manager signs the release.  That provides the verification
>> that the release binaries were in fact created by the release manager and
>> have not been modified.  Multiple signatures are not required or even
>> possible sometimes.
>>
>> - The KEYS file in git[2] is a convenience for keeping [3] up to date.  In
>> fact, the KEYS file is a secondary check for a fingerprint at id.apache.org
>> (see [4] for how ASF checks signatures on releases).
>>
>> To me I don’t see a strict necessity to include the KEYS file commit in the
>> release tag.  It’s on the release branch and it will be merged to /develop.
>>
>> $.02,
>> Anthony
>>
>> [1] http://apache.org/dev/release-signing.html
>> [2] https://github.com/apache/geode/blob/develop/KEYS
>> [3] https://dist.apache.org/repos/dist/release/geode/KEYS
>> [4] https://mirror-vm.apache.org/~henkp/checker/faq.html
>>
>> On Apr 30, 2018, at 10:31 AM, Galen O'Sullivan wrote:
>>
>>> -1
>>>
>>> I don't see Mike's key in the KEYS file on either rel/v1.6.0.RC1
>>> (5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5) or on develop.
>>>
>>> It seems odd to me to add a new key and use it to sign the release without
>>> using an already-existing key to sign the release as well. If someone's
>>> trying to verify a source tag, there isn't a chain of signatures with the
>>> last signer of the release signing a commit with the addition of the next
>>> new key.
>>>
>>> Galen




Re: [VOTE] Apache Geode 1.6.0 RC1

2018-05-01 Thread Anthony Baker
Galen, 

Given the above information what are your thoughts?

Anthony


> On Apr 30, 2018, at 3:01 PM, Anthony Baker  wrote:
> 
> Please review the ASF policy on signing releases [1].  I think these points 
> are pertinent:
> 
> - The release manager signs the release.  That provides the verification that 
> the release binaries were in fact created by the release manager and have not 
> been modified.  Multiple signatures are not required or even possible 
> sometimes.
> 
> - The KEYS file in git[2] is a convenience for keeping [3] up to date.  In 
> fact, the KEYS file is a secondary check for a fingerprint at id.apache.org 
> (see [4] for how ASF checks signatures on releases).
> 
> To me I don’t see a strict necessity to include the KEYS file commit in the 
> release tag.  It’s on the release branch and it will be merged to /develop.
> 
> $.02,
> Anthony
> 
> [1] http://apache.org/dev/release-signing.html
> [2] https://github.com/apache/geode/blob/develop/KEYS
> [3] https://dist.apache.org/repos/dist/release/geode/KEYS
> [4] https://mirror-vm.apache.org/~henkp/checker/faq.html
> 
>> On Apr 30, 2018, at 10:31 AM, Galen O'Sullivan  wrote:
>> 
>> -1
>> 
>> I don't see Mike's key in the KEYS file on either rel/v1.6.0.RC1 
>> (5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5) or on develop.
>> 
>> It seems odd to me to add a new key and use it to sign the release without 
>> using an already-existing key to sign the release as well. If someone's 
>> trying to verify a source tag, there isn't a chain of signatures with the 
>> last signer of the release signing a commit with the addition of the next 
>> new key.
>> 
>> Galen
> 



Re: [VOTE] Apache Geode 1.6.0 RC1

2018-04-30 Thread Anthony Baker
Please review the ASF policy on signing releases [1].  I think these points are 
pertinent:

- The release manager signs the release.  That provides the verification that 
the release binaries were in fact created by the release manager and have not 
been modified.  Multiple signatures are not required or even possible sometimes.

- The KEYS file in git[2] is a convenience for keeping [3] up to date.  In 
fact, the KEYS file is a secondary check for a fingerprint at id.apache.org 
(see [4] for how ASF checks signatures on releases).

To me I don’t see a strict necessity to include the KEYS file commit in the 
release tag.  It’s on the release branch and it will be merged to /develop.

$.02,
Anthony

[1] http://apache.org/dev/release-signing.html
[2] https://github.com/apache/geode/blob/develop/KEYS
[3] https://dist.apache.org/repos/dist/release/geode/KEYS
[4] https://mirror-vm.apache.org/~henkp/checker/faq.html

> On Apr 30, 2018, at 10:31 AM, Galen O'Sullivan  wrote:
> 
> -1
> 
> I don't see Mike's key in the KEYS file on either rel/v1.6.0.RC1 
> (5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5) or on develop.
> 
> It seems odd to me to add a new key and use it to sign the release without 
> using an already-existing key to sign the release as well. If someone's 
> trying to verify a source tag, there isn't a chain of signatures with the 
> last signer of the release signing a commit with the addition of the next new 
> key.
> 
> Galen



Re: [VOTE] Apache Geode 1.6.0 RC1

2018-04-30 Thread Anthony Baker
Deleted my local copy of ‘rel/v1.6.0.RC1’ and refetched.  The tag now correctly 
points to this commit:  5ce726bd7

With that change, I’ll vote +1.


Aside on voting:  for releases a -1 doesn’t automatically veto the release 
candidate [1].  It is, however, a strong signal that the community may not have 
consensus and should consider carefully before continuing forward.

Anthony

[1] https://www.apache.org/foundation/glossary.html#MajorityApproval


> On Apr 27, 2018, at 2:21 PM, Mike Stolz  wrote:
> 
> Thanks for catching that tag error Anthony.
> 
> I fixed it to have the SHA matching the build.
> 
> If you're good with this could you change your -1 to a +1 so the vote can
> continue?
> 
> On Thu, Apr 26, 2018 at 2:05 PM, Mike Stolz  wrote:
> 
>> This is the first release candidate for Apache Geode, version 1.6.0.
>> Thanks to all the community members for their contributions to this
>> release!
>> 
>> *** Please download, test and vote by Monday, April 30, 1500 hrs US
>> Pacific. ***
>> 
>> It fixes 157 issues. Release notes can be found at:
>> https://cwiki.apache.org/confluence/display/GEODE/Release+
>> Notes#ReleaseNotes-1.6.0.
>> 
>> Note that we are voting upon the source tags: rel/v1.6.0.RC1
>> https://github.com/apache/geode/tree/rel/v1.6.0.RC1
>> https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
>> 
>> Commit ID:
>> b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
>> 45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
>> 
>> Source and binary files:
>> https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
>> 
>> Maven staging repo:
>> https://repository.apache.org/content/repositories/orgapachegeode-1041
>> 
>> 
>> 
>> Geode's KEYS file containing PGP keys we use to sign the release:
>> https://github.com/apache/geode/blob/develop/KEYS
>> 
>> Release Signed with Fingerprint:
>> 
>> pub   rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
>> 
>> 876331B45A97E382D1BDFB820F9CABF4396F
>> 
>> 



Re: [VOTE] Apache Geode 1.6.0 RC1

2018-04-27 Thread Mike Stolz
Thanks for catching that tag error Anthony.

I fixed it to have the SHA matching the build.

If you're good with this could you change your -1 to a +1 so the vote can
continue?

On Thu, Apr 26, 2018 at 2:05 PM, Mike Stolz  wrote:

> This is the first release candidate for Apache Geode, version 1.6.0.
> Thanks to all the community members for their contributions to this
> release!
>
> *** Please download, test and vote by Monday, April 30, 1500 hrs US
> Pacific. ***
>
> It fixes 157 issues. Release notes can be found at:
> https://cwiki.apache.org/confluence/display/GEODE/Release+
> Notes#ReleaseNotes-1.6.0.
>
> Note that we are voting upon the source tags: rel/v1.6.0.RC1
> https://github.com/apache/geode/tree/rel/v1.6.0.RC1
> https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
>
> Commit ID:
> b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
> 45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
>
> Source and binary files:
> https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
>
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachegeode-1041
>
>
>
> Geode's KEYS file containing PGP keys we use to sign the release:
> https://github.com/apache/geode/blob/develop/KEYS
>
> Release Signed with Fingerprint:
>
> pub   rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
>
>  876331B45A97E382D1BDFB820F9CABF4396F
>
>


Re: [VOTE] Apache Geode 1.6.0 RC1

2018-04-27 Thread Anthony Baker
- checked signatures
- checked hashes
- build from source
- ran examples

The tag for the geode repo differs from the source and binary release archives:

~/working/apache-geode-1.6.0$ bin/gfsh version --full
Build-Date: 2018-04-23 14:04:21 -0400
Build-Id: mikestolz 0
Build-Java-Version: 1.8.0_151
Build-Platform: Mac OS X 10.13.4 x86_64
Product-Name: Apache Geode
Product-Version: 1.6.0
Source-Date: 2018-04-19 18:12:58 -0400
Source-Repository: release/1.6.0
Source-Revision: 5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5
Native version: native code unavailable
Running on: /10.118.20.97, 8 cpu(s), x86_64 Mac OS X 10.13.4 

~/code/incubator-geode (release/1.6.0)$ git tag -v rel/v1.6.0.RC1
object b4ba77f5131018d36b79608ef007dd3cbd761cd9
type commit
tag rel/v1.6.0.RC1
tagger Mike Stolz  1524691173 -0400

Release candidate 1 for 1.6.0
gpg: Signature made Wed Apr 25 14:19:33 2018 PDT
gpg:using RSA key 44820F9CABF4396F
gpg: Good signature from "Mike Stolz " [undefined]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8763 31B4 5A97 E382 D1BD  FB44 4482 0F9C ABF4 396F


Given that the delta is a change to the KEYS file, I think the simplest thing 
is to reset the tag to 5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5 and update the 
VOTE thread.

-1, willing to change that if we can fix the tag.

@Mike, you might want to sign your key and upload it again to avoid the warning.

Anthony


> On Apr 26, 2018, at 11:05 AM, Mike Stolz  wrote:
> 
> This is the first release candidate for Apache Geode, version 1.6.0.
> Thanks to all the community members for their contributions to this
> release!
> 
> *** Please download, test and vote by Monday, April 30, 1500 hrs US
> Pacific. ***
> 
> It fixes 157 issues. Release notes can be found at:
> https://cwiki.apache.org/confluence/display/GEODE/
> Release+Notes#ReleaseNotes-1.6.0.
> 
> Note that we are voting upon the source tags: rel/v1.6.0.RC1
> https://github.com/apache/geode/tree/rel/v1.6.0.RC1
> https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
> 
> Commit ID:
> b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
> 45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
> 
> Source and binary files:
> https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
> 
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachegeode-1041
> 
> 
> 
> Geode's KEYS file containing PGP keys we use to sign the release:
> https://github.com/apache/geode/blob/develop/KEYS
> 
> Release Signed with Fingerprint:
> 
> pub   rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
> 
> 876331B45A97E382D1BDFB820F9CABF4396F
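
The checks discussed in this thread (the tag/artifact revision mismatch reported in the message above, and whether the signing key is listed in KEYS) as an added example that is not part of the thread or of the Geode release tooling. The function names are hypothetical, the gfsh and `git tag -v` inputs are the lines quoted on this page, and the KEYS listing is a constructed stand-in for the output of `gpg --show-keys --with-colons KEYS`. The fingerprint string in the vote mail as archived here has 36 hex digits while gpg prints 40, so the script reports it as unusable rather than comparing it.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
LC_ALL=C; export LC_ALL

# `bin/gfsh version --full` output as quoted on this page (trimmed).
GFSH_OUT='Product-Version: 1.6.0
Source-Repository: release/1.6.0
Source-Revision: 5ce726bd7b4f8d2648fd011a807a1bcc624ddfa5'

# `git tag -v rel/v1.6.0.RC1` output as quoted on this page (trimmed).
TAG_OUT='object b4ba77f5131018d36b79608ef007dd3cbd761cd9
type commit
tag rel/v1.6.0.RC1
Primary key fingerprint: 8763 31B4 5A97 E382 D1BD  FB44 4482 0F9C ABF4 396F'

# Fingerprint string exactly as it appears in the vote mail on this page.
ANNOUNCED_FPR='876331B45A97E382D1BDFB820F9CABF4396F'

# CONSTRUCTED stand-in for `gpg --show-keys --with-colons KEYS`. Both
# fingerprints are made-up placeholders, not keys from the Geode KEYS file.
KEYS_COLONS='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Print the value of the first line of $2 that starts with label $1.
field() { printf '%s\n' "$2" | sed -n "s/^$1 *//p" | head -n 1; }

source_revision() { field 'Source-Revision:' "$1"; }  # commit the build came from
tag_object()      { field 'object' "$1"; }            # commit the signed tag points at
signer_fpr()      { field 'Primary key fingerprint:' "$1"; }

# Strip spaces, upper-case, and accept only a full 40-hex-digit fingerprint.
normalize_fpr() (
  f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case $f in ''|*[!0-9A-F]*) exit 1 ;; esac
  [ "${#f}" -eq 40 ] || exit 1
  printf '%s\n' "$f"
)

# Fingerprints (field 10 of every "fpr" record) in a colon-format key listing.
keys_fprs() { printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'; }

# Args: gfsh output, tag -v output, announced fingerprint, KEYS listing.
# Prints one finding per line; no output means every check passed.
rc_findings() (
  src=$(source_revision "$1"); obj=$(tag_object "$2")
  signer=$(normalize_fpr "$(signer_fpr "$2")") || signer=
  if [ -z "$src" ] || [ "$src" != "$obj" ]; then
    echo "TAG_MISMATCH tag=$obj artifact=$src"
  fi
  if want=$(normalize_fpr "$3"); then
    [ "$want" = "$signer" ] || echo "FPR_MISMATCH announced=$want signer=$signer"
  else
    echo "FPR_UNUSABLE announced value is not 40 hex digits"
  fi
  if [ -z "$signer" ] || ! keys_fprs "$4" | grep -qxF "$signer"; then
    echo "SIGNER_NOT_IN_KEYS $signer"
  fi
)

rc_findings "$GFSH_OUT" "$TAG_OUT" "$ANNOUNCED_FPR" "$KEYS_COLONS"
```

On a real checkout, capture the tag check with `git tag -v <tag> 2>&1`, since git writes the gpg lines to stderr.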



Re: [VOTE] Apache Geode 1.6.0 RC1

2018-04-26 Thread Michael Stolz
Yeah, looks like a copy and paste issue that caused the link to get wrapped
to a new line.
Sorry.

--
Mike Stolz
Principal Engineer, GemFire Product Lead
Mobile: +1-631-835-4771


On Thu, Apr 26, 2018 at 5:17 PM, Diane Hardman  wrote:

> Here is the correct link to the Release notes:
> https://cwiki.apache.org/confluence/display/GEODE/
> Release+Notes#ReleaseNotes-1.6.0
>
> On Thu, Apr 26, 2018 at 2:13 PM, Diane Hardman 
> wrote:
>
> > The link to the Release notes seems to be incorrect.
> >
> >
> >
> > On Thu, Apr 26, 2018 at 11:05 AM, Mike Stolz 
> wrote:
> >
> >> This is the first release candidate for Apache Geode, version 1.6.0.
> >> Thanks to all the community members for their contributions to this
> >> release!
> >>
> >> *** Please download, test and vote by Monday, April 30, 1500 hrs US
> >> Pacific. ***
> >>
> >> It fixes 157 issues. Release notes can be found at:
> >> https://cwiki.apache.org/confluence/display/GEODE/
> >> Release+Notes#ReleaseNotes-1.6.0.
> >>
> >> Note that we are voting upon the source tags: rel/v1.6.0.RC1
> >> https://github.com/apache/geode/tree/rel/v1.6.0.RC1
> >> https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
> >>
> >> Commit ID:
> >> b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
> >> 45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
> >>
> >> Source and binary files:
> >> https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
> >>
> >> Maven staging repo:
> >> https://repository.apache.org/content/repositories/orgapachegeode-1041
> >>
> >>
> >>
> >> Geode's KEYS file containing PGP keys we use to sign the release:
> >> https://github.com/apache/geode/blob/develop/KEYS
> >>
> >> Release Signed with Fingerprint:
> >>
> >> pub   rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
> >>
> >>  876331B45A97E382D1BDFB820F9CABF4396F
> >>
> >
> >
>


Re: [VOTE] Apache Geode 1.6.0 RC1

2018-04-26 Thread Diane Hardman
Here is the correct link to the Release notes:
https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.6.0

On Thu, Apr 26, 2018 at 2:13 PM, Diane Hardman  wrote:

> The link to the Release notes seems to be incorrect.
>
>
>
> On Thu, Apr 26, 2018 at 11:05 AM, Mike Stolz  wrote:
>
>> This is the first release candidate for Apache Geode, version 1.6.0.
>> Thanks to all the community members for their contributions to this
>> release!
>>
>> *** Please download, test and vote by Monday, April 30, 1500 hrs US
>> Pacific. ***
>>
>> It fixes 157 issues. Release notes can be found at:
>> https://cwiki.apache.org/confluence/display/GEODE/
>> Release+Notes#ReleaseNotes-1.6.0.
>>
>> Note that we are voting upon the source tags: rel/v1.6.0.RC1
>> https://github.com/apache/geode/tree/rel/v1.6.0.RC1
>> https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
>>
>> Commit ID:
>> b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
>> 45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
>>
>> Source and binary files:
>> https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
>>
>> Maven staging repo:
>> https://repository.apache.org/content/repositories/orgapachegeode-1041
>>
>>
>>
>> Geode's KEYS file containing PGP keys we use to sign the release:
>> https://github.com/apache/geode/blob/develop/KEYS
>>
>> Release Signed with Fingerprint:
>>
>> pub   rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
>>
>>  876331B45A97E382D1BDFB820F9CABF4396F
>>
>
>


Re: [VOTE] Apache Geode 1.6.0 RC1

2018-04-26 Thread Diane Hardman
The link to the Release notes seems to be incorrect.



On Thu, Apr 26, 2018 at 11:05 AM, Mike Stolz  wrote:

> This is the first release candidate for Apache Geode, version 1.6.0.
> Thanks to all the community members for their contributions to this
> release!
>
> *** Please download, test and vote by Monday, April 30, 1500 hrs US
> Pacific. ***
>
> It fixes 157 issues. Release notes can be found at:
> https://cwiki.apache.org/confluence/display/GEODE/
> Release+Notes#ReleaseNotes-1.6.0.
>
> Note that we are voting upon the source tags: rel/v1.6.0.RC1
> https://github.com/apache/geode/tree/rel/v1.6.0.RC1
> https://github.com/apache/geode-examples/tree/rel/v1.6.0.RC1
>
> Commit ID:
> b4ba77f5131018d36b79608ef007dd3cbd761cd9 (geode)
> 45d174a1280e539108341b286ff79938f9729bc7 (geode-examples)
>
> Source and binary files:
> https://dist.apache.org/repos/dist/dev/geode/1.6.0.RC1
>
> Maven staging repo:
> https://repository.apache.org/content/repositories/orgapachegeode-1041
>
>
>
> Geode's KEYS file containing PGP keys we use to sign the release:
> https://github.com/apache/geode/blob/develop/KEYS
>
> Release Signed with Fingerprint:
>
> pub   rsa4096 2018-04-12 [SC] [expires: 2022-04-12]
>
>  876331B45A97E382D1BDFB820F9CABF4396F
>