The public keys are in the KEYS file in subversion. So I think we are good to go!
Thanks, Edell. -----Original Message----- From: Alan D. Cabrera [mailto:[EMAIL PROTECTED] Sent: 28 September 2006 16:11 To: yoko-dev@incubator.apache.org Subject: Re: [VOTE] Publish Yoko M1 release IIUC, the keys do not have to be in a web of trust so long as the public key is checked into the KEYS file in subversion. Regards, Alan On Sep 28, 2006, at 7:30 AM, Nolan, Edell wrote: > Hi, > > I imported the KEYS > > Command => gpg --verify yoko-1.0-incubating-M1-SNAPSHOT-bin.zip.asc > > And I get > > C:\temp>gpg --verify yoko-1.0-incubating-M1-SNAPSHOT-bin.zip.asc > gpg: Signature made 09/20/06 14:09:36 using RSA key ID 03FE48F6 > gpg: Good signature from "Balaji Ravi (bravi) <[EMAIL PROTECTED]>" > gpg: checking the trustdb > gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1 > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to > the owner. > Primary key fingerprint: C174 4222 AD4D 0AFA 4F9E 73D1 0879 B610 03FE > 48F6 > > Edell. > > > > -----Original Message----- > From: Mosur Ravi, Balaji > Sent: 28 September 2006 14:02 > To: yoko-dev@incubator.apache.org > Subject: RE: [VOTE] Publish Yoko M1 release > > Hi edell, > > Were you able to verify the signature? > > - Balaji > > -----Original Message----- > From: Nolan, Edell > Sent: Thursday, September 28, 2006 8:52 AM > To: yoko-dev@incubator.apache.org > Subject: RE: [VOTE] Publish Yoko M1 release > > +1 I have tested the binary and src distributions on windows XP > and all looks well. > > We should make sure the keys are correct first though. > > Cheers, Edell. > > -----Original Message----- > From: Mosur Ravi, Balaji > Sent: 28 September 2006 13:03 > To: yoko-dev@incubator.apache.org > Subject: RE: [VOTE] Publish Yoko M1 release > > Hi lars, > > The keys are not in the keyserver yet, so try to follow the steps > in: http://www.apache.org/dev/release-signing.html > > You might have to first do an import & then verify... > > gpg --import KEYS > > gpg --verify foo-1.0.tar.gz.asc foo-1.0.tar.gz > > Let me know if this works... > > - Balaji > > -----Original Message----- > From: Lars Kühne [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 28, 2006 1:00 AM > To: yoko-dev@incubator.apache.org > Subject: Re: [VOTE] Publish Yoko M1 release > > Mosur Ravi, Balaji wrote: >> Please vote to publish the Milestone 1 release distributions. Please >> take some time to download the distributions, review them and test >> them in your environment before voting. >> >> > > Is anyone able to verify the signature? I'm a beginner with PGP, so > the problem may very well be on my end. I followed the instructions on > http://httpd.apache.org/dev/verification.html > > ~/downloads> gpg yoko-1.0-incubating-M1-SNAPSHOT-bin.tar.gz.asc > gpg: Signature made Wed 20 Sep 2006 03:09:10 PM CEST using RSA key > ID 03FE48F6 > gpg: Can't check signature: public key not found > ~/downloads> gpg < $YOKO/trunk/KEYS > pub 512R/BA5A3775 2006-08-10 bravi <[EMAIL PROTECTED]> > ~/downloads> gpg yoko-1.0-incubating-M1-SNAPSHOT-bin.tar.gz.asc > gpg: Signature made Wed 20 Sep 2006 03:09:10 PM CEST using RSA key > ID 03FE48F6 > gpg: Can't check signature: public key not found > > The key used to sign the code is also not available via > pgpkeys.mit.edu (see KEYS file in trunk). > > ~/downloads> gpg --keyserver pgpkeys.mit.edu --recv-key 03FE48F6 > gpgkeys: WARNING: this is an *experimental* HKP interface! > gpgkeys: key 03FE48F6 not found on keyserver > gpg: no valid OpenPGP data found. > > > Maybe the problem is that the ID used (03FE48F6) is different from the > key id in the keys file (BA5A3775)? > > Other than that I've only found some minor flaws: > > * the example code uses a yoko BootManager. There should be a > comment in the code that this is only to minimize the required > infrastructure for the example and typically clients find their > servers in an implementation independent way like CosNaming. > * the XMLSchema section of the NOTICE file contains capitalization > errors, lowercase "apache software foundation") > > I don't think any of those should prevent a release. > > -1 until someone can verify the file signatures, +1 after that. > > /Lars > > > > > > >