On Wed, Jun 3, 2015 at 3:49 PM, jan i <j...@apache.org> wrote: > Hi > > Juergen Schmidt was the release manager for the latest AOO releases so the > key is valid. > > If you use our official mirror through www.openoffice.org you should see > that the > key is legal. > > but thanks for being observant and reporting your findings. > > rgds > jan i > v.p. apache openoffice > > > On Wednesday, June 3, 2015, tensizes <tensi...@gmail.com> wrote: > > > Hi, > > > > This is a security heads-up. After downloading the latest release of > > Apache Open Office and checking the key, I found it was signed by someone > > not on your published KEYS file list of contributors, someone named > Jeurgen > > Schmidt > > > > His/her pgp key id is 51B5FDE8 > > >
His key is listed here as well: http://openoffice.apache.org/security -Rob > > The release file is from mirror http://mirrors.gigenet.com > > Filename: apache-openoffice-4.1.1-r1617669-src.tar.bz2 > > > > Either Jeurgen Schmidt has been left off of your list, or they have been > > signing sources without permission. > > > > Thanks for your development efforts, > > tensizes > > > > > -- > Sent from My iPad, sorry for any misspellings. >