I now also found the KEYS file. I would have expected it in trunk/KEYS rather than in the parent directory.
There are a few pros and cons for both ways. Pro trunk/KEYS would be that you then automatically version the file if you build a release. This is important if a key gets changed later (email change, security update, etc.). The other benefit is that you have the KEYS bundled with your src.tar.gz so this also is cryptographically strong self signing. One cannot tackle a key because it's inside a package which got signed with exactly this key ;)

But that's really only minor. There are a lot of projects handling it differently. There are also projects which don't have a KEYS file at all ^^.

LieGrue,
strub

--- On Wed, 5/26/10, Carlos Vara <[email protected]> wrote:

> From: Carlos Vara <[email protected]>
> Subject: Re: [DISCUSS] Apache Bean Validation 0.1-incubating Release Candidate
> To: [email protected]
> Date: Wednesday, May 26, 2010, 9:07 AM
> Hi,
>
> > 2nd: But we really also need to take care about those nifty little
> > intellectual property rules! I know this just stinks from a technical pov,
> > but it's really important. And since there have been a few problems
> > recently, there is currently high attention on such things.
>
> You're right Mark. I didn't notice that the SPI file problem hadn't really
> been solved until after sending my last message.
>
> > Usually there are good reasons if someone votes a -1 on a release - and all
> > projects I know just suspend the vote until the vetoing member either got
> > convinced to recall his veto or the problem got resolved.
>
> I didn't know this, seems reasonable taking into account that after a -1
> vote has been placed other votes don't really make much sense.
>
> Regards,
> Carlos
>
> > --- On Wed, 5/26/10, Carlos Vara <[email protected]> wrote:
> >
> > > From: Carlos Vara <[email protected]>
> > > Subject: Re: [DISCUSS] Apache Bean Validation 0.1-incubating Release Candidate
> > > To: [email protected]
> > > Date: Wednesday, May 26, 2010, 8:45 AM
> > > Hi,
> > >
> > > - does "mvn rat:check" pass on the source
> > >
> > > After the problem with javax.validation.spi.ValidationProvider has been
> > > clarified, only bean-infos-json.ftl fails. I'm not familiar with ftl files
> > > so I don't know if they should have the license.
> > >
> > > > - can you build the source-release.zip and svn tag
> > >
> > > Both build OK.
> > >
> > > > - do all of the staged jars/zips contain the required LICENSE, NOTICE
> > > > and DISCLAIMER files
> > >
> > > bval-parent-0.1-incubating-source-release.zip contains all the files.
> > > Produced JARs when installing all have LICENSE and NOTICE files. I think
> > > they don't need the DISCLAIMER one.
> > >
> > > > - are all of the staged jars signed and the signature verifiable
> > >
> > > Verified signature and hashes of zip and pom files. All OK.
> > >
> > > > - is the signing key in the project's KEYS file and on a public server
> > >
> > > It's on svn which is public for reading.
> > >
> > > > - does the release pass the TCK
> > >
> > > Staged release passes incontainer and standalone tests here. I also checked
> > > with my project, and its test suite runs fine using this version.
> > >
> > > So, unless "bean-infos-json.ftl" really needs the license header, +1
> > >
> > > Good job these last days Donald!
