I was going through the reporter.apache.org tool and it's showing 195
release files in /dist/ as being signed with what is now an expired
key. They're listed here: https://checker.apache.org/projs/aries.html

Instructions for fixing are here:

The problem can be fixed in three ways :

1. remove the parent package file from /dist/,
   * If the signed package is oldish, seriously consider removing it.
   * You are required to remove releases not currently under
development ; see the release policy on when to archive releases.
   * On your download page, simply refer to the archived package.
2. or change the expiration date of the key,
3. or replace the signature file.

These are old releases, but some are still the most recent. At this
point the easiest thing would be for Holly to extend the expiration
date of the key.

Holly ... are you able to do that please - instructions linked to from
the above?

Many thanks,

Reply via email to