On 03/16/2013 08:24 AM, David Crossley wrote:
> Cédric Damioli wrote:
>> I've put the files at http://people.apache.org/~cdamioli/cocoon-2.1.12/
>>
>> Please check the files, build and run samples, and cast your votes.
> +1 from me for cocoon-2.1.12-src.tar.gz MD5 8f86915b851df0405fa52dbe249bd3da
>
> Thanks.
>
> There are some small things that can be fixed after this release.
> e.g. "Apache Software License" in deps/LICENSE.txt should be "Apache License".
>
> Your key should get signed by someone else.
>
> We could follow what Subversion does. The multiple signatures
> would assist with that issue.
> http://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
>
> Also I see that rather than using a static KEYS file,
> they link directly from their download page to the set of current keys.
>

Actually we used that before, as I describe in:

> Now asc:
> wget https://people.apache.org/keys/group/cocoon.asc
> gpg --import cocoon.asc
> gpg --verify cocoon-2.1.12-src.tar.gz.asc ~/src/apache/cocoon-2.1.12-src.tar.gz
> gpg: Signature made Thu 14 Mar 2013 03:31:26 PM CET using RSA key ID DD478570
> gpg: Can't check signature: public key not found
>
> For the release we need to add your key to the people group.
> gpg --import cocoon-2.1.12/KEYS
> that worked fine.

However, the addition that more people sign the tar sounds nice, and we can even combine it with the min 3 +1, so at least three people should sign the release.

salu2

-- 
Thorsten Scherler <scherler.at.gmail.com>
codeBusters S.L. - web based systems
<consulting, training and solutions>
http://www.codebusters.es/
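
The multi-signature policy suggested in this thread can be checked mechanically from GnuPG's `--status-fd` output. The script below is an added example, not part of the original message or of the Cocoon release tooling; the function names, the default threshold of 3 and the sample status lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: enforce "at least N distinct signers" on a detached .asc file.
# Input is the machine-readable status output of gpg (--status-fd).

# Print the number of distinct primary keys that made a good signature.
count_good_signers() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1; next }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint (field 3).
            if (good) seen[(NF >= 12) ? $12 : $3] = 1
            good = 0; next
        }
        $2 ~ /SIG$/      { good = 0 }  # BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, NEWSIG
        END { n = 0; for (k in seen) n++; print n }
    '
}

# Print the key IDs that gpg could not find in the keyring (one per line).
missing_keys() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3 }' | sort -u
}

# verify_release SIGFILE TARBALL [MIN]: succeed only if MIN distinct keys signed.
verify_release() {
    min=${3:-3}   # assumption: 3, mirroring the minimum of three +1 votes
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    n=$(printf '%s\n' "$status" | count_good_signers)
    printf '%s\n' "$status" | missing_keys | sed 's/^/missing public key: /'
    echo "good signatures from $n distinct key(s), need $min"
    [ "$n" -ge "$min" ]
}

# Constructed status output: two good signers, one signature by an unknown key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Release Manager (constructed)
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2013-03-14 1363271486 0 4 0 1 2 00 1111111111111111111111111111111111111111
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Committer Two (constructed)
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2013-03-15 1363300000 0 4 0 1 2 00 2222222222222222222222222222222222222222
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CCCCCCCCCCCCCCCC 1 2 00 1363310000 9
[GNUPG:] NO_PUBKEY CCCCCCCCCCCCCCCC'
```

A good signature here only means that a key present in the local keyring produced it; whether that key really belongs to the named committer still depends on the key having been signed by others, as noted in the quoted reply.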