On 21/07/2021 18:47, Stefan Seelmann wrote:
On 7/18/21 11:43 PM, Emmanuel Lécharny wrote:
My +1.

A few remarks:
- your GPG key does not seem to be trusted (this is when I use the asc
file to check the signature). I typically get:

$ gpg --verify ~/Downloads/org.apache.directory.studio.parent-2.0.0.v20210717-M17-source-release.zip.asc org.apache.directory.studio.parent-2.0.0.v20210717-M17-source-release.zip
gpg: Signature made Sat Jul 17 19:59:37 2021 CEST
gpg:                using RSA key 63CE676698B26D3A36D77527223BD93328686142
gpg: Good signature from "Stefan Seelmann (CODE SIGNING KEY) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 63CE 6766 98B2 6D3A 36D7  7527 223B D933 2868 6142

Not sure that is a big deal.

I never attended a key signing party with that key, so it's not in the
web-of-trust. And you probably also didn't mark my key as trusted (which
you shouldn't do). So based on the KEYS file that you imported only the
valid signature can be verified. I think it's plain normal and conforms
to https://infra.apache.org/release-signing.html.

- The packages are signed using asc, SHA1 and MD5. The last two are
deprecated and should be replaced by SHA 256/512

Hm, but SHA1 and MD5 are only used for the artifacts in the Maven repo,
right? The packages at
https://dist.apache.org/repos/dist/dev/directory/studio/2.0.0.v20210717-M17/
only use SHA 256 and SHA 512. Is there a way now to also use the
stronger hash methods with Maven?

I think it's now supported with maven apache parent 24.



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]


--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected] https://www.busit.com/
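
The case discussed in this thread (a good signature from a key that gpg marks [unknown]) can be checked mechanically. The following is an added example, not part of the original messages or of the project's tooling: it parses the output of `gpg --status-fd 1 --verify` and accepts a release only when the signature is valid and the primary key fingerprint equals the one pinned from the KEYS file. The status lines, the `check_status` name, the e-mail placeholder and the second fingerprint are constructed for illustration.

```python
# Classify `gpg --status-fd 1 --verify SIG FILE` output against a pinned key.
# Fingerprint below is the one printed in the thread; all status lines are constructed.
PINNED_FPR = "63CE 6766 98B2 6D3A 36D7  7527 223B D933 2868 6142"
OTHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key

# Status keywords that mean the signature itself must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_status(status_text, pinned_fpr):
    """Return (ok, reason); ok only for a valid signature made by the pinned key."""
    pinned = "".join(pinned_fpr.split()).upper()
    good, primary_fpr, trust = False, None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, f"signature rejected: {keyword}"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Tenth argument is the primary key fingerprint; older gpg gives only the first.
            primary_fpr = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not (good and primary_fpr):
        return False, "no valid signature found"
    if primary_fpr != pinned:
        return False, f"signed by unexpected key {primary_fpr}"
    # TRUST_UNDEFINED is the "[unknown]" case: no web-of-trust path, but the
    # fingerprint matches the KEYS file, which is what the release check needs.
    return True, f"valid signature by pinned key ({trust or 'no trust line'})"

def sample(fpr, sig_keyword="GOODSIG"):
    """Build constructed status output for a signature by key `fpr`."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] {sig_keyword} {fpr[-16:]} Stefan Seelmann (CODE SIGNING KEY) <user@example.invalid>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2021-07-17 1626544777 0 4 0 1 10 00 {fpr}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
    )

if __name__ == "__main__":
    thread_fpr = "".join(PINNED_FPR.split())
    for text in (sample(thread_fpr), sample(OTHER_FPR), sample(thread_fpr, "BADSIG")):
        print(check_status(text, PINNED_FPR))
```
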
