Hi,

> Could you guys please double check the artifacts ...

I guess the main question is how do we confirm what source code this was 
compiled from?

> I know this is not an official release, but I still think the signatures need
> verification.

Maybe it's the way it's been deployed? But the jar sigs and md5 hashes are ok
(and using an Apache email), but the pom file signature isn't.

for file in *.asc; do echo "$file"; gpg --verify "$file"; done

flexUnitTasks-4.2.0-javadoc.jar.asc
gpg: Signature made Sun 29 Mar 04:03:33 2015 AEDT using RSA key ID 5C60D6B9
gpg: Good signature from "Christofer Dutz (Apache Comitter) <cd...@apache.org>"
flexUnitTasks-4.2.0-sources.jar.asc
gpg: Signature made Sun 29 Mar 04:03:27 2015 AEDT using RSA key ID 5C60D6B9
gpg: Good signature from "Christofer Dutz (Apache Comitter) <cd...@apache.org>"
flexUnitTasks-4.2.0.jar.asc
gpg: Signature made Sun 29 Mar 04:03:13 2015 AEDT using RSA key ID 5C60D6B9
gpg: Good signature from "Christofer Dutz (Apache Comitter) <cd...@apache.org>"
flexUnitTasks-4.2.0.pom.asc
gpg: no signed data
gpg: can't hash datafile: No data

Thanks,
Justin
