P. Taylor Goetz wrote:
2) It looks like you have no signatures on your GPG key. This essentially means that
there is no weight on the validity of your key actually being yours'. I'm fuzzy as to
whether or not this is a blocker, but it would definitely be a good thing to make happen.
I've participated in a "virtual key-signing party" with Calcite which worked
out pretty well. Not in the traditional spirit for sure, but it was better than nothing.
Having the release manager’s key signed into the web of trust is not strictly
necessary for a release, though I strongly recommend it.
Cool thanks for confirming. I couldn't recall for certain if it was a
"should" or "must" :)
3) Need to add your pubkey to
https://dist.apache.org/repos/dist/release/incubator/gossip/KEYS (presently
doesn't exist). Feel free to look at another project/podling for an example.
This lets people easily `curl https://dist.a.o./.../KEYS | gpg --import` or
similar from the trusted ASF location.
I just initialized that file with my public key. All project members should add
theirs as well.
4) LICENSE/NOTICE both look standard. I forget the origins of Gossip, if
anything _should_ be included in the NOTICE file. Are there relevant copyright
notices which should be preserved from the pre-Apache days?
LICENSE/NOTICE look good. I did a fairly thorough vetting of the code prior to
incubation, and didn’t find anything that would affect L/N.
Good enough for me!
-Taylor
- Josh
