On 8/18/2011 10:29 AM, Eric Covener wrote:
> CHANGES says that currently nothing is backported to 2.2.x since
> 2.2.19 -- should we burn a release # to replace? Can the existing
> release be re-signed in-place?
Hmmm... although I'm happy to re-sign, this is a flaw in gpg; the sig was valid at the time the artifact was signed. The same is true for a vast number of artifacts at archive.apache.org/dist/. If we are treating this flaw in gpg as valid, we should probably set up a policy of using keys that won't expire for 'X' period of time following the release. But IMHO, the underlying complaint is not legitimate.