I filed a ticket on the dist.apache.org certificate weirdness as: https://issues.apache.org/jira/browse/INFRA-12857
--- A. Soroka The University of Virginia Library > On Nov 4, 2016, at 9:39 AM, Andy Seaborne <[email protected]> wrote: > > Thank you for finding that. > > Hmm. I have no idea what has happened. It must be some kind of user error but > the date does not suggest anything to me. > > I will start again with a new key. > > Andy > > On 03/11/16 14:17, A. Soroka wrote: >> The source distro builds (mvn clean install) for me on Mac OS X >> 10.10.5 using Java 1.8.0_40 and Maven 3.3.9. Lots of Javadoc warnings >> (especially those weird ones about @propertyGetter, @propertySetter and >> @propertyDescription) but they are nothing new. Checksums verify for >> source distro. Andy's sig looks good, except... >> >> /tmp gpg --fingerprint 9CC7ECFE >> pub 4096R/9CC7ECFE 2014-06-16 [revoked: 2016-08-16] >> Key fingerprint = F0BA C675 207A 38AB F863 DAEA 1FD1 063C 9CC7 ECFE >> uid [ revoked] Andy Seaborne (Code signing key) <[email protected]> >> >> It seems that Andy, you signed with "9CC7ECFE", and if I interpret >> "http://pgpkeys.mit.edu/pks/lookup?search=Seaborne&op=vindex"; correctly (a >> big "if") you revoked that key on 2016-08-16? Am I misreading that? >> >> On a side note, I get: >> >> ERROR: cannot verify dist.apache.org's certificate, issued by >> `/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 >> Secure Server CA - G4': >> Unable to locally verify the issuer's authority. >> >> from dist.apache.org and I had to go with wget's --no-check-certificate. >> Should I raise a ticket with infrastructure about that? >> > > Yes. > >> --- >> A. Soroka >> The University of Virginia Library >> >>> On Nov 2, 2016, at 5:39 PM, Andy Seaborne <[email protected]> wrote: >>> >>> Hi, >>> >>> Here is a vote on a release of Jena 3.1.1 >>> (with Fuseki 2.4.1 and Fuseki 1.4.1). >>> >>> This is the first proposed candidate for this release. >>> >>> * Dependency changes: >>> >>> New module: >>> jena-fuseki2/jena-fuseki-embedded >>> >>> Updates: >>> com.github.jsonld-java:jsonld-java 0.7.0 -> 0.8.3 >>> >>> org.apache.httpcomponents:httpClient 4.2.6 -> 4.5.2 >>> org.apache.httpcomponents:httpCache 4.2.6 -> 4.5.2 >>> org.apache.httpcomponents:httpCore 4.2.5 -> 4.4.4 >>> >>> com.jayway.awaitility:awaitility 1.6.4 -> 1.7.0 >>> com.spatial4j:spatial4j 0.4.1 -> 0.5 >>> org.slf4j:* 1.7.20 -> 1.7.21 >>> commons-codec:commons-codec 1.9 -> 1.10 >>> org.apache.commons:commons-collections4 4.0 -> 4.1 >>> org.apache.commons:commons-csv 1.0 -> 1.3 >>> org.apache.commons:commons-lang3 3.3.2 -> 3.4 >>> org.apache.thrift:libthrift 0.9.2 -> 0.9.3 >>> org.apache.mrunit:mrunit 1.0.0 -> 1.1.0 >>> com.github.rvesse:airline 2.1.0 -> 2.1.1 >>> >>> >>> Key features of the release: >>> >>> * Completed F&O XPath3 functions >>> JENA-508 - Alessandro Seganti >>> >>> * ComplexPhraseQueryParser >>> JENA-1180 - Andrew Dolby >>> >>> * Additional vocabularies (DCAT, VoID, ROV, ORG) >>> JENA-1206 - Bart Hanssens >>> >>> * Improvement to the Fuseki service script for RHEL/Centos 6. >>> JENA-1219 - Dan Pritts >>> >>> * ORDER BY now cancelable. >>> >>> * Txn : a highlevel API for working with transactions >>> http://jena.staging.apache.org/documentation/txn/txn.html >>> >>> * Embedded Fuseki >>> http://jena.staging.apache.org/documentation/fuseki2/fuseki-embedded.html >>> >>> * Property path speed ups (JENA-1195) >>> >>> * Upgrade to Apache HttpClient v4.3 API >>> => auth changes cause API changes. >>> >>> >>> Everyone, not just committers, is invited to test and vote. >>> >>> Staging repository: >>> https://repository.apache.org/content/repositories/orgapachejena-1014/ >>> >>> Proposed dist/ area: >>> https://dist.apache.org/repos/dist/dev/jena/ >>> >>> Keys: >>> https://svn.apache.org/repos/asf/jena/dist/KEYS >>> >>> Git commit (browser URL): >>> https://git-wip-us.apache.org/repos/asf/jena/commit/9be9e53f40 >>> >>> Git Commit Hash: >>> 9be9e53f40eb3b043f72332db2d49d89e9f3d4ba >>> >>> Git Commit Tag: >>> jena-3.1.1-rc1 >>> >>> Please vote to approve this release: >>> >>> [ ] +1 Approve the release >>> [ ] 0 Don't care >>> [ ] -1 Don't release, because ... >>> >>> This vote will be open to at least >>> >>> Saturday, 5 Nov 2016, 23:59 UTC >>> >>> If you expect to check the release but the 72 hour limit does not work >>> for you, please email within the schedule above with an expected time >>> and we can extend the vote period. >>> >>> Thanks, >>> >>> Andy >>> >>> Checking needed: >>> >>> + does everything work on Linux? >>> + does everything work on MS Windows? >>> + does everything work on OS X? >>> + are the GPG signatures fine? >>> + are the checksums correct? >>> + is there a source archive? >>> + can the source archive really be built? >>> + is there a correct LICENSE and NOTICE file in each artifact >>> (both source and binary artifacts)? >>> + does the NOTICE file contain all necessary attributions? >>> + have any licenses of dependencies changed due to upgrades? >>> if so have LICENSE and NOTICE been upgraded appropriately? >>> + does the tag/commit in the SCM contain reproducible sources? >>
