I tend to agree, we all love automation, my only issue being:

`The KEYS file is stored alongside the release archives to which it
applies, e.g. at the top level of the ASF mirror area for the project. This
is to ensure that it is available for download by users, and that it is
automatically archived with historic releases.`

In the doc it's indexed under Keys Policy, so from my vantage point that
doesn't sound like it's up for discussion and more a requirement. So the one
you link to doesn't fulfil that requirement. That said, it's not like it
has to be inside the archive, so just updating SVN would do.



On Mon, Jul 24, 2017 at 3:24 PM, Chris Mattmann <mattm...@apache.org> wrote:

> Hey Team,
>
> Why should we maintain a separate KEYS file from the one I referenced at:
>
> https://people.apache.org/keys/group/oodt.asc
>
> That one is maintained automatically by collecting our GPG fingerprints from
> id.apache.org?
>
> I can see for past releases, but how much do we think people are using anything
> prior to OODT e.g., 0.7 or 0.8 and I would assert that between my key and Tom’s
> key there haven’t been RM’s since then…
>
> So, thoughts? It’s one less not automatically generated thing we have to
> manage…?
>
> Cheers,
> Chris
>
>
>
> On 7/24/17, 5:10 AM, "Tom Barber" <tom.bar...@meteorite.bi> wrote:
>
>     Good catch Sean:
>
>     bugg@tom-laptop2:~$ gpg  --verify apache-oodt-1.1-src.zip.asc
>     gpg: assuming signed data in `apache-oodt-1.1-src.zip'
>     gpg: Signature made Wed 19 Jul 2017 19:57:50 BST using RSA key ID 0C1E654B
>     gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <mattm...@apache.org>"
>     gpg: WARNING: This key is not certified with a trusted signature!
>     gpg:          There is no indication that the signature belongs to the owner.
>     Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E 654B
>     bugg@tom-laptop2:~$
>
>     The key works, but I think the KEYS file needs to be updated in the SVN
>     repo per: https://www.apache.org/dev/release-signing.html#keys-policy
>
>     For now I'm gonna say -1 unless updating KEYS isn't required.
>
>     Tom
>
>
>
>
>     On Mon, Jul 24, 2017 at 5:22 AM, Chris Mattmann <mattm...@apache.org> wrote:
>
>     > I updated it in id.apache.org, which autogenerates [1], which should be the
>     > canonical source for our KEYS file. Give it a check in ~1 hour or so should be
>     > all good.
>     >
>     > Cheers,
>     > Chris
>     >
>     >
>     >
>     > [1] https://people.apache.org/keys/group/oodt.asc
>     >
>     >
>     >
>     > On 7/23/17, 5:33 PM, "Sean Kelly" <ke...@apache.org> wrote:
>     >
>     >     That did the trick.
>     >
>     >     I'll be +1 if you also update the KEYS file.
>     >
>     >     Transcript:
>     >
>     >     fatalii 298 % date -u
>     >     Mon Jul 24 00:32:49 UTC 2017
>     >     fatalii 299 % gpg --verify apache-oodt-1.1-src.zip.asc
>     >     gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID 0C1E654B
>     >     gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <mattm...@apache.org>"
>     >     gpg: WARNING: This key is not certified with a trusted signature!
>     >     gpg:          There is no indication that the signature belongs to the owner.
>     >     Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E 654B
>     >
>     >
>     >     --k
>     >
>     >
>     >     Chris Mattmann wrote:
>     >     > Hey Sean I think I have a new key on my Mac – can you check? I just submitted the new
>     >     > key to MIT keyserver, can you re-verify and see if that fixes it?
>     >     >
>     >     > Cheers,
>     >     > Chris
>     >     >
>     >     >
>     >     >
>     >     >
>     >     > On 7/23/17, 5:06 PM, "Sean Kelly"<ke...@apache.org>  wrote:
>     >     >
>     >     >      Hi folks:
>     >     >
>     >     >      I realize it's already 72 hours and we have the requisite 3 +1 votes,
>     >     >      but I'm definitely in the -1 camp if this release was signed with the
>     >     >      wrong key.
>     >     >
>     >     >      I hope it's just user error on my end.
>     >     >
>     >     >      Take care
>     >     >      --k
>     >     >
>     >     >      >  *From:* Sean Kelly<ke...@apache.org>
>     >     >      >  *Date:* 2017-07-22 at 12.54 p
>     >     >      >  *To:* dev@oodt.apache.org
>     >     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
>     >     >      >  Did anyone check the signature?
>     >     >      >
>     >     >      >  I'm getting an unknown RSA key 0C1E654B:
>     >     >      >
>     >     >      >  fatalii 278 % date -u
>     >     >      >  Sat Jul 22 17:53:42 UTC 2017
>     >     >      >  fatalii 279 % gpg --verify apache-oodt-1.1-src.zip.asc
>     >     >      >  gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID 0C1E654B
>     >     >      >  gpg: Can't check signature: No public key
>     >     >      >
>     >     >      >  --k
>     >     >      >
>     >     >      >  *From:* Chris Mattmann<mattm...@apache.org>
>     >     >      >  *Date:* 2017-07-19 at 2.01 p
>     >     >      >  *To:* dev@oodt.apache.org
>     >     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
>     >     >      >  Hi Folks,
>     >     >      >
>     >     >      >  I have posted a 2nd release candidate for the Apache OODT 1.1 release. The
>     >     >      >  source code is at:
>     >     >      >
>     >     >      >  https://dist.apache.org/repos/dist/dev/oodt/
>     >     >      >
>     >     >      >  For more detailed information, see the included CHANGES.txt file for details on
>     >     >      >  release contents and latest changes. The release was made using the OODT
>     >     >      >  release process, documented on the Wiki here:
>     >     >      >
>     >     >      >  https://cwiki.apache.org/confluence/display/OODT/Release+Process
>     >     >      >
>     >     >      >  The release was made from the OODT 1.1 tag at:
>     >     >      >
>     >     >      >  https://github.com/apache/oodt/tree/1.1/
>     >     >      >
>     >     >      >  A staged Maven repository is available at:
>     >     >      >
>     >     >      >  https://repository.apache.org/content/repositories/orgapacheoodt-1013/
>     >     >      >
>     >     >      >  Please vote on releasing these packages as Apache OODT 1.1. The vote is
>     >     >      >  open for at least the next 72 hours.
>     >     >      >
>     >     >      >  Only votes from OODT PMC are binding, but folks are welcome to check the
>     >     >      >  release candidate and voice their approval or disapproval. The vote passes
>     >     >      >  if at least three binding +1 votes are cast.
>     >     >      >
>     >     >      >  [ ] +1 Release the packages as Apache OODT 1.1
>     >     >      >
>     >     >      >  [ ] -1 Do not release the packages because...
>     >     >      >
>     >     >      >  Thanks!
>     >     >      >
>     >     >      >  Chris Mattmann
>     >     >      >
>     >     >      >  P.S. Here is my +1.
>     >     >      >
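The check this thread is doing by hand, written out as an added example that is not part of the thread or of the OODT project's own tooling: it parses the armored public keys in a KEYS file, computes each primary key's v4 fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-byte length and the public-key packet body), and compares them with the primary-key fingerprint that `gpg --status-fd 1 --verify` reports on its VALIDSIG status line. Note that the `gpg: WARNING: This key is not certified with a trusted signature!` in the transcripts above is a web-of-trust statement about the verifier's own keyring; it says nothing about whether the key is the one the project publishes, which is exactly the question that matching the fingerprint against the KEYS file in dist SVN answers. The sample key (a placeholder modulus, not a usable key), the KEYS text, the VALIDSIG lines and the identity `rm@example.invalid` are all constructed for this example.

```python
"""Check that the key which signed a release is listed in the project's KEYS file.

Added example (not OODT or ASF tooling). Reads the armored public key blocks in a
KEYS file, computes each v4 primary key's fingerprint per RFC 4880 12.2, and
compares them with the primary-key fingerprint gpg prints on its VALIDSIG line
(`gpg --status-fd 1 --verify apache-oodt-1.1-src.zip.asc apache-oodt-1.1-src.zip`).
The sample key, KEYS text and status lines below are constructed for this example.
"""
import base64
import hashlib
import re
import struct

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)


def dearmor(armored_body):
    """Drop armor headers ('Version: ...') and any '=XXXX' CRC24 line, decode the base64 body."""
    lines = (ln.strip() for ln in armored_body.splitlines())
    return base64.b64decode("".join(ln for ln in lines if ln and ":" not in ln and ln[0] != "="))


def iter_packets(data):
    """Yield (tag, body) for every OpenPGP packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                  # new format: tag in the low 6 bits
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths do not occur in key material")
        else:                                           # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(key_body):
    """SHA-1 over 0x99 || 2-byte body length || public-key packet body (RFC 4880 12.2), upper-case hex."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are supported, got version %d" % key_body[0])
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def keys_file_fingerprints(keys_text):
    """Fingerprints of every primary key (packet tag 6; tag 14 would be a subkey) in the KEYS file."""
    found = set()
    for armored in ARMOR_RE.findall(keys_text):
        for tag, body in iter_packets(dearmor(armored)):
            if tag == 6:
                found.add(v4_fingerprint(body))
    return found


def signer_fingerprint(status_output):
    """Primary-key fingerprint from gpg's VALIDSIG status line, or None when there is no valid signature."""
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo> <hash> <class> <primary-fpr>
            # <fpr> may be a signing subkey; KEYS lists the primary key, so prefer the last field.
            return (f[11] if len(f) >= 12 else f[2]).upper()
    return None


def signer_listed_in_keys(keys_text, status_output):
    """True only if gpg reported a valid signature AND that key's primary fingerprint is in KEYS."""
    fpr = signer_fingerprint(status_output)
    return fpr is not None and fpr in keys_file_fingerprints(keys_text)


def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def sample_key_body():
    """Constructed v4 RSA public-key packet body with a placeholder modulus; not a real key."""
    return b"\x04" + struct.pack(">I", 1459468800) + b"\x01" + _mpi((1 << 1023) | 0x10001) + _mpi(65537)


def build_sample_keys_file():
    """Constructed KEYS file in the usual ASF layout (listing lines, then armored key) for the sample key."""
    body, uid = sample_key_body(), b"Example Release Manager <rm@example.invalid>"
    packets = b"\x99" + struct.pack(">H", len(body)) + body      # old-format tag 6, 2-byte length
    packets += b"\xb4" + bytes([len(uid)]) + uid                  # old-format tag 13 (user id), 1-byte length
    b64 = base64.b64encode(packets).decode()
    return "\n".join(["pub   1024R/00000000 2016-04-01", "uid   " + uid.decode(), "",
                      "-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: GnuPG v2", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["-----END PGP PUBLIC KEY BLOCK-----", ""])


if __name__ == "__main__":
    keys, fpr = build_sample_keys_file(), v4_fingerprint(sample_key_body())
    tail = " 2017-07-19 1500490670 0 4 0 1 10 00 "               # constructed VALIDSIG fields
    print("sample key listed:", signer_listed_in_keys(keys, "[GNUPG:] VALIDSIG " + fpr + tail + fpr))
    real = "F434C970B95A6FCA6FB90C454EAAF8B60C1E654B"            # the key that signed RC2 in the thread
    print("thread's key listed:", signer_listed_in_keys(keys, "[GNUPG:] VALIDSIG " + real + tail + real))
```

Against a real candidate, capture the output of `gpg --status-fd 1 --verify apache-oodt-1.1-src.zip.asc apache-oodt-1.1-src.zip` and pass it, together with the KEYS text downloaded from the dist area, to `signer_listed_in_keys`; a `Good signature` whose primary fingerprint is absent from KEYS (the second line the demo prints) is the situation the -1 votes above are about. `v4_fingerprint` raises on any key version other than 4 and `iter_packets` raises on partial or indeterminate lengths, so unexpected key material fails loudly rather than silently contributing no fingerprint; `dearmor` skips an armor CRC line if present but does not verify it.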
