On 17/03/2015 03:14, Maxim Solodovnik wrote:
> Hello Mark,
> 
> I have signed lots of jars during the testing period, then to resolve some
> issues with the code signing service.
> Recently I signed additional jars to write correct instructions [1]
> 
> I'll update the guide, and will use "Apache Openmeetings ***" name for
> further releases
> Please let me know if any other changes are required

Maxim,

I think you misunderstood my question. Sorry it wasn't clear. I'll be
more explicit.

There is no concern about the number of test signings. The concern that
has been raised is around the one production signing.

Why, in the one production signing OpenMeetings has done so far, did you
sign a bunch of JARs that are not 'owned' by the ASF? For example,
spring-beans-4.0.8-RELEASE.

Cheers,

Mark

> 
> [1] http://openmeetings.apache.org/ReleaseGuide.html
> 
> On Tue, Mar 17, 2015 at 2:50 AM, Mark Thomas wrote:
> 
>     Hi,
> 
>     David (V.P. Infra) asked me (with my infra hat on) to take a quick look
>     at your recent(ish) code signing.
> 
>     I see that you have signed a bunch of JARs that are not published by the
>     ASF. I suspect I know why this is but could you briefly explain why you
>     needed to do this please?
> 
>     Secondly, when naming your versions, please could you include "Apache
>     OpenMeetings" in the version name? As the number of TLPs using the
>     service increases it makes it much easier for infra to track who is
>     using the service if we see "Apache OpenMeetings 3.0.4-RELEASE" in the
>     GUI rather than just "3.0.4-RELEASE".
> 
>     I trust that there are no outstanding issues for you with the code
>     signing service (I'm guessing not since you did a release but it is
>     always good to make sure).
> 
>     Thanks in advance,
> 
>     Mark
> 
> 
> 
> 
> -- 
> WBR
> Maxim aka solomax
