On 11/4/2018 6:07 PM, Andrea Pescetti wrote:
> On 31/10/2018 Marcus wrote:
>> To make it an official vote I miss the following information:
>> - What exactly do we vote for (link to the source and binaries)?
> 
> Yes please, let's try to be reasonably serious about releases: due to
> legal implications (among other things), there are some formalities that
> are required; nothing more than what we did for any other Release
> Candidate in history.
> 
> I assume we are voting on (this is the only 4.1.6-RC1 available, but it
> needs to be recorded in the vote discussion!)
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/
> 
>> - What is the time for the vote? Please more than just the normal 72
>> hours so that we all can use a weekend for more testing.
> 
> Elsewhere Peter mentioned until Wednesday 7 November but again this
> should be in the vote thread (so, here).
> 
> And most important: the Release Manager (Peter) must sign the source
> files. I've just spent a lot of time trying to make sense of various
> ways to have multiple signatures in one file, concluding that it is easy
> to do that for a binary signature, but it is a hack to do so for the
> ASCII-armored signatures we use.
> 
> So, in short, Peter as the Release Manager should rectify things by:
> 
> 1) Confirming that the URL and deadline above are correct
> 
> 2) Replacing, before the vote ends, the current signatures with only his
> signature as follows:
> 
> $ svn checkout https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/source
> $ rm *.asc
> $ gpg -a -b --digest-algo=SHA512 *.bz2
> $ gpg -a -b --digest-algo=SHA512 *.gz
> $ gpg -a -b --digest-algo=SHA512 *.zip
> $ svn commit
> 
> About this second item, I see that Matthias concatenated his signature
> to Jim's one: this is possible for the binary format but GPG will
> complain if this is done for the ASCII format, and as you can see by
> searching the net there is no clean way to do it. I checked back in
> version 4.1.2 (that was signed by Juergen and me) and I found out that I
> had simply replaced Juergen's signature with mine in that case (I was
> the Release Manager for 4.1.2). We can do the same this time.
> 
> Regards,
>   Andrea.

In his second vote announcement Peter also specified that to cast a
non-binding vote one still had to download and compile the source on
one's own machine and then test that binary. This is far over and above
anything that has ever been required for a non-binding vote.

Regards
Keith
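
The check below is an added example, not part of either message or of the project's tooling: it audits a release source directory for the problem discussed in the quoted mail, an ASCII-armored `.asc` file holding more than one signature block, and for archives with no signature at all. The function names `check_sigs` and `make_sample` and the `src.*` file names are assumptions, and the sample signature content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits detached signatures next to
# release archives: each archive needs one .asc with exactly one armored block.

check_sigs() {  # usage: check_sigs DIR ; returns 1 if any archive fails
    dir=$1
    status=0
    for f in "$dir"/*.bz2 "$dir"/*.gz "$dir"/*.zip; do
        [ -e "$f" ] || continue                 # pattern matched no file
        name=${f##*/}
        if [ ! -f "$f.asc" ]; then
            echo "MISSING $name"; status=1; continue
        fi
        # grep -c exits 1 on a zero count, hence "|| true"
        begins=$(grep -c '^-----BEGIN PGP SIGNATURE-----' "$f.asc" || true)
        ends=$(grep -c '^-----END PGP SIGNATURE-----' "$f.asc" || true)
        if [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]; then
            echo "OK $name"
        elif [ "$begins" -gt 1 ]; then
            echo "CONCATENATED $name ($begins armored blocks)"; status=1
        else
            echo "MALFORMED $name"; status=1
        fi
    done
    return "$status"
}

make_sample() {  # constructed test data, not real signatures
    d=$1
    : > "$d/src.tar.bz2"; : > "$d/src.tar.gz"; : > "$d/src.zip"
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'Q09OU1RSVUNURUQ=' \
        '-----END PGP SIGNATURE-----' > "$d/src.tar.bz2.asc"
    # Two armored blocks appended into one file, as described in the thread
    cat "$d/src.tar.bz2.asc" "$d/src.tar.bz2.asc" > "$d/src.tar.gz.asc"
    # src.zip deliberately has no .asc
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample "$tmp"; check_sigs "$tmp"; rm -rf "$tmp"
elif [ -n "${1:-}" ]; then
    check_sigs "$1"
fi
```

An `OK` line only says the file is structurally a single armored signature; each one still has to pass `gpg --verify` against the Release Manager's key.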
