Hi All, I do not see any discussion on the release discuss thread. I have a question to the 9 PPMC votes, what all did you verify? It is a good practice to send them to the DISCUSS thread your testing process and what you found. For this release, there is an issue with the key trust, and the PPMC should have very well caught it if you spent 5 minutes to verify the vote while not waiting for the mentors to catch it.
Lahiru, I quickly tried to verify the signatures and I see this: gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719 gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719 I am sure you will raise some eye brows on the general vote. Can you get your key signed by existing Apache committers who are within Apache web of trust? See [1] for explanation and mitigation about this warning. Cheers, Suresh [1] - http://www.apache.org/info/verification.html
