"WARNING: This key is not certified with a trusted signature!"

I don't think it was mentioned because this is a very standard warning.
Release managers do not need to be in the GPG strong set, or even connected
to the web of trust. (Though it is certainly preferred.)


On 24 October 2013 15:47, Suresh Marru <[email protected]> wrote:

> Hi All,
>
> I do not see any discussion on the release discuss thread. I have a
> question to the 9 PPMC votes, what all did you verify? It is a good
> practice to send them to the DISCUSS thread your testing process and what
> you found. For this release, there is an issue with the key trust, and the
> PPMC should have very well caught it if you spent 5 minutes to verify the
> vote while not waiting for the mentors to catch it.
>
> Lahiru,
>
> I quickly tried to verify the signatures and I see this:
>
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
> [email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
>
> I am sure you will raise some eyebrows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
>
> See  [1] for explanation and mitigation about this warning.
>
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html




-- 
Noah Slater
https://twitter.com/nslater
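
Added example, not part of the original message or of any Apache tooling: a Python sketch that reads the machine-readable status lines from `gpg --status-fd 1 --verify` and separates the two questions the warning conflates, whether the signature is cryptographically good and whether the key is certified in the web of trust, by comparing the primary key fingerprint with one obtained out of band. The status lines are constructed around the fingerprint quoted above; the function names, the timestamp fields and the address placeholder are assumptions.

```python
# Added example: interpret `gpg --status-fd 1 --verify` status lines.
# Assumes one signature per run; all names here are illustrative.
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
WOT_TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Fingerprint as printed in the quoted gpg output on this page.
PAGE_FPR = "7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719"
# Constructed status lines (not captured output) for that key.
SAMPLE = """\
[GNUPG:] GOODSIG B01DE39C44BBC719 Lahiru Sandaruwan (Opensource GPG key) <address-redacted>
[GNUPG:] VALIDSIG 7746771DC310AC504A12CAE9B01DE39C44BBC719 2013-10-15 1381831168 0 4 0 1 2 00 7746771DC310AC504A12CAE9B01DE39C44BBC719
[GNUPG:] TRUST_UNDEFINED
"""


def normalize(fpr):
    """Strip the spacing gpg prints in fingerprints and upper-case it."""
    return "".join(fpr.split()).upper()


def assess(status_text, pinned_fingerprint):
    """Accept only a good signature made by the pinned primary key."""
    good, primary, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output is not parsed
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword in FAILED:
            return {"accept": False, "reason": keyword, "web_of_trust": False}
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 2:
            primary = fields[-1].upper()  # last field: primary key fingerprint
        elif keyword.startswith("TRUST_"):
            trust = keyword
    matches = primary == normalize(pinned_fingerprint)
    if not good or primary is None:
        reason = "no good signature"
    elif not matches:
        reason = "fingerprint mismatch"
    else:
        reason = "good signature from pinned key"
    return {"accept": good and matches, "reason": reason,
            "web_of_trust": trust in WOT_TRUSTED}


if __name__ == "__main__":
    print(assess(SAMPLE, PAGE_FPR))
```

With `TRUST_UNDEFINED` the result still accepts the signature when the fingerprint matches, while `web_of_trust` stays false, which is the situation the warning describes.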
