Hi Noah,

Agreed, that's why I am not voting a -1 and letting the PPMC passed vote stand. But I am suggesting Lahiru to get his key signed and checked in before taking it to general.

Suresh

On Oct 24, 2013, at 10:20 AM, Noah Slater <[email protected]> wrote:

> "WARNING: This key is not certified with a trusted signature!"
>
> I don't think it was mentioned because this is a very standard warning.
> Release managers do not need to be in the GPG strong set, or even connected
> to the web of trust. (Though it is certainly preferred.)
>
>
> On 24 October 2013 15:47, Suresh Marru <[email protected]> wrote:
> Hi All,
>
> I do not see any discussion on the release discuss thread. I have a question
> to the 9 PPMC votes, what all did you verify? It is a good practice to send
> them to the DISCUSS thread your testing process and what you found. For this
> release, there is an issue with the key trust, and the PPMC should have very
> well caught it if you spent 5 minutes to verify the vote while not waiting
> for the mentors to catch it.
>
> Lahiru,
>
> I quickly tried to verify the signatures and I see this:
>
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719
>
> I am sure you will raise some eyebrows on the general vote. Can you get your
> key signed by existing Apache committers who are within Apache web of trust?
>
> See [1] for explanation and mitigation about this warning.
>
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html
>
>
>
> --
> Noah Slater
> https://twitter.com/nslater
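Added example, not part of the original thread: the gpg output quoted above answers two separate questions, whether the signature verifies and whether the signing key is certified by a key the verifier trusts. The sketch below reads gpg's machine-readable status lines (`gpg --status-fd 1 --verify`) and reports them separately. The sample status text, the e-mail placeholder, the `assess` function and the pass/fail policy (a good signature from the pinned fingerprint, with trust reported but not required) are assumptions made for illustration, and a single signature per file is assumed.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify` output for the case in the
# thread: the signature verifies, but no trusted key has certified the signer.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B01DE39C44BBC719 Lahiru Sandaruwan (Opensource GPG key) <rm@example.invalid>
[GNUPG:] VALIDSIG 7746771DC310AC504A12CAE9B01DE39C44BBC719 2013-10-15 1381831168 0 4 0 1 2 00 7746771DC310AC504A12CAE9B01DE39C44BBC719
[GNUPG:] TRUST_UNDEFINED
"""

# Fingerprint as printed in the thread. In a real check, pin the value obtained
# out of band (for example from the project's KEYS file), not from the mail.
EXPECTED_FPR = "7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719"

FAILURES = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def assess(status_text, expected_fpr):
    """Split gpg status output into crypto validity, key identity and trust."""
    expected = re.sub(r"\s+", "", expected_fpr).upper()
    result = {"crypto_ok": False, "fingerprint_match": False,
              "trust": None, "problems": []}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and args:
            # VALIDSIG is only emitted when the signature verifies.
            result["crypto_ok"] = True
            # The 10th argument, when present, is the primary key fingerprint.
            primary = args[9] if len(args) > 9 else args[0]
            result["fingerprint_match"] = primary.upper() == expected
        elif keyword in FAILURES:
            result["problems"].append(keyword)
        elif keyword.startswith("TRUST_"):
            # Web-of-trust validity: undefined, never, marginal, fully, ultimate.
            result["trust"] = keyword[len("TRUST_"):].lower()
    # Assumed policy: identity comes from the pinned fingerprint, trust is advisory.
    result["acceptable"] = (result["crypto_ok"] and result["fingerprint_match"]
                            and not result["problems"])
    return result
```

For the sample, `trust` comes back as `undefined`, which corresponds to the "not certified with a trusted signature" warning, while `crypto_ok` and `fingerprint_match` are both true.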
