I think that is a too stringent requirement. Getting a key signed can take weeks or months, depending on where you live and how easy it is to attend a key-signing party.
As long as his key is in the KEYS file, and the KEYS file is hosted on ASF infrastructure, we are good here. Getting his key signed by other people in the community is a *good thing* and he should do it (we all should) if and when he has a chance. But it should not block anything. :) On 24 October 2013 17:39, Suresh Marru <[email protected]> wrote: > Hi Noah, > > Agreed, thats why I am not voting a -1 and letting the PPMC passed vote > stand. But I am suggesting Lahiru to get his key signed and checked in > before taking it to general. > > Suresh > > On Oct 24, 2013, at 10:20 AM, Noah Slater <[email protected]> wrote: > > > "WARNING: This key is not certified with a trusted signature!" > > > > I don't think it was mentioned because this is a very standard warning. > Release managers do not need to be in the GPG strong set, or even connected > the to the web of trust. (Though it is certainly preferred.) > > > > > > On 24 October 2013 15:47, Suresh Marru <[email protected]> wrote: > > Hi All, > > > > I do not see any discussion on the release discuss thread. I have a > question to the 9 PPMC votes, what all did you verify? It is a good > practice to send them to the DISCUSS thread your testing process and what > you found. For this release, there is an issue with the key trust, and the > PPMC should have very well caught it if you spent 5 minutes to verify the > vote while not waiting for the mentors to catch it. > > > > Lahiru, > > > > I quickly tried to verify the signatures and I see this: > > > > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID > 44BBC719 > > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) < > [email protected]>" > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the > owner. > > Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB > C719 > > > > I am sure you will raise some eye brows on the general vote. Can you get > your key signed by existing Apache committers who are within Apache web of > trust? > > > > See [1] for explanation and mitigation about this warning. > > > > Cheers, > > Suresh > > [1] - http://www.apache.org/info/verification.html > > > > > > > > -- > > Noah Slater > > https://twitter.com/nslater > > > > -- Noah Slater https://twitter.com/nslater
