What I would say is that the VOTE email *should* either include instructions on how to test, or we should have a wiki page with instructions on how to test, and we should link to that.

This page should, at a minimum, state:

* How to download the source
* How to check the checksums
* How to check the GPG sig
* How to build the software
* How to verify the software works (even if it's just "does it start up without crashing?", but tests are better...)

Our download page should, of course, have instructions on how to check both the checksums and the GPG sig.

Compare:

http://wiki.apache.org/couchdb/Test_procedure
http://www.apache.org/dist/couchdb/

On 24 October 2013 17:39, Suresh Marru <[email protected]> wrote:

> Hi Noah,
>
> Agreed, that's why I am not voting a -1 and letting the PPMC passed vote
> stand. But I am suggesting Lahiru to get his key signed and checked in
> before taking it to general.
>
> Suresh
>
> On Oct 24, 2013, at 10:20 AM, Noah Slater <[email protected]> wrote:
>
> > "WARNING: This key is not certified with a trusted signature!"
> >
> > I don't think it was mentioned because this is a very standard warning.
> > Release managers do not need to be in the GPG strong set, or even connected
> > to the web of trust. (Though it is certainly preferred.)
> >
> >
> > On 24 October 2013 15:47, Suresh Marru <[email protected]> wrote:
> > Hi All,
> >
> > I do not see any discussion on the release discuss thread. I have a
> > question to the 9 PPMC votes, what all did you verify? It is a good
> > practice to send them to the DISCUSS thread your testing process and what
> > you found. For this release, there is an issue with the key trust, and the
> > PPMC should have very well caught it if you spent 5 minutes to verify the
> > vote while not waiting for the mentors to catch it.
> >
> > Lahiru,
> >
> > I quickly tried to verify the signatures and I see this:
> >
> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <[email protected]>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg: There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719
> >
> > I am sure you will raise some eyebrows on the general vote. Can you get
> > your key signed by existing Apache committers who are within Apache web of
> > trust?
> >
> > See [1] for explanation and mitigation about this warning.
> >
> > Cheers,
> > Suresh
> >
> > [1] - http://www.apache.org/info/verification.html
> >
> >
> >
> > --
> > Noah Slater
> > https://twitter.com/nslater
> >

--
Noah Slater
https://twitter.com/nslater
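The checksum and GPG signature checks that the list above asks for, as an added example written for this page rather than code from the thread, the CouchDB test procedure or any Apache project: a POSIX shell script that compares a release artifact against its detached `.sha512` file and then classifies gpg's machine-readable `--status-fd` output, so that a "Good signature" from a key outside the verifier's web of trust (the warning Suresh quotes) is reported as its own outcome instead of being mistaken for a pass. The `.sha512`/`.asc` file layout, the placeholder artifact name and the `verify_release` entry point are assumptions; the `[GNUPG:] GOODSIG`, `BADSIG`, `ERRSIG`, `NO_PUBKEY` and `TRUST_*` keywords are gpg's real status-line vocabulary.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Apache project.
# Assumed layout (placeholder names): the artifact plus detached
# "<artifact>.sha512" and "<artifact>.asc" files next to it.
# verify_release needs gpg and sha512sum (or shasum) on the PATH; the two
# helper functions below can be exercised without gpg at all.

# Compare a file against a detached checksum file of the form
# "<hex digest>  <name>" (what sha512sum prints). Only the digest is
# compared, so the name recorded in the .sha512 file may differ from
# the local file name. Returns 0 on match, 1 on mismatch or empty file.
verify_checksum() {
    file="$1"; sumfile="$2"
    expected=$(awk 'NR == 1 {print tolower($1)}' "$sumfile")
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 512 "$file" | awk '{print $1}')
    fi
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Read gpg status lines (from "gpg --status-fd 1 --verify sig file") on
# stdin and print exactly one word:
#   bad        no GOODSIG at all, or BADSIG/ERRSIG/NO_PUBKEY seen
#   untrusted  GOODSIG, but gpg reported TRUST_UNDEFINED/NEVER/MARGINAL,
#              i.e. the "not certified with a trusted signature" case
#   trusted    GOODSIG with TRUST_FULLY or TRUST_ULTIMATE
# Exit status is 0 only for "trusted".
classify_gpg_status() {
    good=0; bad=0; trust=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust=full ;;
            "[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*|"[GNUPG:] TRUST_MARGINAL"*) trust=weak ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ]; then
        echo bad; return 1
    elif [ "$trust" = full ]; then
        echo trusted; return 0
    else
        echo untrusted; return 1
    fi
}

# Full check of one release artifact. A good-but-untrusted signature is
# reported as its own case: the remedy is to confirm the signer's
# fingerprint against the project's published KEYS file out of band,
# not to ignore the warning.
verify_release() {
    artifact="$1"
    if ! verify_checksum "$artifact" "$artifact.sha512"; then
        echo "FAIL: checksum mismatch for $artifact"; return 1
    fi
    verdict=$(gpg --batch --status-fd 1 --verify "$artifact.asc" "$artifact" 2>/dev/null \
              | classify_gpg_status) || true
    case "$verdict" in
        trusted)   echo "OK: checksum and signature verified for $artifact"; return 0 ;;
        untrusted) echo "WARN: good signature, but the signing key is not in your web of trust;"
                   echo "      compare its fingerprint with the project KEYS file"; return 1 ;;
        *)         echo "FAIL: signature did not verify for $artifact"; return 1 ;;
    esac
}

# Usage: sh verify_release.sh apache-foo-1.0-src.tar.gz   (placeholder name)
if [ "$#" -ge 1 ]; then
    verify_release "$1"
fi
```

The point of splitting the verdict three ways is that gpg's human-readable output prints "Good signature" and the trust warning as two separate messages, and a reviewer who only greps for the first one accepts a release signed by a key nobody has vouched for; parsing the status lines makes the trust state explicit and lets a vote thread report it.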
