A big +1 for having such instructions. Regarding the key signing, I would in general agree that it takes weeks. But I suggest doing this now as a good practice since this is an exceptional one-off situation. Stratos PPMC has a fleet of Apache Members and where the current RM works has a significant number of ASF committers potentially in the same building.

Suresh

On Oct 24, 2013, at 11:48 AM, Noah Slater <[email protected]> wrote:

> What I would say is that the VOTE email *should* either include instructions
> on how to test, or we should have a wiki page with instructions how to test,
> and we should link to that.
>
> This page should, at a minimum, state:
>
> * How to download the source
> * How to check the checksums
> * How to check the GPG sig
> * How to build the software
> * How to verify the software works (Even if it's just "does it start up
> without crashing?" But tests are better...)
>
> Our download page should, of course, have instructions on how to check both
> the checksums and the GPG sig.
>
> Compare:
>
> http://wiki.apache.org/couchdb/Test_procedure
>
> http://www.apache.org/dist/couchdb/
>
>
> On 24 October 2013 17:39, Suresh Marru <[email protected]> wrote:
> Hi Noah,
>
> Agreed, that's why I am not voting a -1 and letting the PPMC passed vote
> stand. But I am suggesting Lahiru to get his key signed and checked in before
> taking it to general.
>
> Suresh
>
> On Oct 24, 2013, at 10:20 AM, Noah Slater <[email protected]> wrote:
>
> > "WARNING: This key is not certified with a trusted signature!"
> >
> > I don't think it was mentioned because this is a very standard warning.
> > Release managers do not need to be in the GPG strong set, or even connected
> > to the web of trust. (Though it is certainly preferred.)
> >
> >
> > On 24 October 2013 15:47, Suresh Marru <[email protected]> wrote:
> > Hi All,
> >
> > I do not see any discussion on the release discuss thread. I have a
> > question to the 9 PPMC votes, what all did you verify? It is a good
> > practice to send them to the DISCUSS thread your testing process and what
> > you found. For this release, there is an issue with the key trust, and the
> > PPMC should have very well caught it if you spent 5 minutes to verify the
> > vote while not waiting for the mentors to catch it.
> >
> > Lahiru,
> >
> > I quickly tried to verify the signatures and I see this:
> >
> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <[email protected]>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg: There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719
> >
> > I am sure you will raise some eyebrows on the general vote. Can you get
> > your key signed by existing Apache committers who are within Apache web of
> > trust?
> >
> > See [1] for explanation and mitigation about this warning.
> >
> > Cheers,
> > Suresh
> > [1] - http://www.apache.org/info/verification.html
> >
> >
> > --
> > Noah Slater
> > https://twitter.com/nslater
> >
>
>
> --
> Noah Slater
> https://twitter.com/nslater
>
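
As an added example (not part of the thread and not any Apache project's tooling): a POSIX shell function that keeps apart the two questions discussed above, whether the signature is cryptographically good for the expected fingerprint and whether the key is certified in the verifier's web of trust, by reading `gpg --status-fd` lines. The status lines are constructed from the output quoted in the thread; the uid, the function name, the file names in the usage comment and the idea that the expected fingerprint is copied from a KEYS file are assumptions.

```shell
#!/bin/sh
# Added example. Classifies GnuPG status lines read on stdin, e.g. from
#   gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz 2>/dev/null
# (hypothetical file names).
# $1: fingerprint obtained out of band (assumption: from the project's KEYS
#     file); spaces are ignored.
# Prints BAD, NOT_VERIFIED, WRONG_KEY, GOOD_UNTRUSTED or GOOD_TRUSTED.
classify_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=no fpr='' trust=none
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG) echo BAD; return 0 ;;
            GOODSIG) good=yes ;;
            # Assumes a GnuPG that emits the primary key fingerprint as the
            # last VALIDSIG field (the "Primary key fingerprint" value).
            VALIDSIG) fpr=${rest##* } ;;
            # Marginal validity still triggers gpg's warning, so only full
            # or ultimate validity counts as certified here.
            TRUST_FULLY|TRUST_ULTIMATE) trust=ok ;;
        esac
    done
    if [ "$good" != yes ] || [ -z "$fpr" ]; then echo NOT_VERIFIED
    elif [ "$fpr" != "$expected" ]; then echo WRONG_KEY
    elif [ "$trust" = ok ]; then echo GOOD_TRUSTED
    else echo GOOD_UNTRUSTED
    fi
}

# Constructed status lines modelled on the gpg output quoted in the thread.
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B01DE39C44BBC719 Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 7746771DC310AC504A12CAE9B01DE39C44BBC719 2013-10-15 1381831168 0 4 0 1 2 00 7746771DC310AC504A12CAE9B01DE39C44BBC719
[GNUPG:] TRUST_UNDEFINED'
# Fingerprint as printed in the thread.
PAGE_FPR='7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719'

printf '%s\n' "$SAMPLE_UNTRUSTED" | classify_gpg_status "$PAGE_FPR"
```

`GOOD_UNTRUSTED` corresponds to the warning quoted in the thread: the signature checks out against the expected fingerprint, but nothing in the local keyring certifies who owns the key.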
