Hi Noah,

I'll post the listed information to the VOTE email thread. Most probably I can get my key signed in the next few hours.

Thanks for the feedback.

On Thu, Oct 24, 2013 at 9:18 PM, Noah Slater <[email protected]> wrote:

> What I would say is that the VOTE email *should* either include
> instructions on how to test, or we should have a wiki page with
> instructions how to test, and we should link to that.
>
> This page should, at a minimum, state:
>
> * How to download the source
> * How to check the checksums
> * How to check the GPG sig
> * How to build the software
> * How to verify the software works (Even if it's just "does it start up
> without crashing?" But tests are better...)
>
> Our download page should, of course, have instructions on how to check
> both the checksums and the GPG sig.
>
> Compare:
>
> http://wiki.apache.org/couchdb/Test_procedure
>
> http://www.apache.org/dist/couchdb/
>
> On 24 October 2013 17:39, Suresh Marru <[email protected]> wrote:
>
>> Hi Noah,
>>
>> Agreed, that's why I am not voting a -1 and letting the PPMC passed vote
>> stand. But I am suggesting Lahiru to get his key signed and checked in
>> before taking it to general.
>>
>> Suresh
>>
>> On Oct 24, 2013, at 10:20 AM, Noah Slater <[email protected]> wrote:
>>
>> > "WARNING: This key is not certified with a trusted signature!"
>> >
>> > I don't think it was mentioned because this is a very standard warning. Release managers do not need to be in the GPG strong set, or even connected to the web of trust. (Though it is certainly preferred.)
>> >
>> > On 24 October 2013 15:47, Suresh Marru <[email protected]> wrote:
>> > Hi All,
>> >
>> > I do not see any discussion on the release discuss thread. I have a question to the 9 PPMC votes, what all did you verify? It is a good practice to send them to the DISCUSS thread your testing process and what you found. For this release, there is an issue with the key trust, and the PPMC should have very well caught it if you spent 5 minutes to verify the vote while not waiting for the mentors to catch it.
>> >
>> > Lahiru,
>> >
>> > I quickly tried to verify the signatures and I see this:
>> >
>> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
>> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <[email protected]>"
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg: There is no indication that the signature belongs to the owner.
>> > Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719
>> >
>> > I am sure you will raise some eyebrows on the general vote. Can you get your key signed by existing Apache committers who are within Apache web of trust?
>> >
>> > See [1] for explanation and mitigation about this warning.
>> >
>> > Cheers,
>> > Suresh
>> > [1] - http://www.apache.org/info/verification.html
>> >
>> > --
>> > Noah Slater
>> > https://twitter.com/nslater
>
> --
> Noah Slater
> https://twitter.com/nslater

--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: [email protected] cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
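
Added example, not part of the thread: the gpg output quoted above reports a cryptographically good signature made by a key whose ownership gpg cannot vouch for, and a verifier can close that gap by comparing the primary key fingerprint with one obtained out of band. The Python below classifies such a transcript; the function names and the `pinned_fpr` parameter are hypothetical, and it assumes English gpg messages for a single signature.

```python
import re

# gpg --verify output as quoted in the thread (address redacted on the page).
SAMPLE = """\
gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719
"""

def normalize_fpr(text):
    """Drop whitespace and upper-case a fingerprint so two spellings compare equal."""
    return re.sub(r"\s+", "", text).upper()

def assess(gpg_output, pinned_fpr=None):
    """Classify a single-signature gpg transcript (assumes English messages).

    'bad'            -> gpg did not report a good signature
    'good-untrusted' -> signature verifies, key ownership is not established
    'good-trusted'   -> signature verifies and gpg printed no trust warning
    'good-pinned'    -> signature verifies and the fingerprint equals pinned_fpr
    'fpr-mismatch'   -> signature verifies, fingerprint absent or different
    """
    if not re.search(r"^gpg: Good signature from ", gpg_output, re.M):
        return "bad"
    if pinned_fpr is not None:
        # Hypothetical parameter: a fingerprint the verifier got out of band,
        # for example from the project's KEYS file or directly from the signer.
        m = re.search(r"^Primary key fingerprint:([0-9A-Fa-f \t]+)$",
                      gpg_output, re.M)
        if m and normalize_fpr(m.group(1)) == normalize_fpr(pinned_fpr):
            return "good-pinned"
        return "fpr-mismatch"  # fail closed when the fingerprint is missing
    if "not certified with a trusted signature" in gpg_output:
        return "good-untrusted"
    return "good-trusted"

if __name__ == "__main__":
    print(assess(SAMPLE))
    print(assess(SAMPLE, "7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719"))
```

In automation, gpg's `--status-fd` output is a more stable thing to parse than these human-readable messages.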
