TBH I'm not sure this is considered such a big problem these days. I'd noticed it when reviewing the release but we see it often with both Incubator and TLP releases; I don't think anyone would try to hold up a release for it.
...ant

On Thu, Oct 24, 2013 at 2:47 PM, Suresh Marru <[email protected]> wrote:

> Hi All,
>
> I do not see any discussion on the release discuss thread. I have a
> question to the 9 PPMC votes, what all did you verify? It is a good
> practice to send them to the DISCUSS thread your testing process and what
> you found. For this release, there is an issue with the key trust, and the
> PPMC should have very well caught it if you spent 5 minutes to verify the
> vote while not waiting for the mentors to catch it.
>
> Lahiru,
>
> I quickly tried to verify the signatures and I see this:
>
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719
>
> I am sure you will raise some eyebrows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
>
> See [1] for explanation and mitigation about this warning.
>
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html
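
Added example, not part of either message or of any Apache tooling: the gpg output quoted above reports two separate things, a cryptographically good signature and a signing key with no certification path from the verifier's keyring. The sketch below separates them by reading gpg's machine-readable status lines; the function name, verdict strings and sample input are assumptions made for illustration, and the expected fingerprint is assumed to have been obtained through a channel other than the release artifacts.

```python
# Added example: classify `gpg --status-fd 1 --verify` output for a release check.
# SAMPLE_STATUS is constructed from the key ID and fingerprint quoted in the thread;
# it is not captured gpg output.
TRUST_OK = {"TRUST_FULLY", "TRUST_ULTIMATE"}
TRUST_WEAK = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
BAD_STATES = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

FPR = "7746771DC310AC504A12CAE9B01DE39C44BBC719"
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG B01DE39C44BBC719 Lahiru Sandaruwan (Opensource GPG key)\n"
    "[GNUPG:] VALIDSIG " + FPR + " 2013-10-15 1381831168 0 4 0 1 2 00 " + FPR + "\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)


def assess(status_text, expected_fpr):
    """Return (verdict, detail) for the status lines of one signature."""
    expected = expected_fpr.replace(" ", "").upper()
    good, fpr, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword, _, rest = line[len("[GNUPG:] "):].partition(" ")
        fields = rest.split()
        if keyword in BAD_STATES:
            return "reject", keyword          # signature or key state is unusable
        if keyword == "GOODSIG":
            good = True                       # the math checks out, nothing more
        elif keyword == "VALIDSIG" and fields:
            # Field 10 is the primary key fingerprint when gpg reports it.
            fpr = (fields[9] if len(fields) > 9 else fields[0]).upper()
        elif keyword in TRUST_OK or keyword in TRUST_WEAK:
            trust = keyword
    if not good or fpr is None:
        return "reject", "no valid signature reported"
    if fpr != expected:
        return "reject", "signed by unexpected key " + fpr
    if trust in TRUST_OK:
        return "ok", "key is certified through the verifier's web of trust"
    # This is the case behind gpg's "not certified with a trusted signature" warning.
    return "ok-unverified-owner", trust or "no trust line"


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, "7746 771D C310 AC50 4A12 CAE9 B01D E39C 44BB C719"))
```

The "ok-unverified-owner" verdict is only as strong as the channel the expected fingerprint came from; having the key signed by people already in the web of trust, as the quoted message asks, is what moves the result to "ok".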
