On Wed, Aug 26, 2009 at 7:04 AM, Wes Wannemacher<w...@wantii.com> wrote: > Hey, I got that email last night from the henkp bot that checks sigs, > after fixing up the KEYS file on people.a.o,
I assume that, by "fixing up", you mean adding your own release signing key? The KEYS file is checked into SVN, which is where it should be modified. https://svn.apache.org/repos/asf/struts/maven/trunk/build/KEYS If what's on the site ever differs from what's in SVN, then that's very bad, because it means we could have been hacked somehow. The file should never be edited in place. > I tried to check the > signatures as a last minute sanity check and noticed that it seems > like the jars that are deployed are different from the jars sitting on > my machine from when I ran the release... For instance - > > (on people.a.o) > $ shasum struts-annotations-1.0.5*.jar > 40e6914b9ed3988ae38d141099b8a10af7992d8f struts-annotations-1.0.5-javadoc.jar > e9dbf458c0f445d68b71789388a8ca6df426efcb struts-annotations-1.0.5-sources.jar > 373013015e18b6cb6ae488c6755f7824f737c958 struts-annotations-1.0.5.jar > > (on my machine) > $ shasum struts-annotations-1.0.5*jar > a0a67a32990325d06b057c59aef1e974b2669b64 struts-annotations-1.0.5.jar > dfa90f19763e9fa159377f0a105366735954e3f6 struts-annotations-1.0.5-javadoc.jar > a8f2cd8275c50040f5c7d85657fcc877e54a6f66 struts-annotations-1.0.5-sources.jar > > So, of course, the detached sigs are failing as well... I kind of > figure that it's related to the recent disk failure / restore from > backup, but I'm not sure whether I should just SCP the copies out > there or notify infra. Suggestions? If the files really are different, then we have a problem if the files have made it out to mirrors, since I'm not sure that the mirrors will pick up changed versions of the same files. You may need to check with infra on that. It would be good if we can figure out how this happened, too. I'm not sure a disk failure would cause this unless the files are actually corrupted (which would obviously be a major issue too!). -- Martin Cooper > -Wes > > -- > Wes Wannemacher > > Head Engineer, WanTii, Inc. > Need Training? Struts, Spring, Maven, Tomcat... > Ask me for a quote! > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
