Hello,

I have a doubt about this signature test:

wget https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
cat > apache-tomee-8.0.15-plus.tar.gz.asc
(here I copy paste the contents of
https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc,
then I type control-D)
$ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc apache-tomee-8.0.15-plus.tar.gz
gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA key ID E5B8A431
gpg: Good signature from "Richard Zowalla (Code Signing Key) <r...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0 E5B8 A431

Isn't the warning a bit scary?

Note: I previously imported TomEE's keys from
https://downloads.apache.org/tomee/KEYS, which I saved into a file
/tmp/KEYS.txt, then used:
gpg --import /tmp/KEYS.txt

Isn't there a way to make sure gpg won't complain about the trustworthiness
of the signature?

Thanks,
Alex

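The check Alex is asking about, written out as an added example (editor's code, not from the thread or the TomEE project). The warning means only that the signing key has no certification path in the local keyring; gpg did verify the signature ("Good signature"). The check that actually matters is that the key which signed the artifact is the one listed in https://downloads.apache.org/tomee/KEYS, fetched over HTTPS from downloads.apache.org rather than from the staging area that holds the artifact. The script below therefore pins the key by fingerprint and reads gpg's machine-readable status lines (--status-fd) instead of grepping the human-readable text. The fingerprint is the one gpg printed above; the file names, the sample status lines and the all-zero "other key" are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the TomEE project: verify a release
# artifact with gpg --status-fd and pin the signing key by fingerprint.
#
# Usage (file names as in the thread):
#   curl -fsS https://downloads.apache.org/tomee/KEYS | gpg --import
#   verify_release apache-tomee-8.0.15-plus.tar.gz
#
# Fingerprint of the release signing key as printed by gpg in the thread; in
# practice copy it from the KEYS file you fetched over HTTPS.
EXPECTED_FPR="B83D15E72253ED1104EB4FBBDAB472F0E5B8A431"

# check_status WANT: read "[GNUPG:] ..." status lines on stdin. Succeed only if
# a VALIDSIG line names the expected key: field 3 is the fingerprint of the key
# that made the signature, the last field the fingerprint of its primary key, so
# either match pins the signature to the key listed in KEYS. A BADSIG anywhere
# fails the check. TRUST_UNDEFINED (the status behind the "not certified"
# warning) is deliberately ignored: the fingerprint pin replaces web-of-trust.
check_status() {
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
    END { if (ok && !bad) exit 0; exit 1 }
  '
}

# verify_release FILE: verify FILE.asc over FILE. Status lines go to stdout
# (fd 1) and are checked; gpg's human-readable messages still reach stderr.
verify_release() {
  file="$1"
  if gpg --batch --status-fd 1 --verify "$file.asc" "$file" | check_status "$EXPECTED_FPR"; then
    echo "OK: $file is signed by $EXPECTED_FPR"
  else
    echo "FAIL: $file is not signed by the expected key" >&2
    return 1
  fi
}

# Constructed sample of what gpg --status-fd 1 prints for the signature in the
# thread (2023-05-08 12:36:20 UTC = 1683549380; RSA, SHA-256, binary signature).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DAB472F0E5B8A431 Richard Zowalla (Code Signing Key) <r...@apache.org>
[GNUPG:] VALIDSIG B83D15E72253ED1104EB4FBBDAB472F0E5B8A431 2023-05-08 1683549380 0 4 0 1 8 00 B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same shape, but a valid signature from some other key (constructed, all-zero
# fingerprint): a "Good signature" that must still be rejected.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Somebody Else <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-05-08 1683549380 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# self_check: run both samples through check_status offline; prints "ok" when
# the expected key is accepted and the other key rejected.
self_check() {
  printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_FPR" \
    || { echo "FAIL: expected key rejected"; return 1; }
  if printf '%s\n' "$SAMPLE_OTHER_KEY" | check_status "$EXPECTED_FPR"; then
    echo "FAIL: other key accepted"; return 1
  fi
  echo ok
}

self_check
```

Once the fingerprint has been checked against KEYS, the warning itself can be made to go away by certifying the key locally with your own key, `gpg --lsign-key B83D15E72253ED1104EB4FBBDAB472F0E5B8A431` (a non-exportable signature, so it never leaves your keyring); that only records a decision you have already made by comparing fingerprints, it does not add any verification of its own.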
On Mon, 8 May 2023 at 14:50, Richard Zowalla <r...@apache.org> wrote:
>
> Hi all,
>
> this is a vote for a release of Apache TomEE 8.0.15.
>
> It is a maintenance release with some bug fixes and dependency
> upgrades (addressing some CVEs).
>
> ###############
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
>
> <repositories>
> <repository>
> <id>tomee-8.0.15-rc1</id>
> <name>Testing TomEE 8.0.15 RC1</name>
> <url>
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> </url>
> </repository>
> </repositories>
>
> ###############
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
>
> ###############
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
>
>
> ###############
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
>
> ###############
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> ActiveMQ 5.16.6
>  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> CXF 3.5.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> EclipseLink 2.7.12
>  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> Hibernate Integration 5.6.15.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> Jackson 2.15.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> Johnzon 1.2.20
>  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> Jose4j 0.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> Mojarra 2.3.19
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> Tomcat 9.0.73
>  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> Tomcat 9.0.74
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> snakeyaml version 2.0 mitigate CVE-2022-1471
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> ApplicationComposers do not clear GC references on release
>  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> BCProv jar loses its signature during the patch process
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> java.lang.ClassNotFoundException:
> org.apache.openejb.loader.SystemInstance
>  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> Fix creeping in API JARs which should be in javaee-api
>
> == Wish
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> RunWithApplicationComposer should support inheritance
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>
>
> ###############
>
> Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> release tools:
>
>           artifactId              from          to
> ------------------------------- -------- -----------------
>  jackson-annotations             2.14.1   2.15.0
>  jackson-core                    2.14.1   2.15.0
>  jackson-databind                2.14.1   2.15.0
>  jackson-dataformat-yaml         2.14.1   2.15.0
>  saaj-impl                        1.5.1   1.5.3
>  activemq-broker                 5.16.5   5.16.6
>  activemq-client                 5.16.5   5.16.6
>  activemq-jdbc-store             5.16.5   5.16.6
>  activemq-kahadb-store           5.16.5   5.16.6
>  activemq-openwire-legacy        5.16.5   5.16.6
>  activemq-ra                     5.16.5   5.16.6
>  cxf-rt-rs-mp-client             3.4.10   3.5.5
>  johnzon-core                    1.2.19   1.2.20
>  johnzon-jaxrs                   1.2.19   1.2.20
>  johnzon-jsonb                   1.2.19   1.2.20
>  johnzon-jsonp-strict            1.2.19   1.2.20
>  johnzon-mapper                  1.2.19   1.2.20
>  xmlsec                           2.2.3   2.3.2
>  wss4j-bindings                   2.3.3   2.4.1
>  wss4j-policy                     2.3.3   2.4.1
>  wss4j-ws-security-common         2.3.3   2.4.1
>  wss4j-ws-security-dom            2.3.3   2.4.1
>  wss4j-ws-security-policy-stax    2.3.3   2.4.1
>  wss4j-ws-security-stax           2.3.3   2.4.1
>  jose4j                           0.6.0   0.9.3
>  eclipselink                     2.7.11   2.7.12
>  jakarta.faces                   2.3.18   2.3.19
>  stax-ex                          1.8.1   1.8.3
>  snakeyaml                         1.33   2.0
>
> ###############
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Regards
> Richard
>
