Yes, it is ;-) We had this discussion regarding the warning in [1] and I added some explanation to that vote thread in May.
Regards,
Richard

[1] https://lists.apache.org/thread/fkvb28gx3ll4t8srdol49c7jjpdv5sbr

On Monday, 30.10.2023 at 15:55 +0100, Alex The Rocker wrote:
> I imported the key map, and result is better:
>
> $ gpg --verify /tmp/tomee8016.asc apache-tomee-8.0.16-plus.tar.gz
> gpg: Signature made Sun 29 Oct 2023 06:28:05 PM CET
> gpg: using ECDSA key B5D73AFD12C47FA094C7D484F975C27BB17AF6B1
> gpg: Good signature from "Jonathan S. Fisher <exabr...@gmail.com>" [unknown]
> gpg: aka "Jonathan S. Fisher <exabrial+ecli...@gmail.com>" [unknown]
> gpg: aka "Jonathan S. Fisher <jfis...@apache.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8716 38A2 1A7F 2C38 0664 7142 0306 A354 336B 4F0D
> Subkey fingerprint: B5D7 3AFD 12C4 7FA0 94C7 D484 F975 C27B B17A F6B1
> $
>
> The WARNING is a bit bizarre, isn't it ?
>
> Alex
>
> On Mon, 30 Oct 2023 at 15:52, Jonathan S. Fisher <exabr...@gmail.com> wrote:
> >
> > I have 2.2.41, but I think your version should be sufficient if you
> > import the key map from the file Richard linked
> >
> > On Mon, Oct 30, 2023 at 9:48 AM Alex The Rocker <alex.m3...@gmail.com> wrote:
> > >
> > > Here's my gpg version:
> > >
> > > $ gpg --version
> > > gpg (GnuPG) 2.2.20
> > > libgcrypt 1.8.5
> > > Copyright (C) 2020 Free Software Foundation, Inc.
> > > License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> > > This is free software: you are free to change and redistribute it.
> > > There is NO WARRANTY, to the extent permitted by law.
> > >
> > > Home: /u/users/ave/.gnupg
> > > Supported algorithms:
> > > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> > > Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> > > CAMELLIA128, CAMELLIA192, CAMELLIA256
> > > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> > > Compression: Uncompressed, ZIP, ZLIB, BZIP2
> > >
> > > On Mon, 30 Oct 2023 at 15:03, Jonathan S. Fisher <exabr...@gmail.com> wrote:
> > > >
> > > > Interesting. What version of gpg are you using? My signing key
> > > > B17A-F6B1 is a subkey of 336B-4F0D.
> > > >
> > > > :~/servers$ gpg --verify apache-tomee-8.0.16-plume.tar.gz.asc
> > > > gpg: assuming signed data in 'apache-tomee-8.0.16-plume.tar.gz'
> > > > gpg: Signature made Sun Oct 29 12:28:05 2023 CDT
> > > > gpg: using ECDSA key B5D73AFD12C47FA094C7D484F975C27BB17AF6B1
> > > > gpg: Good signature from "Jonathan S. Fisher <exabr...@gmail.com>" [ultimate]
> > > > gpg: aka "Jonathan S. Fisher <exabrial+ecli...@gmail.com>" [ultimate]
> > > > gpg: aka "Jonathan S. Fisher <jfis...@apache.org>" [ultimate]
> > > >
> > > >
> > > > On Mon, Oct 30, 2023 at 8:55 AM Alex The Rocker <alex.m3...@gmail.com> wrote:
> > > > >
> > > > > Thanks Richard,
> > > > >
> > > > > Next issue:
> > > > >
> > > > > $ cat > /tmp/tomee8016.asc
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > >
> > > > > iJUEABMKAB0WIQS11zr9EsR/oJTH1IT5dcJ7sXr2
> > > > > sVPwAX9O8dqTdCcdMlUN1ExEagKIzduv1snt+VSRvKKizDWkMzNRHaGhZ58LqVGu
> > > > > g7FkkkABgIdZ0OXXa6WLjWoMaoMe61/Drg56fYUzqqwof2jBWeYAjdHZ7O/U4Y8V
> > > > > hzxrd0GaFQ==
> > > > > =sRYy
> > > > > -----END PGP SIGNATURE-----
> > > > > $ gpg --verify /tmp/tomee8016.asc apache-tomee-8.0.16-plus.tar.gz
> > > > > gpg: Signature made Sun 29 Oct 2023 06:28:05 PM CET
> > > > > gpg: using ECDSA key B5D73AFD12C47FA094C7D484F975C27BB17AF6B1
> > > > > gpg: Can't check signature: No public key
> > > > >
> > > > > I checked on https://home.apache.org/keys/committer/, and I can't find
> > > > > this B5D73AFD12C47FA094C7D484F975C27BB17AF6B1 key there.
> > > > > Am I missing something ?
> > > > >
> > > > > Alex
> > > > >
> > > > > On Mon, 30 Oct 2023 at 14:52, Richard Zowalla <r...@apache.org> wrote:
> > > > > >
> > > > > > Hi Alex,
> > > > > >
> > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1223/tomee-8.0.16/
> > > > > >
> > > > > > is the correct one (similar to the staging repo id)
> > > > > >
> > > > > > Regards,
> > > > > > Richard
> > > > > >
> > > > > > On Monday, 30.10.2023 at 14:50 +0100, Alex The Rocker wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > There is an issue with the link to binaries & source:
> > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1222/tomee-8.0.16/
> > > > > > > leads to nowhere, maybe did you mean
> > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1223/tomee-8.0.16/
> > > > > > > ?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Alex
> > > > > > >
> > > > > > > On Sun, 29 Oct 2023 at 19:35, Richard Zowalla <r...@apache.org> wrote:
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > This is the second attempt for a vote for a release of Apache TomEE
> > > > > > > > 8.0.16. The first vote was cancelled due to some issues with the BOM
> > > > > > > > modules.
> > > > > > > >
> > > > > > > > I'd like to start with a big thank you and a big applause to Jonathan
> > > > > > > > Fisher. He is rolling out his first release today.
> > > > > > > >
> > > > > > > > Per ASF rules, the actual VOTE needs to be run by a TomEE PMC member,
> > > > > > > > that's why I'm starting it.
> > > > > > > >
> > > > > > > > However, the work has been done by Jonathan, so thank you. Well done.
> > > > > > > >
> > > > > > > > TomEE 8.0.16 is a maintenance release with dependencies upgrades and
> > > > > > > > bug fixes. It also fixes the latest Tomcat vulnerabilities as well as
> > > > > > > > other CVEs.
> > > > > > > >
> > > > > > > > ###############
> > > > > > > >
> > > > > > > > Maven Repo:
> > > > > > > > https://repository.apache.org/content/repositories/orgapachetomee-1223/
> > > > > > > >
> > > > > > > > <repositories>
> > > > > > > >   <repository>
> > > > > > > >     <id>tomee-8.0.16-rc2</id>
> > > > > > > >     <name>Testing TomEE 8.0.16 RC2</name>
> > > > > > > >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1223/</url>
> > > > > > > >   </repository>
> > > > > > > > </repositories>
> > > > > > > >
> > > > > > > > ###############
> > > > > > > >
> > > > > > > > Binaries & Source:
> > > > > > > >
> > > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1222/tomee-8.0.16/
> > > > > > > >
> > > > > > > > ###############
> > > > > > > >
> > > > > > > > Tag:
> > > > > > > >
> > > > > > > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16
> > > > > > > >
> > > > > > > > ###############
> > > > > > > >
> > > > > > > > Release notes:
> > > > > > > >
> > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12353257
> > > > > > > >
> > > > > > > > ###############
> > > > > > > >
> > > > > > > > Here is an adoc generated version of the changelog as well:
> > > > > > > >
> > > > > > > > == Dependency upgrade
> > > > > > > >
> > > > > > > > [.compact]
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266] ActiveMQ 5.16.7 / 5.18.3
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4234[TOMEE-4234] Bouncy Castle 1.75
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4229[TOMEE-4229] CVE-2023-34981 in TomEE 8.0.15
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4218[TOMEE-4218] HSQLDB 2.7.2
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4221[TOMEE-4221] JUnit 5.9.3
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4216[TOMEE-4216] Jackson 2.15.1
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] Jackson 2.15.2
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4228[TOMEE-4228] Johnzon 1.2.21
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4263[TOMEE-4263] Santuario Java (xmlsec) mitigate CVE-2023-44483
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4224[TOMEE-4224] Tomcat 9.0.76
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4237[TOMEE-4237] Tomcat 9.0.79
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4252[TOMEE-4252] Tomcat 9.0.80
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4238[TOMEE-4238] Tomcat 9.0.82
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4262[TOMEE-4262] eclipselink 2.7.13
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4220[TOMEE-4220] log4j 2.20.0 (integration)
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4219[TOMEE-4219] xbeans 4.23
> > > > > > > >
> > > > > > > > == Bug
> > > > > > > >
> > > > > > > > [.compact]
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4222[TOMEE-4222] @LoginToContinue JSR-375 (JavaEE Security API) causes IllegalArgumentException
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4226[TOMEE-4226] DataSource definition fails when @DataSourceDefinition doesn't define url property
> > > > > > > >
> > > > > > > > == Improvement
> > > > > > > >
> > > > > > > > [.compact]
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4031[TOMEE-4031] Improve TomEE Jmx Mbean Support for Parameter Names
> > > > > > > >
> > > > > > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > > > > > >
> > > > > > > > [.compact]
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4234[TOMEE-4234] Bouncy Castle 1.75
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4238[TOMEE-4238] Tomcat 9.0.80
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] Jackson 2.15.2
> > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4229[TOMEE-4229] CVE-2023-34981 in Apache TomEE 8.0.15
> > > > > > > >
> > > > > > > > ########################
> > > > > > > >
> > > > > > > > Please VOTE
> > > > > > > >
> > > > > > > > [+1] go ship it
> > > > > > > > [+0] meh, don't care
> > > > > > > > [-1] stop, there is a ${showstopper}
> > > > > > > >
> > > > > > > > The VOTE is open for 72h or as long as needed.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Richard
> > > > > > > >
> > > >
> > > > --
> > > > Jonathan | exabr...@gmail.com
> > > > Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> > > > half full.
> > > > Engineers, of course, understand the glass is twice as big as it needs to be.
> > > >
> >
> > --
> > Jonathan | exabr...@gmail.com
> > Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> > half full.
> > Engineers, of course, understand the glass is twice as big as it needs to be.
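
The WARNING quoted in the thread reports on the local trust database (no certified path to the key), not on the signature itself, so a scripted release check can pin the primary key fingerprint instead of relying on the trust level. The following is an added example, not part of the original messages: it reads `gpg --status-fd` lines and accepts only a `VALIDSIG` whose primary fingerprint matches the pinned one. The helper name `check_release_sig` is hypothetical and the status lines are constructed from the fingerprints shown in the thread.

```shell
#!/bin/sh
# Fingerprints as printed in the thread, with the spaces removed.
PINNED_PRIMARY=871638A21A7F2C38066471420306A354336B4F0D
SIGNING_SUBKEY=B5D73AFD12C47FA094C7D484F975C27BB17AF6B1

# check_release_sig PRIMARY_FPR   (gpg status lines on stdin)
# Real use: gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | check_release_sig FPR
# Returns 0 only when gpg reported a valid signature whose primary key
# fingerprint (last VALIDSIG field) equals the pinned one.
check_release_sig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { valid = 1; signer = $3; primary = $NF }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = $2 }
        $2 ~ /^TRUST_/   { trust = $2 }
        END {
            if (bad != "" || !valid) {
                print "REJECT " (bad != "" ? bad : "no VALIDSIG"); exit 1
            }
            if (toupper(primary) != toupper(want)) {
                print "REJECT unexpected primary key " primary; exit 1
            }
            print "ACCEPT signer=" signer " trust=" trust
        }'
}

# Constructed status output (timestamp, algorithm ids and user ID are illustrative).
sample_untrusted() {   # key imported but not certified: the run with the WARNING
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F975C27BB17AF6B1 Jonathan S. Fisher
[GNUPG:] VALIDSIG $SIGNING_SUBKEY 2023-10-29 1698600485 0 4 0 19 10 00 $PINNED_PRIMARY
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
sample_no_key() {      # key not in the keyring: "Can't check signature"
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG F975C27BB17AF6B1 19 10 00 1698600485 9
[GNUPG:] NO_PUBKEY F975C27BB17AF6B1
EOF
}

sample_untrusted | check_release_sig "$PINNED_PRIMARY"
sample_no_key | check_release_sig "$PINNED_PRIMARY" || true
```

The pinned fingerprint has to come from a source that is independent of the download being verified; otherwise the check only proves the archive and the key arrived together.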