ok -- tarball and armored signatures are now included in https://dist.apache.org/repos/dist/dev/incubator/trafficcontrol/1.8.0/RC1/ . Adding that to the instructions for future release mgrs...
I'll work on getting the NOTICE updated and creating a KEYS file as well. Once those are done, we'll move on to RC2.. thanks! Dan On Wed, Nov 9, 2016 at 10:34 AM, Leif Hedstrom <[email protected]> wrote: > >> On Nov 8, 2016, at 6:46 PM, Eric Friedrich (efriedri) <[email protected]> >> wrote: >> >> Hey Dan- >> I haven’t looked at the RPMs yet, but I think we also need to put up a >> package for astats. >> >> A few other things: >> - Package name should have “incubating” in it >> - Need signatures directly on the release packages (i.e. 1 detached sig per >> RPM/SRPM), see these: >> https://www.apache.org/dev/release-publishing.html#valid >> https://www.apache.org/dev/release-signing.html#basics >> <https://www.apache.org/dev/release-signing.html#basics> > > Yes, this is very important, you must have a GPG signature. Also, you should > make sure it’s easy / possible to get the public key of the person that > created these artifacts, ideally signed by other trusted people. > > See e.g. https://dist.apache.org/repos/dist/release/trafficserver/KEYS > > Cheers, > > — leif >
