+1 I checked: - git tag verified - gpg sig is good - checksums match source tarball - tarball has correct name and structure - rpms build from tarball - traffic_ops installation and postinstall on a clean Centos7 VM - some basic traffic_ops UI functionality - docs no longer mention build area to download rpms
One caveat -- gpg signature is not signed and so not in the web of trust, but according to http://www.apache.org/dev/release-distribution.html#sigs-and-sums : "Signing keys SHOULD be linked into a strong web of trust." We should get Eric's key signed at the earliest opportunity, but it's not a requirement for the release. On Fri, Jun 16, 2017 at 10:31 AM, Eric Friedrich (efriedri) <[email protected]> wrote: > Hello All, > > I've prepared the next candidate release for incubator-trafficcontrol v2.0.0 > (RC6) > > Changes since 1.8.1: > https://github.com/apache/incubator-trafficcontrol/compare/RELEASE-1.8.1...RELEASE-2.0.0-RC6<https://github.com/apache/incubator-trafficcontrol/compare/RELEASE-1.8.1-RC0...RELEASE-2.0.0-RC5> > > This corresponds to git: > Hash: 85d14ebe2a4ac71236f86f70349481d2b3dc784b > Tag: RELEASE-2.0.0-RC6 > > Which can be verified with the following: git tag -v RELEASE-2.0.0-RC6 > > My code signing key is available here: > http://pgp.mit.edu/pks/lookup?op=get&search=0xF2200BAB9AB7BDD5 > > and here: > https://dist.apache.org/repos/dist/dev/incubator/trafficcontrol/KEYS > > Make sure you refresh from a key server to get all relevant signatures. > > The source .tar.gz file, pgp signature (.asc signed with my key from > above), and md5 and sha512 checksums are provided here: > https://dist.apache.org/repos/dist/dev/incubator/trafficcontrol/2.0.0/RC6 > > > Docs are available here: https://trafficcontrol.apache.org/docs/2.0.x/ > > > The vote will remain open until Friday, June 21, 2017. > > > Thanks, > Eric Friedrich
