Henk kindly pointed me to the KEYS file that I had missed, thank you.

So, +1.  I checked the signatures, the LICENSE, NOTICE, and DISCLAIMER
files.

Alan.

On Tue, Mar 13, 2018 at 10:42 AM, Alan Gates <alanfga...@gmail.com> wrote:

> Per https://www.apache.org/dev/release-distribution#sigs-and-sums
> correctly, the KEYS file is required, hence my comment.
>
> Alan.
>
> On Tue, Mar 13, 2018 at 10:34 AM, Henk P. Penning <penn...@uu.nl> wrote:
>
>> On Tue, 13 Mar 2018, Alan Gates wrote:
>>
>> Date: Tue, 13 Mar 2018 18:04:08 +0100
>>> From: Alan Gates <alanfga...@gmail.com>
>>> To: general@incubator.apache.org
>>> Subject: Re: [VOTE]: Apache HAWQ 2.3.0.0-incubating Release
>>>
>>> ‚ÄčI can't find a KEYS file anywhere in HAWQ to check the key
>>> against.  There is also no name associated with the key, so I'm not
>>> clear how to check the signature.
>>>
>>
>>   Actually, you don't need a KEYS file to verify a .asc :
>>
>>   % gpg apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
>>   gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
>>   gpg:                using RSA key CE60F90D1333092A
>>   gpg: Can't check signature: No public key
>>
>>   No public key ; so, fetch it :
>>
>>   % gpg --keyserver pgp.surfnet.nl --recv-key CE60F90D1333092A
>>   gpg: requesting key CE60F90D1333092A from hkp server pgp.surfnet.nl
>>   gpg: key CE60F90D1333092A: public key "Yi Jin <y...@apache.org>"
>> imported
>>   gpg: Total number processed: 1
>>   gpg:               imported: 1  (RSA: 1)
>>
>>   ... and --verify :
>>
>>   % gpg --verify apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
>>   gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
>>   gpg:                using RSA key CE60F90D1333092A
>>   gpg: Good signature from "Yi Jin <y...@apache.org>"
>>   gpg: WARNING: This key is not certified with a trusted signature!
>>   gpg:          There is no indication that the signature belongs to the
>> owner.
>>   Primary key fingerprint: 41B0 0770 75DF DAFC F809  9A91 CE60 F90D 1333
>> 092A
>>
>>   % gpg --verify apache-hawq-rpm-2.3.0.0-incubating-rc2.tar.gz.asc
>>   gpg: Signature made Tue 27 Feb 2018 04:38:53 AM CET
>>   gpg:                using RSA key CE60F90D1333092A
>>   gpg: Good signature from "Yi Jin <y...@apache.org>"
>>   gpg: WARNING: This key is not certified with a trusted signature!
>>   gpg:          There is no indication that the signature belongs to the
>> owner.
>>   Primary key fingerprint: 41B0 0770 75DF DAFC F809  9A91 CE60 F90D 1333
>> 092A
>>
>>   Note :
>>   - Always use long (16-hex) key-id's, because short (8-hex)
>>     key-id's often point (also) to fake keys.
>>     In your $HOME/.gnupg/gpg.conf configure : keyid-format long
>>   - To check that CE60F90D1333092A is authorised to sign the artifacts,
>>     is another matter.
>>
>>   IMHO, KEYS files serve no purpose.
>>
>>   Regards,
>>
>>   Henk Penning
>>
>> ------------------------------------------------------------   _
>> Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
>> Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
>> Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
>> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl     \_/
>>
>> On Mon, Mar 12, 2018 at 7:56 PM, Roman Shaposhnik <ro...@shaposhnik.org>
>>> wrote:
>>>
>>> +1 (binding)
>>>>
>>>> * checked sigs and checksums
>>>> * checked licenses
>>>> * checked for archive matching git tag
>>>>
>>>> Thanks,
>>>> Roman.
>>>>
>>>>
>>>> On Mon, Mar 12, 2018 at 12:21 PM, Konstantin Boudnik <c...@apache.org>
>>>> wrote:
>>>>
>>>>> +1 [biding]
>>>>>
>>>>> - signature check [ok]
>>>>> - checksum check [ok]
>>>>> - licenses check (RAT) [ok]
>>>>>
>>>>> I haven't tried to build it because of the complexity of the build
>>>>> process and multiplicity of the environment configurations. To lower
>>>>> the entry barrier, I would recommend the community to think how to
>>>>> wrap these steps into the build system. You can go as far as to
>>>>> provide an "official" toolchain for the project. In Bigtop, we even
>>>>> provide official Docker containers were people can start working with
>>>>> the project in under 2 minutes and without any need for additional
>>>>> error prone configuration steps.
>>>>> --
>>>>>   With regards,
>>>>> Konstantin (Cos) Boudnik
>>>>> 2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622
>>>>>
>>>>> Disclaimer: Opinions expressed in this email are those of the author,
>>>>> and do not necessarily represent the views of any company the author
>>>>> might be affiliated with at the moment of writing.
>>>>>
>>>>>
>>>>> On Tue, Mar 6, 2018 at 6:56 PM, Yi JIN <y...@apache.org> wrote:
>>>>>
>>>>>> Hi IPMC members,
>>>>>>
>>>>>> The PPMC vote for the Apache HAWQ 2.3.0.0-incubating release has
>>>>>> passed.
>>>>>> So I request IPMC now to vote on this release candidate. Thank you!
>>>>>>
>>>>>> The release page is here:
>>>>>> https://cwiki.apache.org/confluence/display/HAWQ/Apache+HAWQ+2.3.0.0-
>>>>>>
>>>>> incubating+Release
>>>>
>>>>>
>>>>>> The PPMC vote thread is located here:
>>>>>> https://lists.apache.org/thread.html/fa5b41cd7461bd729146e10d8f7a54
>>>>>>
>>>>> 156c818f93e5a1160c42e76c79@%3Cdev.hawq.apache.org%3E
>>>>
>>>>>
>>>>>> The artifacts can be downloaded here:
>>>>>> https://dist.apache.org/repos/dist/dev/incubator/hawq/2.3.0.
>>>>>>
>>>>> 0-incubating.RC2/
>>>>
>>>>> The artifacts have been signed with Key : CE60F90D1333092A
>>>>>>
>>>>>> All JIRAs completed for this release are tagged with 'FixVersion
>>>>>> =2.3.0.0-incubating'
>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?
>>>>>>
>>>>> version=12340262&styleName=Html&projectId=12318826
>>>>
>>>>>
>>>>>> Please vote accordingly:
>>>>>> [ ] +1, accept as the official Apache HAWQ 2.3.0.0-incubating release
>>>>>> [ ] -1, do not accept as the official Apache HAWQ 2.3.0.0-incubating
>>>>>>
>>>>> release
>>>>
>>>>> because...
>>>>>>
>>>>>> The vote will run for at least 72 hours.
>>>>>>
>>>>>> Best regards,
>>>>>> Yi Jin (yjin)
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>>>> For additional commands, e-mail: general-h...@incubator.apache.org
>>>>>
>>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>>> For additional commands, e-mail: general-h...@incubator.apache.org
>>>>
>>>>
>>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
>>
>
>

Reply via email to