On Fri, Sep 12, 2003 at 09:37:09PM -0400, Shane Curcuru wrote:
> Is it just me, or don't we have a policy that all software distributions
> should be PGP/GPG or equivalently signed with the release manager's key?
> 8-)
>
> Admittedly, plus points to Forrest and Xindice since they've already moved
> their distributions to the mirroring system at
> www.apache.org/dist/xml/[subproject]. But I'd really like to see future
> releases also get signed before they're put on the distro site.

The latest Forrest 0.5 release has been signed:

-bash-2.05b$ pwd
/www/www.apache.org/dist/xml/forrest
-bash-2.05b$ pgp < KEYS
...
...
-bash-2.05b$ pgp apache-forrest-current-bin.tar.gz.asc apache-forrest-current-bin.tar.gz
Pretty Good Privacy(tm) Version 6.5.8
Internal development version only - not for general release.
(c) 1999 Network Associates Inc.

Export of this software may be restricted by the U.S. government.

File 'apache-forrest-current-bin.tar.gz.asc' has signature, but with no text.
Text is assumed to be in file 'apache-forrest-current-bin.tar.gz'.
Good signature from user "Jeff Turner <[EMAIL PROTECTED]>".
Signature made 2003/09/13 04:42 GMT

WARNING: Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "Jeff Turner <[EMAIL PROTECTED]>".

--Jeff

>
> Thanks,
> Shane