On Dec 20, 2007, at 1:34 PM, Frank Barnaby wrote:


On Dec 20, 2007, at 15:50, Frank Barnaby wrote:


On Dec 20, 2007, at 12:59, Craig L Russell wrote:

Hi,

I had a brief look at the release, and huge progress is evident.

RAT had nothing but good things to say about both the src and bin release packages. As we discussed earlier, the .css, .mf, and package-list files should probably be reported as RAT issues since we might assume that there is no IP of significance there.

The signatures check out, with only a mild warning:


gpg: Good signature from "Frank Barnaby (CODE SIGNING KEY) <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.


I noticed that too and have been working on it. I've already edited my key to "trust" myself and have uploaded the key to a public key-server. I've also been reading up on webs of trust, so I should have the trust issue ironed out soon enough.


This just means that Frank should endeavor to have his key signed by some trusted folks in Apache. This is not an issue for an incubating release, just something to work on.


I assisted Jim H. in creating a key and then signing my key. My local testing shows no more warnings, but it would be helpful to have someone else verify.

I downloaded your key and it does show some signing activity, but I still get the warning.

[Bruiser:~/Downloads] clr% gpg --recv-keys 75E20239 7DDF5B95 86124FBC
gpg: requesting key 75E20239 from hkp server subkeys.pgp.net
gpg: requesting key 7DDF5B95 from hkp server subkeys.pgp.net
gpg: requesting key 86124FBC from hkp server subkeys.pgp.net
gpgkeys: key 75E20239 not found on keyserver
gpg: key 7DDF5B95: "Jim Hurley <[EMAIL PROTECTED]>" not changed
gpg: key 86124FBC: "Frank Barnaby <[EMAIL PROTECTED]>" 1 new user ID
gpg: key 86124FBC: "Frank Barnaby <[EMAIL PROTECTED]>" 6 new signatures
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:  54  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  54  signed:  21  trust: 0-, 24q, 0n, 0m, 30f, 0u
gpg: depth: 2  valid:  16  signed:   6  trust: 0-, 13q, 0n, 0m, 3f, 0u
gpg: next trustdb check due at 2009-03-23
gpg: Total number processed: 2
gpg:              unchanged: 1
gpg:           new user IDs: 1
gpg:         new signatures: 6
[Bruiser:~/Downloads] clr% gpg --verify apache-river-2.1.1-incubating-src.zip.asc
gpg: Signature made Wed Dec 19 13:24:12 2007 PST using RSA key ID 86124FBC
gpg: Good signature from "Frank Barnaby <[EMAIL PROTECTED]>"
gpg:                 aka "Frank Barnaby (CODE SIGNING KEY) <[EMAIL PROTECTED]>"
gpg:                 aka "Frank Barnaby <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D074 AD05 445C 34DD 04AE B682 19A2 FF47 8612 4FBC

So key 75E20239 hasn't been uploaded to the key server yet. And despite your key being signed by Jim, that apparently isn't a trusted signature.

And you're now beyond my limited security knowledge. Except to point out again that nothing we're talking about here is germane to releasing the software from the incubator.

As you know, the next step (after verifying that the software actually does something useful) is to ask for a release vote on river-dev and, if that's successful, to get the incubator to vote to release.

Craig

Frank


Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
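As an added example (not code from the thread or the River project), the verification step Craig ran above can be made to fail closed on exactly the warning he sees: gpg's --status-fd output reports the key's trust level on its own line, separate from the "Good signature" result. The status samples below are constructed; the long key ID is derived from the fingerprint printed in the thread and the e-mail address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: classify the machine-readable status lines of
#   gpg --status-fd 1 --verify apache-river-2.1.1-incubating-src.zip.asc | classify_gpg_status
# and print exactly one verdict:
#   TRUSTED    good signature AND the key is fully/ultimately valid in the local web of trust
#   UNTRUSTED  good signature, but the key is not (sufficiently) certified; this is the
#              warning Craig gets, while Frank gets none because he marked his own key ultimate
#   BAD        bad, unverifiable or missing signature
classify_gpg_status() {
    sig=none
    trust=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   [ "$sig" = bad ] || sig=good ;;   # never upgrade a bad one
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) sig=bad ;;
            "[GNUPG:] TRUST_ULTIMATE"*|"[GNUPG:] TRUST_FULLY"*) trust=full ;;
            "[GNUPG:] TRUST_MARGINAL"*|"[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*) trust=weak ;;
        esac
    done
    if [ "$sig" = good ] && [ "$trust" = full ]; then echo TRUSTED
    elif [ "$sig" = good ]; then echo UNTRUSTED
    else echo BAD        # no GOODSIG at all also lands here
    fi
}

# Constructed status output standing in for the situations discussed in the thread.
# Key ID 19A2FF4786124FBC is the low 64 bits of the fingerprint shown above; the address is a placeholder.
SAMPLE_UNTRUSTED='[GNUPG:] GOODSIG 19A2FF4786124FBC Frank Barnaby <frank@example.invalid>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_TRUSTED='[GNUPG:] GOODSIG 19A2FF4786124FBC Frank Barnaby <frank@example.invalid>
[GNUPG:] TRUST_ULTIMATE 0 pgp'
SAMPLE_BAD='[GNUPG:] BADSIG 19A2FF4786124FBC Frank Barnaby <frank@example.invalid>'

for s in "$SAMPLE_UNTRUSTED" "$SAMPLE_TRUSTED" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | classify_gpg_status
done   # prints UNTRUSTED, TRUSTED, BAD
```

A release-checking script can then treat anything other than TRUSTED as a failure, instead of relying on a human to notice the warning under "Good signature".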
