sorry for the noise & being probably paranoid here, but I've once had to deal with compromized source code (proftpd) and I promised myself to cross check as much as I can ...
On 11/17/2015 06:35 PM, John Kinsella wrote: > Thanks. > > Rohit’s out sick, but I’ve reached out to coworkers to see when we can get > that straightened out. I’m confident it’s not a security risk, but will > update once we can confirm that. > > John > >> On Nov 17, 2015, at 9:12 AM, Udo Rader <list...@bestsolution.at> wrote: >> >> created a jira issue for this >> https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ... >> >> On 11/17/2015 12:58 AM, John Kinsella wrote: >>> Rohit - looks like your key isn’t in >>> https://dist.apache.org/repos/dist/release/cloudstack/KEYS ? >>> >>> On Nov 16, 2015, at 3:43 PM, Udo Rader >>> <list...@bestsolution.at<mailto:list...@bestsolution.at>> wrote: >>> >>> Hi, >>> >>> I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the >>> download using gpg, but gpg tells me that the used key is unknown: >>> >>> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc >>> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2' >>> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID >>> 0EE3D884 >>> gpg: Can't check signature: public key not found >>> >>> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or >>> am I missing something? >>> >>> Regards >>> >>> Udo >>> >
