On 6 October 2014 17:56, Gary Gregory <garydgreg...@gmail.com> wrote:
> I was about to plus 1 the release when I looked at the asc file and I am
> likely confusing myself. I:
>
> - Downloaded: https://www.apache.org/dist/commons/KEYS
> - Ran (just to get the latest): gpg --import KEYS
> - Ran: gpg --verify commons-compress-1.9-src.zip.asc
>
> and got:
>
> gpg: Signature made 10/06/14 00:52:35 using DSA key ID 5F6B8B72
> gpg: Good signature from "Stefan Bodewig <bode...@apache.org>"
> gpg:                 aka "Stefan Bodewig <stefan.bode...@freenet.de>"
> gpg:                 aka "Stefan Bodewig <ste...@samaflost.de>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.

This is normal.

Anyone can produce a keypair and sign it with any details they want.

You need to decide whether you trust the key file that you downloaded
actually belongs to the person you expect.

Ideally one meets with the person and you exchange key finger prints.

However you may wish to trust that the key in the KEYS file in SVN was
added by the owner or is otherwise OK.

> Primary key fingerprint: CE80 75A2 5154 7BEE 249B  C151 A211 5AE1 5F6B 8B72
>
> which I am surprised since other messages on this list seem to say that
> while the key used is "weak"/not-long-enough, it is old and "trusted".
>
> I am using gpg (GnuPG) 1.4.11 on Windows.
>
> Please inform...

Read up about the WOT (Web of Trust).

> Thank you,
> Gary
>
> On Mon, Oct 6, 2014 at 1:12 AM, Stefan Bodewig <bode...@apache.org> wrote:
>
>> Hi all,
>>
>> nothing big this time but a few accumulated bug fixes and support for
>> raw DEFLATE streams.
>>
>>   Compress 1.9 RC1 is available for review here:
>>     https://dist.apache.org/repos/dist/dev/commons/compress/
>>     (svn revision 6728)
>>
>>   Maven artifacts are here:
>>
>> https://repository.apache.org/content/repositories/orgapachecommons-1049/org/apache/commons/commons-compress/1.9/
>>
>>   Details of changes since 1.8.1 are in the release notes:
>>
>> https://dist.apache.org/repos/dist/dev/commons/compress/RELEASE-NOTES.txt
>>     http://people.apache.org/~bodewig/COMPRESS-1.9-RC1/changes-report.html
>>
>>   The tag is here:
>>
>> http://svn.apache.org/repos/asf/commons/proper/compress/tags/COMPRESS-1.9-RC1/
>>     (svn revision 1629571)
>>
>>   Site:
>>     http://people.apache.org/~bodewig/COMPRESS-1.9-RC1/
>>   (the 1.9 Javadoc link doesn't work and I'll regenerate the site with
>>     the proper release date once the vote has been accepted)
>>
>>   Clirr Report (compared to 1.8.1):
>>     http://people.apache.org/~bodewig/COMPRESS-1.9-RC1/clirr-report.html
>>
>>   RAT Report:
>>     http://people.apache.org/~bodewig/COMPRESS-1.9-RC1/rat-report.html
>>
>>   KEYS:
>>   https://www.apache.org/dist/commons/KEYS
>>
>>   Please review the release candidate and vote.
>>   This vote will close no sooner that 72 hours from now, i.e. after 0530
>>   GMT 09-October 2014
>>
>>   [ ] +1 Release these artifacts
>>   [ ] +0 OK, but...
>>   [ ] -0 OK, but really should fix...
>>   [ ] -1 I oppose this release because...
>>
>>   Thanks!
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>>
>>
>
>
> --
> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
> Java Persistence with Hibernate, Second Edition
> <http://www.manning.com/bauer3/>
> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
> Spring Batch in Action <http://www.manning.com/templier/>
> Blog: http://garygregory.wordpress.com
> Home: http://garygregory.com/
> Tweet! http://twitter.com/GaryGregory

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Reply via email to