On 1/10/17, 12:29 AM, "Justin Mclean" <jus...@classsoftware.com> wrote:
> >> I don't know where it says that you have to compile the artifacts on >>your >> own machine. > >Here for one [1]. Note that verification in this context means checking >the source release matches with what’s in the version control. Hmm. I interpret that to mean that I can diff an archive generated elsewhere to verify it, then sign it from my machine. > >Thanks, >Justin > >1. http://www.apache.org/dev/release.html#owned-controlled-hardware
