---------- Forwarded message ---------
From: 张铎(Duo Zhang) <palomino...@gmail.com>
Date: Sunday, June 5, 2022 16:36
Subject: Re: [VOTE] Release Apache NuttX (Incubating) 10.3.0 [RC2]
To: <gene...@incubator.apache.org>

I could verify the gpg signature

gpg --verify apache-nuttx-10.3.0-incubating.tar.gz.asc
> gpg: 假定被签名的数据在‘apache-nuttx-10.3.0-incubating.tar.gz’
> gpg: 签名建立于 2022年05月05日 星期四 15时40分00秒 CST
> gpg: 使用 RSA 密钥 FAFEEA08ABE09A8F060D984CA57CE1279F1E7328
> gpg: 完好的签名,来自于 “Alin Jerpelea (CODE SIGNING KEY) <jerpe...@apache.org>” [未知]
> gpg: 警告:此密钥未被受信任签名认证!
> gpg: 没有证据表明此签名属于其声称的所有者。
> 主密钥指纹: FAFE EA08 ABE0 9A8F 060D 984C A57C E127 9F1E 7328

But the key FAFEEA08ABE09A8F060D984CA57CE1279F1E7328 is not in the current KEYS file. I guess it was in the KEYS file in the past, so I imported it in the past.

Please update the KEYS file to add it back, Alin. Usually we should not delete keys from the KEYS file, especially when we are still using the key to sign artifacts.

And on the DISCLAIMER, I used to think if we can fix all the license problems then we can remove it. Will tell the community to add it back, and remove it once NuttX becomes a TLP.

Thanks Justin.

Justin Mclean <jus...@classsoftware.com> wrote on Sunday, June 5, 2022 at 10:16:

> Hi,
>
> Sorry for the delay in checking the but I am also -1 binding as I can’t
> verify the signature and the disclaimer is missing.
>
> I checked:
> - incubating in name
> - while sha512 is correct it looks like the signature is missing from the
> KEYS file
> - DISCLAIMER is missing
> - LICENSE looks fine (but I didn’t do a comprehensive check)
> - NOTICE needs its year updated
> - No unexpected binary files
> - ASF files have ASF headers
>
> Kind Regards,
> Justin
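
The two votes above differ because one keyring already held the signing key while the published KEYS file no longer listed it. As an added example (not from the thread or the NuttX project), the script below verifies a release in a throwaway GnuPG home that contains only the KEYS file, so a previously imported key cannot mask a missing entry. The function names and sample status lines are constructed, and it assumes GnuPG 2.x, where the last VALIDSIG field is the primary key fingerprint.

```shell
#!/bin/sh
# Added example: verify a release signature against ONLY the project's KEYS
# file, ignoring whatever the reviewer's personal keyring already contains.

# Classify `gpg --status-fd` output read on stdin. Prints one of:
#   "valid <primary-fpr>", "missing-key <keyid>", or "bad".
classify_status() {
    awk '
        $1 != "[GNUPG:]"  { next }
        $2 == "VALIDSIG"  { valid = $NF }   # assumption: GnuPG 2.x field layout
        $2 == "NO_PUBKEY" { missing = $3 }
        $2 == "BADSIG"    { bad = 1 }
        END {
            if (bad)                print "bad"
            else if (valid != "")   print "valid " valid
            else if (missing != "") print "missing-key " missing
            else                    print "bad"
        }'
}

# verify_against_keys KEYS SIGNATURE ARTIFACT
# The ( ) body runs in a subshell, so variables stay local to the call.
verify_against_keys() (
    home=$(mktemp -d) || exit 2          # empty keyring, mode 0700
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    result=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$2" "$3" 2>/dev/null | classify_status)
    gpgconf --homedir "$home" --kill all 2>/dev/null
    rm -rf "$home"
    echo "$result"
    case $result in valid*) exit 0 ;; *) exit 1 ;; esac
)

# Constructed status lines (not captured from a real run), using the
# fingerprint quoted in the thread.
FPR=FAFEEA08ABE09A8F060D984CA57CE1279F1E7328
SAMPLE_OK="[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $FPR 2022-05-05 1651736400 0 4 0 1 10 00 $FPR"
SAMPLE_NOKEY="[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY A57CE1279F1E7328"

# Typical call once KEYS, the .asc and the tarball are downloaded:
#   verify_against_keys KEYS apache-nuttx-10.3.0-incubating.tar.gz.asc \
#       apache-nuttx-10.3.0-incubating.tar.gz
```

A `missing-key` result here corresponds to the -1 in the quoted reply: the signature may be intact, but the published KEYS file cannot vouch for it.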