Hi Andrea,

On 05.11.18 at 00:07, Andrea Pescetti wrote:
> On 31/10/2018 Marcus wrote:
>> To make it an official vote I miss the following information:
>> - What exactly do we vote for (link to the source and binaries)?
>
> Yes please, let's try to be reasonably serious about releases: due to
> legal implications (among other things), there are some formalities
> that are required; nothing more than what we did for any other Release
> Candidate in history.
>
> I assume we are voting on (this is the only 4.1.6-RC1 available, but
> it needs to be recorded in the vote discussion!)
> https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/
>
>> - What is the time for the vote? Please more than just the normal 72
>> hours so that we all can use a weekend for more testing.
>
> Elsewhere Peter mentioned until Wednesday 7 November but again this
> should be in the vote thread (so, here).
>
> And most important: the Release Manager (Peter) must sign the source
> files. I've just spent a lot of time trying to make sense of various
> ways to have multiple signatures in one file, concluding that it is
> easy to do that for a binary signature, but it is a hack to do so for
> the ASCII-armored signatures we use.
>
> So, in short, Peter as the Release Manager should rectify things by:
>
> 1) Confirming that the URL and deadline above are correct
>
> 2) Replace, before the vote ends, current signatures with only his
> signature as follows:
>
> $ svn checkout https://dist.apache.org/repos/dist/dev/openoffice/4.1.6-RC1/source
> $ cd source
> $ rm *.asc
> $ gpg -a -b --digest-algo=SHA512 *.bz2
> $ gpg -a -b --digest-algo=SHA512 *.gz
> $ gpg -a -b --digest-algo=SHA512 *.zip
> $ svn commit
>
> About this second item, I see that Matthias concatenated his signature
> to Jim's one: this is possible for the binary format but GPG will
> complain if this is done for the ASCII format, and as you can see by
> searching the net there is no clean way to do it. I checked back in
> version 4.1.2 (that was signed by Juergen and me) and I found out that
> I had simply replaced Juergen's signature with mine in that case (I
> was the Release Manager for 4.1.2). We can do the same this time.

I found double signatures in 4.1.3:
https://archive.apache.org/dist/openoffice/4.1.3/source/apache-openoffice-4.1.3-r1761381-src.zip.asc

But yes, GPG complains about it and will only verify the first.

So Peter's signature should be the only one...

(Of course he could also use our hash-sign.sh, which is fixed now for SHA512).

Regards,
Matthias

>
> Regards,
> Andrea.
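Added example (not part of the original thread, and not the project's hash-sign.sh): a Python check for the situation discussed above. It lists every ASCII-armored signature block in a .asc file together with its digest algorithm, so a concatenated file or a non-SHA512 signature is flagged before the vote closes. The function names are hypothetical, only version 4 signature packets are handled, and the sample input is a constructed packet stub, not a real signature.

```python
import base64
import re

HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880, section 9.4 IDs
BLOCK = re.compile(r"-----BEGIN PGP SIGNATURE-----(.*?)-----END PGP SIGNATURE-----", re.S)

def packet_body(raw):
    """Strip the OpenPGP packet header; require a signature packet (tag 2)."""
    first = raw[0]
    if first & 0x40:                        # new-format header
        tag, n = first & 0x3F, raw[1]
        skip = 2 if n < 192 else 3 if n < 224 else 6 if n == 255 else None
    else:                                   # old-format header
        tag = (first >> 2) & 0x0F
        skip = {0: 2, 1: 3, 2: 5}.get(first & 0x03)   # type 3 = indeterminate
    if tag != 2 or skip is None:
        raise ValueError("not a definite-length signature packet")
    return raw[skip:]

def signatures(asc_text):
    """Return the digest name of every armored signature block in the file."""
    found = []
    for block in BLOCK.findall(asc_text.replace("\r\n", "\n")):
        _headers, _, data = block.partition("\n\n")   # blank line ends armor headers
        b64 = "".join(ln for ln in data.split() if not ln.startswith("="))  # skip CRC24
        body = packet_body(base64.b64decode(b64))
        if body[0] != 4:
            raise ValueError(f"unsupported signature version {body[0]}")
        found.append(HASHES.get(body[3], f"unknown({body[3]})"))
    return found

def problems(asc_text, want="SHA512"):
    """List what a release checker should flag in one .asc file."""
    digests = signatures(asc_text)
    out = [f"block {i} uses {d}, expected {want}"
           for i, d in enumerate(digests, 1) if d != want]
    if len(digests) != 1:
        out.insert(0, f"{len(digests)} signature blocks, expected exactly 1")
    return out

def sample(hash_id):
    """Constructed, unverifiable v4 signature packet stub, armored."""
    body = bytes([4, 0x00, 1, hash_id, 0, 0, 0, 0, 0xAB, 0xCD])
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    print(problems(sample(2) + sample(10)))   # two concatenated blocks
```

The check inspects structure only; verifying the signature itself against the signer's public key is still done with gpg.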