> Please use the official URL for KEYS:
> https://downloads.apache.org/incubator/pekko/KEYS

> This says that the KEYS file can be obtained from the source archive.
> This is totally insecure.
> Anyone could create their own key and add it to the KEYS file in their
> own version of the source.
> The KEYS file should not be included in the source, and documentation
> should only refer to fetching the KEYS file directly from the official
> location.

Apologies, we have an email template that is used and evidently it needs to be updated which I have just done[1]

1: https://github.com/apache/incubator-pekko-site/wiki/Pekko-Release-Process/_compare/74fb418670e2524f5765e1155c63b7244e2b2669

Thanks,
Matthew de Detrich

On Sat, Mar 9, 2024 at 10:44 AM sebb <seb...@gmail.com> wrote:

> On Sat, 9 Mar 2024 at 09:01, Matthew de Detrich
> <matthew.dedetr...@aiven.io.invalid> wrote:
> >
> > Hello Incubator Community,
> >
> > This is a call for a vote to release Apache Pekko(incubating) Sbt Paradox
> > version 1.0.1-RC2.
> >
> > The discussion thread:
> >
> > https://lists.apache.org/thread/8wp7h76dktr99hz6lrclmz7z5or19kdn
> >
> > The Pekko vote thread:
> >
> > https://lists.apache.org/thread/vmxqly8ttsrq82czpcpto34zgk2ndl7x
> >
> > The Pekko vote result:
> >
> > https://lists.apache.org/thread/405ph9bl73zm5rf96p6yp7dcf2tthqc6
> >
> > The release candidate:
> >
> > https://dist.apache.org/repos/dist/dev/incubator/pekko/SBT-PARADOX-1.0.1-RC2/
> >
> > This release has been signed with a PGP key, available here:
> >
> > https://dist.apache.org/repos/dist/release/incubator/pekko/KEYS
>
> Please use the official URL for KEYS:
>
> https://downloads.apache.org/incubator/pekko/KEYS
>
> > Purpose:
> >
> > This is a build tool used in Apache Pekko projects to build the web pages.
> >
> > Git branch for the release:
> >
> > https://github.com/apache/incubator-pekko-sbt-paradox/releases/tag/v1.0.1-RC2
> > Git commit ID: 810043faf10780020a6742b0c2af5dde83dfd628
> >
> > Please download, verify, and test.
> >
> > We have also staged jars in the Apache Nexus Repository. These were
> > built with the same code as appears in this Source Release Candidate.
> > We would appreciate if users could test with these too.
> > If anyone finds any serious problems with these jars, please also notify us
> > on this thread.
> >
> > https://repository.apache.org/content/groups/staging/org/apache/pekko/
> >
> > In sbt, you can add this resolver.
> >
> > resolvers += "Apache Pekko Staging" at "https://repository.apache.org/content/groups/staging"
> >
> > The vote will be left open for at least 72 hours.
> >
> > [ ] +1 approve
> > [ ] +0 no opinion
> > [ ] -1 disapprove with the reason
> >
> > To learn more about Apache Pekko, please see https://pekko.apache.org/
> >
> > Checklist for reference:
> >
> > [ ] Download links are valid.
> > [ ] Checksums and signatures.
> > [ ] LICENSE/NOTICE files exist
> > [ ] No unexpected binary files
> > [ ] Source files have ASF headers
> > [ ] Can compile from source
> >
> > To compile from the source, please refer to:
> >
> > https://github.com/apache/incubator-pekko-http/blob/main/README.md#building-from-source
> >
> > Some notes about verifying downloads can be found at:
> >
> > https://pekko.apache.org/download.html#verifying-downloads
>
> This says that the KEYS file can be obtained from the source archive.
>
> This is totally insecure.
>
> Anyone could create their own key and add it to the KEYS file in their
> own version of the source.
>
> The KEYS file should not be included in the source, and documentation
> should only refer to fetching the KEYS file directly from the official
> location.
>
> >
> > Here is my +1 (binding).
> >
> > Thanks,
> > Matthew de Detrich
> >
> > --
> >
> > Matthew de Detrich
> >
> > *Aiven Deutschland GmbH*
> >
> > Immanuelkirchstraße 26, 10405 Berlin
> >
> > Alexanderufer 3-7, 10117 Berlin
> >
> > Amtsgericht Charlottenburg, HRB 209739 B
> >
> > Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
> >
> > *m:* +491603708037
> >
> > *w:* aiven.io *e:* matthew.dedetr...@aiven.io
>

--

Matthew de Detrich

*Aiven Deutschland GmbH*

Immanuelkirchstraße 26, 10405 Berlin

Alexanderufer 3-7, 10117 Berlin

Amtsgericht Charlottenburg, HRB 209739 B

Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen

*m:* +491603708037

*w:* aiven.io *e:* matthew.dedetr...@aiven.io