I think we should add a section to the release guide with all the
checks we need to do to verify the release:
  * artifacts are signed
  * KEYS file present with key inside
  * check this bug of the gpg plugin
  * ...

On 9/24/07, Daniel Kulp <[EMAIL PROTECTED]> wrote:
>
> OK.....   New issue (very minor)....
>
> Due to a bug in the GPG plugin (I have it fixed, am starting a new
> release shortly), some of your asc files have the wrong name.   Example:
>
> http://people.apache.org/~ffang/maven_staging_graduate/org/apache/servicemix/samples/loan-broker/loan-broker-lw-su/3.1.2/
>
> loan-broker-lw-su-3.1.2-.zip.asc
> should just be:
> loan-broker-lw-su-3.1.2.zip.asc
> Just rename it and you should be all set.
>
> Probably a find for "-." should find all of them.
>
> Dan
>
>
>
> On Monday 24 September 2007, Freeman Fang wrote:
> > Hi Dan,
> >
> > You can find my public key from
> > http://pgp.mit.edu:11371/pks/lookup?search=Freeman+Fang&op=vindex now,
> > signed by Bo.
> > Also I put it into KEYS.
> >
> > Since I generated a new private and public key to sign and deploy it
> > again, to verify the signature you need to download the kit and its
> > .asc again.
> >
> > Best Regards
> >
> > Freeman
> >
> > Daniel Kulp wrote:
> > > On Friday 21 September 2007, Guillaume Nodet wrote:
> > >> In theory, the public key should be in the web of trust.
> > >> See http://people.apache.org/~henkp/trust/
> > >
> > > Well, yes.   But I need to see the key first to see if it's been
> > > signed by anyone.   Right now, we cannot even get that far....
> > >
> > > Freeman: I assume you are sitting pretty close to Bo.  The two of
> > > you should have a quick "key signing party" and get your keys
> > > signed. Then get the public key into the public keyservers and into
> > > the KEYS file.   That would be a start (since Bo's key has been
> > > signed by other Apache folks).
> > >
> > > Dan
> > >
> > >> On 9/21/07, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> > >>> Minor issue:
> > >>> Your GPG public key is not in the KEYS file.   I also could not
> > >>> find it in the public keyserver at pgp.mit.edu.   Thus, I could
> > >>> not verify the signatures.
> > >>>
> > >>> Dan
> > >>>
> > >>> Freeman Fang wrote:
> > >>>> Hi All,
> > >>>>
> > >>>> I have uploaded a version of ServiceMix 3.1.2 for you to review.
> > >>>> See
> > >>>> http://cwiki.apache.org/confluence/display/SM/ServiceMix+3.1.2
> > >>>> for all the links and release notes.
> > >>>>
> > >>>> [ ] +1 Release ServiceMix 3.1.2
> > >>>> [ ] ± 0
> > >>>> [ ] -1 Do not release ServiceMix 3.1.2
> > >>>>
> > >>>> Cheers
> > >>>>
> > >>>> Freeman
> > >>>
> > >>> --
> > >>> View this message in context:
> > >>> http://www.nabble.com/-VOTE--Release-ServiceMix-3.1.2-tf4491617s12049.html#a12824617
> > >>> Sent from the ServiceMix - Dev mailing list archive at Nabble.com.
>
>
>
> --
> J. Daniel Kulp
> Principal Engineer
> IONA
> P: 781-902-8727    C: 508-380-7194
> [EMAIL PROTECTED]
> http://www.dankulp.com/blog
>


-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
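
The checks proposed at the top of this message (KEYS present with a key inside, artifacts signed, the misnamed "-." signature files from the GPG plugin bug) can be scripted as a pass over the staging tree before a vote. This is an added example, not part of the original thread or of ServiceMix tooling; the function names, the artifact extension list and the sample tree are assumptions. It checks file layout only, so verifying each signature with gpg against KEYS remains a separate step.

```shell
#!/bin/sh
# Added example: structural checks on a staged release tree.

# Emit one finding per line for the tree rooted at $1.
scan_release() {
  # 1. KEYS must exist and hold at least one armored public key block.
  grep -qF -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1/KEYS" 2>/dev/null ||
    echo "NO-KEY: $1/KEYS"
  # 2. Signatures misnamed by the GPG plugin bug: the name contains "-."
  find "$1" -type f -name '*-.*.asc' | sort | sed 's/^/MISNAMED-SIG: /'
  # 3. Every artifact needs a sibling <artifact>.asc
  #    (the extension list is an assumption; extend it for your project).
  find "$1" -type f \( -name '*.zip' -o -name '*.jar' -o -name '*.pom' \
      -o -name '*.tar.gz' \) | sort |
    while IFS= read -r f; do
      [ -f "$f.asc" ] || echo "UNSIGNED: $f"
    done
}

# Print findings; return 0 when the tree is clean, 1 otherwise.
check_release() {
  findings=$(scan_release "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample tree: empty placeholder files, no real keys or signatures.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/a" "$d/b" "$d/c"
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$d/KEYS"
  : > "$d/a/good-1.0.jar";   : > "$d/a/good-1.0.jar.asc"
  : > "$d/b/sample-1.0.zip"; : > "$d/b/sample-1.0-.zip.asc"  # misnamed signature
  : > "$d/c/bare-1.0.pom"                                     # never signed
  echo "$d"
}

tree=$(make_sample_tree)
check_release "$tree" || echo "release tree has problems"
rm -rf "$tree"
```

An artifact whose signature was misnamed is reported twice, once as MISNAMED-SIG and once as UNSIGNED, because the correctly named .asc is absent until the file is renamed.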
