[RESULT][VOTE] Release of Apache Tamaya 0.4-incubating, RC2

[Anatole Tresch <at...@gmail.com>]

This vote has been closed with no.
As mentioned earlier, we have to build a third RC due to outdated certs
used. Stay tuned...

Am Di., 27. Aug. 2019 um 20:46 Uhr schrieb Aaron Coburn <
aaron.coburn@gmail.com>:

> Thanks so much for cutting the second release candidate. The source looks
> great (no SNAPSHOT dependencies); I was able to successfully compile and
> test the code. And I was able to successfully use the CDI and Microprofile
> extensions in an external project.
>
> I'd give a +1, but there are two issues I found with the artifacts in the
> distribution area.
>
> First, I believe the .tar.gz and .zip files should have a corresponding
> sha512 checksum (there are no checksum files in
>
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/apiandcore/
>  or
>
> https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/extensions/
> )
>
> Second, I had some difficulty validating the signatures on the files
> themselves. I can import the KEYS file fine:
>
> $ gpg --import KEYS
>
> But the key used to sign these artifacts doesn't seem to be contained in
> that KEYS file. That is, Anatole's public key in the KEYS file has this
> signature: 2791 0BA2 1336 D3E6, but the key used to sign the files is 5B38
> A3EA FE9D 018B. I was able to find that key on a public keyserver, and it
> is registered to anatole@apache.org, but it has also been revoked:
>
> $ gpg --verify apache-tamaya-distribution-0.4-incubating-src.tar.gz.asc
> apache-tamaya-distribution-0.4-incubating-src.tar.gz
> gpg: Signature made Mon Aug 26 18:12:12 2019 EDT
> gpg:                using RSA key 754A1B93C9D5D553482A6FAE5B38A3EAFE9D018B
> gpg: Good signature from "Anatole Tresch <an...@apache.org>" [unknown]
> gpg: WARNING: This key has been revoked by its owner!
> gpg:          This could mean that the signature is forged.
> gpg: reason for revocation: Key is superseded
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 754A 1B93 C9D5 D553 482A  6FAE 5B38 A3EA FE9D 018B
>
> (That key is, in fact, older than the one listed in the KEYS file)
>
> Maybe Julian can advise on whether these are blockers for a release.
>
> Cheers,
> Aaron
>
> On Tue, 27 Aug 2019 at 03:21, Anatole Tresch <at...@gmail.com> wrote:
>
> > Hi,
> >
> > I was running the needed tasks to get the 0.4-incubating release of
> Tamaya
> > out.
> > The artifacts available via the Apache distribution repository [1] and
> > also via Apache's Nexus [2].
> >
> > The tag for this release candidate is available at [3] and will be
> renamed
> > once the vote passed.
> > Please take a look at the artifacts and vote!
> >
> > Please note:
> > This vote is a "majority approval" with a minimum of three +1 votes (see
> > [4]).
> >
> > ------------------------------------------------
> > [ ] +1 for community members who have reviewed the bits
> > [ ] +0
> > [ ] -1 for fatal flaws that should cause these bits not to be released,
> and
> > why ...
> > ------------------------------------------------
> >
> > Thanks,
> > Anatole Tresch
> >
> > [1]
> > https://dist.apache.org/repos/dist/dev/incubator/tamaya/0.4-incubating/
> >
> > [2]
> > https://repository.apache.org/content/repositories/orgapachetamaya-1037
> > [3]
> >
> >
> https://gitbox.apache.org/repos/asf?p=incubator-tamaya.git;a=commit;h=d2d60786e3e72a2bb16e14e1b195f7b2487a33eb
> > [4] http://www.apache.org/foundation/voting.html#ReleaseVotes
> >
> >
> >
> > --
> > *Anatole Tresch*
> > PPMC Member Apache Tamaya
> > JCP Star Spec Lead
> > *Switzerland, Europe Zurich, GMT+1*
> > *maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
> > *Twitter:  @atsticks, @tamayaconf*
> >
>


-- 
*Anatole Tresch*
PPMC Member Apache Tamaya
JCP Star Spec Lead
*Switzerland, Europe Zurich, GMT+1*
*maketechsimple.wordpress.com <http://maketechsimple.wordpress.com/> *
*Twitter:  @atsticks, @tamayaconf*