Posted to dev@stratos.apache.org by Suresh Marru <sm...@apache.org> on 2013/10/24 15:47:14 UTC

PPMC diligence is needed in Voting

Hi All,

I do not see any discussion on the release discuss thread. I have a question for the 9 PPMC votes: what all did you verify? It is good practice to send your testing process and what you found to the DISCUSS thread. For this release, there is an issue with the key trust, and the PPMC should very well have caught it if you had spent 5 minutes verifying the vote, rather than waiting for the mentors to catch it.

Lahiru,

I quickly tried to verify the signatures and I see this:

gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <la...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719

I am sure you will raise some eyebrows on the general vote. Can you get your key signed by existing Apache committers who are within the Apache web of trust?

See [1] for an explanation and mitigation of this warning.

Cheers,
Suresh
[1] - http://www.apache.org/info/verification.html

Re: PPMC diligence is needed in Voting

Posted by Lahiru Sandaruwan <la...@wso2.com>.
Hi Suresh,

Thanks for the feedback.


On Thu, Oct 24, 2013 at 7:17 PM, Suresh Marru <sm...@apache.org> wrote:

> Hi All,
>
> I do not see any discussion on the release discuss thread. I have a
> question to the 9 PPMC votes, what all did you verify? It is a good
> practice to send them to the DISCUSS thread your testing process and what
> you found. For this release, there is an issue with the key trust, and the
> PPMC should have very well caught it if you spent 5 minutes to verify the
> vote while not waiting for the mentors to catch it.
>
> Lahiru,
>
> I quickly tried to verify the signatures and I see this:
>
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
> lahirus@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
>
> I am sure you will raise some eye brows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
>

Sure. Will get my key verified by someone within the Apache web of trust.

Thanks.

>
> See  [1] for explanation and mitigation about this warning.
>
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html




-- 
--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: lahirus@wso2.com cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146

Re: PPMC diligence is needed in Voting

Posted by Suresh Marru <sm...@apache.org>.
On Oct 24, 2013, at 10:02 AM, Lahiru Sandaruwan <la...@wso2.com> wrote:

> On Thu, Oct 24, 2013 at 7:17 PM, Suresh Marru <sm...@apache.org> wrote:
> Hi All,
> 
> I do not see any discussion on the release discuss thread.
> 
> Suresh,
> 
> There is a [Discuss] thread for this release. Subject is "[Discuss] Release Apache Stratos 3.0.0 Incubating RC4."

Lahiru, 

Yes, I did check that, but as you can see from it, I can only see one verification - http://markmail.org/thread/rmjavimst73yennk

Without a corresponding discuss mail for each vote, I assume one of the following might have happened:
* I will vote because I trust Lahiru
* I verified previous RC, so probably this is also ok
* It's been too delayed, so let's get it out now
* I am always working on trunk and I know it works, so this RC is also probably ok

Rather I see a simple authoritative vote:
* I verified the following, so I am happy with these artifacts. 

Suresh

> 
> Thanks.
>  
> I have a question to the 9 PPMC votes, what all did you verify? It is a good practice to send them to the DISCUSS thread your testing process and what you found. For this release, there is an issue with the key trust, and the PPMC should have very well caught it if you spent 5 minutes to verify the vote while not waiting for the mentors to catch it.
> 
> Lahiru,
> 
> I quickly tried to verify the signatures and I see this:
> 
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <la...@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
> 
> I am sure you will raise some eye brows on the general vote. Can you get your key signed by existing Apache committers who are within Apache web of trust?
> 
> See  [1] for explanation and mitigation about this warning.
> 
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html
> 
> 
> 
> -- 
> --
> Lahiru Sandaruwan
> Software Engineer,
> Platform Technologies,
> WSO2 Inc., http://wso2.com
> lean.enterprise.middleware
> 
> email: lahirus@wso2.com cell: (+94) 773 325 954
> blog: http://lahiruwrites.blogspot.com/
> twitter: http://twitter.com/lahirus
> linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
> 


Re: PPMC diligence is needed in Voting

Posted by Lahiru Sandaruwan <la...@wso2.com>.
On Thu, Oct 24, 2013 at 7:17 PM, Suresh Marru <sm...@apache.org> wrote:

> Hi All,
>
> I do not see any discussion on the release discuss thread.


Suresh,

There is a [Discuss] thread for this release. Subject is "[Discuss] Release
Apache Stratos 3.0.0 Incubating RC4."

Thanks.


> I have a question to the 9 PPMC votes, what all did you verify? It is a
> good practice to send them to the DISCUSS thread your testing process and
> what you found. For this release, there is an issue with the key trust, and
> the PPMC should have very well caught it if you spent 5 minutes to verify
> the vote while not waiting for the mentors to catch it.
>
> Lahiru,
>
> I quickly tried to verify the signatures and I see this:
>
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
> lahirus@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
>
> I am sure you will raise some eye brows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
>
> See  [1] for explanation and mitigation about this warning.
>
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html




-- 
--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: lahirus@wso2.com cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146

Re: PPMC diligence is needed in Voting

Posted by ant elder <an...@gmail.com>.
TBH I'm not sure this is considered such a big problem these days. I'd
noticed it when reviewing the release, but we see it often with both
Incubator and TLP releases; I don't think anyone would try to hold up a
release for it.

   ...ant


On Thu, Oct 24, 2013 at 2:47 PM, Suresh Marru <sm...@apache.org> wrote:

> Hi All,
>
> I do not see any discussion on the release discuss thread. I have a
> question to the 9 PPMC votes, what all did you verify? It is a good
> practice to send them to the DISCUSS thread your testing process and what
> you found. For this release, there is an issue with the key trust, and the
> PPMC should have very well caught it if you spent 5 minutes to verify the
> vote while not waiting for the mentors to catch it.
>
> Lahiru,
>
> I quickly tried to verify the signatures and I see this:
>
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
> lahirus@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
>
> I am sure you will raise some eye brows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
>
> See  [1] for explanation and mitigation about this warning.
>
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html

Re: PPMC diligence is needed in Voting

Posted by Lahiru Sandaruwan <la...@wso2.com>.
Hi all,

I got my key signed by Sagara. We also created a wiki page with verification
instructions etc. and sent the details to the [Vote] mail itself.
Hope we are good to go to the general list for the IPMC vote.

Thanks all for the feedback and help.

Thanks.


On Fri, Oct 25, 2013 at 7:12 AM, Lahiru Sandaruwan <la...@wso2.com> wrote:

> Hi Noah,
>
> I'll post the listed information to VOTE email thread. Most probably i can
> get my key signed in next few hours.
>
> Thanks for the feedback.
>
>
> On Thu, Oct 24, 2013 at 9:18 PM, Noah Slater <ns...@apache.org> wrote:
>
>> What I would say is that the VOTE email *should* either include
>> instructions on how to test, or we should have a wiki page with
>> instructions how to test, and we should link to that.
>>
>> This page should, at a minimum, state:
>>
>>  * How to download the source
>>  * How to check the checksums
>>  * How to check the GPG sig
>>  * How to build the software
>>  * How to verify the software works (Even if it's just "does it start up
>> without crashing? But tests are better...)
>>
>> Our download page should, of course, have instructions on how to check
>> both the checksums and the GPG sig.
>>
>> Compare:
>>
>> http://wiki.apache.org/couchdb/Test_procedure
>>
>> http://www.apache.org/dist/couchdb/
>>
>>
>>
>>
>> On 24 October 2013 17:39, Suresh Marru <sm...@apache.org> wrote:
>>
>>> Hi Noah,
>>>
>>> Agreed, thats why I am not voting a -1 and letting the PPMC passed vote
>>> stand. But I am suggesting Lahiru to get his key signed and checked in
>>> before taking it to general.
>>>
>>> Suresh
>>>
>>> On Oct 24, 2013, at 10:20 AM, Noah Slater <ns...@apache.org> wrote:
>>>
>>> > "WARNING: This key is not certified with a trusted signature!"
>>> >
>>> > I don't think it was mentioned because this is a very standard
>>> warning. Release managers do not need to be in the GPG strong set, or even
>>> connected the to the web of trust. (Though it is certainly preferred.)
>>> >
>>> >
>>> > On 24 October 2013 15:47, Suresh Marru <sm...@apache.org> wrote:
>>> > Hi All,
>>> >
>>> > I do not see any discussion on the release discuss thread. I have a
>>> question to the 9 PPMC votes, what all did you verify? It is a good
>>> practice to send them to the DISCUSS thread your testing process and what
>>> you found. For this release, there is an issue with the key trust, and the
>>> PPMC should have very well caught it if you spent 5 minutes to verify the
>>> vote while not waiting for the mentors to catch it.
>>> >
>>> > Lahiru,
>>> >
>>> > I quickly tried to verify the signatures and I see this:
>>> >
>>> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID
>>> 44BBC719
>>> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
>>> lahirus@apache.org>"
>>> > gpg: WARNING: This key is not certified with a trusted signature!
>>> > gpg:          There is no indication that the signature belongs to the
>>> owner.
>>> > Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB
>>> C719
>>> >
>>> > I am sure you will raise some eye brows on the general vote. Can you
>>> get your key signed by existing Apache committers who are within Apache web
>>> of trust?
>>> >
>>> > See  [1] for explanation and mitigation about this warning.
>>> >
>>> > Cheers,
>>> > Suresh
>>> > [1] - http://www.apache.org/info/verification.html
>>> >
>>> >
>>> >
>>> > --
>>> > Noah Slater
>>> > https://twitter.com/nslater
>>> >
>>>
>>>
>>
>>
>> --
>> Noah Slater
>> https://twitter.com/nslater
>>
>>
>
>
> --
> --
> Lahiru Sandaruwan
> Software Engineer,
> Platform Technologies,
> WSO2 Inc., http://wso2.com
> lean.enterprise.middleware
>
> email: lahirus@wso2.com cell: (+94) 773 325 954
> blog: http://lahiruwrites.blogspot.com/
> twitter: http://twitter.com/lahirus
> linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
>
>


-- 
--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: lahirus@wso2.com cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146

Re: PPMC diligence is needed in Voting

Posted by Lahiru Sandaruwan <la...@wso2.com>.
Hi Noah,

I'll post the listed information to the VOTE email thread. Most probably I can
get my key signed in the next few hours.

Thanks for the feedback.


On Thu, Oct 24, 2013 at 9:18 PM, Noah Slater <ns...@apache.org> wrote:

> What I would say is that the VOTE email *should* either include
> instructions on how to test, or we should have a wiki page with
> instructions how to test, and we should link to that.
>
> This page should, at a minimum, state:
>
>  * How to download the source
>  * How to check the checksums
>  * How to check the GPG sig
>  * How to build the software
>  * How to verify the software works (Even if it's just "does it start up
> without crashing? But tests are better...)
>
> Our download page should, of course, have instructions on how to check
> both the checksums and the GPG sig.
>
> Compare:
>
> http://wiki.apache.org/couchdb/Test_procedure
>
> http://www.apache.org/dist/couchdb/
>
>
>
>
> On 24 October 2013 17:39, Suresh Marru <sm...@apache.org> wrote:
>
>> Hi Noah,
>>
>> Agreed, thats why I am not voting a -1 and letting the PPMC passed vote
>> stand. But I am suggesting Lahiru to get his key signed and checked in
>> before taking it to general.
>>
>> Suresh
>>
>> On Oct 24, 2013, at 10:20 AM, Noah Slater <ns...@apache.org> wrote:
>>
>> > "WARNING: This key is not certified with a trusted signature!"
>> >
>> > I don't think it was mentioned because this is a very standard warning.
>> Release managers do not need to be in the GPG strong set, or even connected
>> the to the web of trust. (Though it is certainly preferred.)
>> >
>> >
>> > On 24 October 2013 15:47, Suresh Marru <sm...@apache.org> wrote:
>> > Hi All,
>> >
>> > I do not see any discussion on the release discuss thread. I have a
>> question to the 9 PPMC votes, what all did you verify? It is a good
>> practice to send them to the DISCUSS thread your testing process and what
>> you found. For this release, there is an issue with the key trust, and the
>> PPMC should have very well caught it if you spent 5 minutes to verify the
>> vote while not waiting for the mentors to catch it.
>> >
>> > Lahiru,
>> >
>> > I quickly tried to verify the signatures and I see this:
>> >
>> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID
>> 44BBC719
>> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
>> lahirus@apache.org>"
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg:          There is no indication that the signature belongs to the
>> owner.
>> > Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB
>> C719
>> >
>> > I am sure you will raise some eye brows on the general vote. Can you
>> get your key signed by existing Apache committers who are within Apache web
>> of trust?
>> >
>> > See  [1] for explanation and mitigation about this warning.
>> >
>> > Cheers,
>> > Suresh
>> > [1] - http://www.apache.org/info/verification.html
>> >
>> >
>> >
>> > --
>> > Noah Slater
>> > https://twitter.com/nslater
>> >
>>
>>
>
>
> --
> Noah Slater
> https://twitter.com/nslater
>
>


-- 
--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: lahirus@wso2.com cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146

Re: PPMC diligence is needed in Voting

Posted by Suresh Marru <sm...@apache.org>.
A big +1 for having such instructions.

Regarding the key signing, I would in general agree that it takes weeks. But I suggest doing this now as a good practice, since this is an exceptional one-off situation. The Stratos PPMC has a fleet of Apache Members, and where the current RM works there is a significant number of ASF committers, potentially in the same building.

Suresh

On Oct 24, 2013, at 11:48 AM, Noah Slater <ns...@apache.org> wrote:

> What I would say is that the VOTE email *should* either include instructions on how to test, or we should have a wiki page with instructions how to test, and we should link to that.
> 
> This page should, at a minimum, state:
> 
>  * How to download the source
>  * How to check the checksums
>  * How to check the GPG sig
>  * How to build the software
>  * How to verify the software works (Even if it's just "does it start up without crashing? But tests are better...)
> 
> Our download page should, of course, have instructions on how to check both the checksums and the GPG sig.
> 
> Compare:
> 
> http://wiki.apache.org/couchdb/Test_procedure
> 
> http://www.apache.org/dist/couchdb/
> 
> 
> 
> 
> On 24 October 2013 17:39, Suresh Marru <sm...@apache.org> wrote:
> Hi Noah,
> 
> Agreed, thats why I am not voting a -1 and letting the PPMC passed vote stand. But I am suggesting Lahiru to get his key signed and checked in before taking it to general.
> 
> Suresh
> 
> On Oct 24, 2013, at 10:20 AM, Noah Slater <ns...@apache.org> wrote:
> 
> > "WARNING: This key is not certified with a trusted signature!"
> >
> > I don't think it was mentioned because this is a very standard warning. Release managers do not need to be in the GPG strong set, or even connected the to the web of trust. (Though it is certainly preferred.)
> >
> >
> > On 24 October 2013 15:47, Suresh Marru <sm...@apache.org> wrote:
> > Hi All,
> >
> > I do not see any discussion on the release discuss thread. I have a question to the 9 PPMC votes, what all did you verify? It is a good practice to send them to the DISCUSS thread your testing process and what you found. For this release, there is an issue with the key trust, and the PPMC should have very well caught it if you spent 5 minutes to verify the vote while not waiting for the mentors to catch it.
> >
> > Lahiru,
> >
> > I quickly tried to verify the signatures and I see this:
> >
> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <la...@apache.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
> >
> > I am sure you will raise some eye brows on the general vote. Can you get your key signed by existing Apache committers who are within Apache web of trust?
> >
> > See  [1] for explanation and mitigation about this warning.
> >
> > Cheers,
> > Suresh
> > [1] - http://www.apache.org/info/verification.html
> >
> >
> >
> > --
> > Noah Slater
> > https://twitter.com/nslater
> >
> 
> 
> 
> 
> -- 
> Noah Slater
> https://twitter.com/nslater
> 


Re: PPMC diligence is needed in Voting

Posted by Noah Slater <ns...@apache.org>.
What I would say is that the VOTE email *should* either include
instructions on how to test, or we should have a wiki page with
instructions how to test, and we should link to that.

This page should, at a minimum, state:

 * How to download the source
 * How to check the checksums
 * How to check the GPG sig
 * How to build the software
 * How to verify the software works (Even if it's just "does it start up
without crashing?" But tests are better...)

Our download page should, of course, have instructions on how to check both
the checksums and the GPG sig.

Compare:

http://wiki.apache.org/couchdb/Test_procedure

http://www.apache.org/dist/couchdb/




On 24 October 2013 17:39, Suresh Marru <sm...@apache.org> wrote:

> Hi Noah,
>
> Agreed, thats why I am not voting a -1 and letting the PPMC passed vote
> stand. But I am suggesting Lahiru to get his key signed and checked in
> before taking it to general.
>
> Suresh
>
> On Oct 24, 2013, at 10:20 AM, Noah Slater <ns...@apache.org> wrote:
>
> > "WARNING: This key is not certified with a trusted signature!"
> >
> > I don't think it was mentioned because this is a very standard warning.
> Release managers do not need to be in the GPG strong set, or even connected
> the to the web of trust. (Though it is certainly preferred.)
> >
> >
> > On 24 October 2013 15:47, Suresh Marru <sm...@apache.org> wrote:
> > Hi All,
> >
> > I do not see any discussion on the release discuss thread. I have a
> question to the 9 PPMC votes, what all did you verify? It is a good
> practice to send them to the DISCUSS thread your testing process and what
> you found. For this release, there is an issue with the key trust, and the
> PPMC should have very well caught it if you spent 5 minutes to verify the
> vote while not waiting for the mentors to catch it.
> >
> > Lahiru,
> >
> > I quickly tried to verify the signatures and I see this:
> >
> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID
> 44BBC719
> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
> lahirus@apache.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the
> owner.
> > Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB
> C719
> >
> > I am sure you will raise some eye brows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
> >
> > See  [1] for explanation and mitigation about this warning.
> >
> > Cheers,
> > Suresh
> > [1] - http://www.apache.org/info/verification.html
> >
> >
> >
> > --
> > Noah Slater
> > https://twitter.com/nslater
> >
>
>


-- 
Noah Slater
https://twitter.com/nslater

Re: PPMC diligence is needed in Voting

Posted by Noah Slater <ns...@apache.org>.
I think that is a too stringent requirement. Getting a key signed can take
weeks or months, depending on where you live and how easy it is to attend a
key-signing party.

As long as his key is in the KEYS file, and the KEYS file is hosted on ASF
infrastructure, we are good here.

Getting his key signed by other people in the community is a *good thing*
and he should do it (we all should) if and when he has a chance. But it
should not block anything. :)


On 24 October 2013 17:39, Suresh Marru <sm...@apache.org> wrote:

> Hi Noah,
>
> Agreed, thats why I am not voting a -1 and letting the PPMC passed vote
> stand. But I am suggesting Lahiru to get his key signed and checked in
> before taking it to general.
>
> Suresh
>
> On Oct 24, 2013, at 10:20 AM, Noah Slater <ns...@apache.org> wrote:
>
> > "WARNING: This key is not certified with a trusted signature!"
> >
> > I don't think it was mentioned because this is a very standard warning.
> Release managers do not need to be in the GPG strong set, or even connected
> the to the web of trust. (Though it is certainly preferred.)
> >
> >
> > On 24 October 2013 15:47, Suresh Marru <sm...@apache.org> wrote:
> > Hi All,
> >
> > I do not see any discussion on the release discuss thread. I have a
> question to the 9 PPMC votes, what all did you verify? It is a good
> practice to send them to the DISCUSS thread your testing process and what
> you found. For this release, there is an issue with the key trust, and the
> PPMC should have very well caught it if you spent 5 minutes to verify the
> vote while not waiting for the mentors to catch it.
> >
> > Lahiru,
> >
> > I quickly tried to verify the signatures and I see this:
> >
> > gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID
> 44BBC719
> > gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
> lahirus@apache.org>"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the
> owner.
> > Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB
> C719
> >
> > I am sure you will raise some eye brows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
> >
> > See  [1] for explanation and mitigation about this warning.
> >
> > Cheers,
> > Suresh
> > [1] - http://www.apache.org/info/verification.html
> >
> >
> >
> > --
> > Noah Slater
> > https://twitter.com/nslater
> >
>
>


-- 
Noah Slater
https://twitter.com/nslater

Re: PPMC diligence is needed in Voting

Posted by Suresh Marru <sm...@apache.org>.
Hi Noah,

Agreed, that's why I am not voting a -1 and letting the PPMC passed vote stand. But I am suggesting Lahiru get his key signed and checked in before taking it to general.

Suresh

On Oct 24, 2013, at 10:20 AM, Noah Slater <ns...@apache.org> wrote:

> "WARNING: This key is not certified with a trusted signature!"
> 
> I don't think it was mentioned because this is a very standard warning. Release managers do not need to be in the GPG strong set, or even connected the to the web of trust. (Though it is certainly preferred.)
> 
> 
> On 24 October 2013 15:47, Suresh Marru <sm...@apache.org> wrote:
> Hi All,
> 
> I do not see any discussion on the release discuss thread. I have a question to the 9 PPMC votes, what all did you verify? It is a good practice to send them to the DISCUSS thread your testing process and what you found. For this release, there is an issue with the key trust, and the PPMC should have very well caught it if you spent 5 minutes to verify the vote while not waiting for the mentors to catch it.
> 
> Lahiru,
> 
> I quickly tried to verify the signatures and I see this:
> 
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <la...@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
> 
> I am sure you will raise some eye brows on the general vote. Can you get your key signed by existing Apache committers who are within Apache web of trust?
> 
> See  [1] for explanation and mitigation about this warning.
> 
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html
> 
> 
> 
> -- 
> Noah Slater
> https://twitter.com/nslater
> 


Re: PPMC diligence is needed in Voting

Posted by Noah Slater <ns...@apache.org>.
"WARNING: This key is not certified with a trusted signature!"

I don't think it was mentioned because this is a very standard warning.
Release managers do not need to be in the GPG strong set, or even connected
to the web of trust. (Though it is certainly preferred.)


On 24 October 2013 15:47, Suresh Marru <sm...@apache.org> wrote:

> Hi All,
>
> I do not see any discussion on the release discuss thread. I have a
> question to the 9 PPMC votes, what all did you verify? It is a good
> practice to send them to the DISCUSS thread your testing process and what
> you found. For this release, there is an issue with the key trust, and the
> PPMC should have very well caught it if you spent 5 minutes to verify the
> vote while not waiting for the mentors to catch it.
>
> Lahiru,
>
> I quickly tried to verify the signatures and I see this:
>
> gpg: Signature made Tue Oct 15 05:59:28 2013 EDT using RSA key ID 44BBC719
> gpg: Good signature from "Lahiru Sandaruwan (Opensource GPG key) <
> lahirus@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
>
> I am sure you will raise some eye brows on the general vote. Can you get
> your key signed by existing Apache committers who are within Apache web of
> trust?
>
> See  [1] for explanation and mitigation about this warning.
>
> Cheers,
> Suresh
> [1] - http://www.apache.org/info/verification.html




-- 
Noah Slater
https://twitter.com/nslater
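
Noah's checklist earlier in the thread (check the checksums, check the GPG sig) and the "not certified with a trusted signature" warning from Suresh's gpg run are what a voter's 5-minute verification has to cover. The following is an added example, not code from the Stratos project, the ASF or anyone in this thread: a Python helper that checks the checksum line, reads the machine-readable status lines gpg emits with --status-fd, and, when gpg reports the signing key as TRUST_UNDEFINED (exactly the situation in this thread), falls back to comparing the signing fingerprint against the project's KEYS file, the mitigation verification.html describes and the point Noah makes about the KEYS file on ASF infrastructure. The artifact bytes, the status lines, the SHA-512 checksum line and the KEYS excerpt are constructed for the example; the key ID, fingerprint and address are the ones quoted in the thread.

```python
"""Release-vote verification helper: checksum, signature status, KEYS cross-check.

Added example, not code from the Stratos thread or the ASF. It assumes the usual
Apache layout (artifact, detached .asc signature, a checksum file, the project
KEYS file) and that gpg was run with --status-fd. All sample inputs below are
constructed for the example.
"""
import hashlib
import re

# gpg prints a v4 fingerprint as ten groups of four hex digits with one double
# space in the middle; KEYS files copy that display format verbatim.
_FPR_RE = re.compile(r"(?:[0-9A-Fa-f]{4}\s{0,2}){9}[0-9A-Fa-f]{4}")
# TRUST_* levels at which gpg would not print the "not certified" warning.
_TRUSTED = {"FULLY", "ULTIMATE"}


def normalize_fpr(text):
    """Drop spacing and case so a KEYS fingerprint compares equal to VALIDSIG's."""
    return re.sub(r"\s+", "", text).upper()


def verify_sha512(artifact, sha512_line):
    """Check artifact bytes against a 'digest  filename' line (sha512sum format)."""
    expected = sha512_line.split()[0].lower()
    return hashlib.sha512(artifact).hexdigest() == expected


def fingerprints_in_keys_file(keys_text):
    """Collect fingerprints from a KEYS file (gpg --fingerprint output followed by
    armored keys). Only 'Key fingerprint =' lines and bare fingerprint lines
    (gpg 2.1+ layout) are scanned; the armored base64 body is never matched."""
    found = set()
    for line in keys_text.splitlines():
        stripped = line.strip()
        if "fingerprint" in stripped.lower() or _FPR_RE.fullmatch(stripped):
            m = _FPR_RE.search(stripped)
            if m:
                found.add(normalize_fpr(m.group(0)))
    return found


def parse_gpg_status(status_output):
    """Reduce gpg --status-fd output to (signature_ok, signer_fprs, trust_level).

    GOODSIG/BADSIG say whether the signature verifies; VALIDSIG carries the
    signing-key fingerprint and, as its last field, the primary-key fingerprint;
    TRUST_* is the web-of-trust verdict behind the warning quoted in the thread.
    """
    ok, fprs, trust = False, set(), None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            ok = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            ok = False
        elif keyword == "VALIDSIG":
            fprs.add(fields[2].upper())
            if len(fields) >= 12:          # primary-key fingerprint is present
                fprs.add(fields[11].upper())
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]
    return ok, fprs, trust


def assess_release(artifact, sha512_line, gpg_status, keys_text):
    """Return the verdict a voter should report on the DISCUSS/VOTE thread."""
    if not verify_sha512(artifact, sha512_line):
        return "REJECT: SHA-512 checksum does not match"
    ok, fprs, trust = parse_gpg_status(gpg_status)
    if not ok:
        return "REJECT: signature did not verify"
    if trust in _TRUSTED:
        return "ACCEPT: good signature from a key trusted in the local keyring"
    # The thread's case: GOODSIG but TRUST_UNDEFINED. Fall back to the project
    # KEYS file served from ASF infrastructure, as verification.html suggests.
    if fprs & fingerprints_in_keys_file(keys_text):
        return "ACCEPT: good signature; key outside local web of trust but listed in project KEYS file"
    return "REJECT: good signature but signing key is not listed in the project KEYS file"


# ---- constructed sample inputs (not real release data) -----------------------
SAMPLE_ARTIFACT = b"apache-stratos-3.0.0-incubating-src.zip (constructed placeholder bytes)\n"
SAMPLE_SHA512_LINE = (hashlib.sha512(SAMPLE_ARTIFACT).hexdigest()
                      + "  apache-stratos-3.0.0-incubating-src.zip")
_FPR = "7746771DC310AC504A12CAE9B01DE39C44BBC719"   # fingerprint quoted in the thread
SAMPLE_STATUS_UNTRUSTED = "\n".join([           # shape of real --status-fd output, constructed
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG B01DE39C44BBC719 Lahiru Sandaruwan (Opensource GPG key) <lahirus@apache.org>",
    "[GNUPG:] VALIDSIG " + _FPR + " 2013-10-15 1381831168 0 4 0 1 2 00 " + _FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
SAMPLE_STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG B01DE39C44BBC719 Lahiru Sandaruwan <lahirus@apache.org>"
SAMPLE_KEYS = """\
pub   2048R/44BBC719 2013-10-15
      Key fingerprint = 7746 771D C310 AC50 4A12  CAE9 B01D E39C 44BB C719
uid                  Lahiru Sandaruwan (Opensource GPG key) <lahirus@apache.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
"""

if __name__ == "__main__":
    for status in (SAMPLE_STATUS_UNTRUSTED, SAMPLE_STATUS_BAD):
        print(assess_release(SAMPLE_ARTIFACT, SAMPLE_SHA512_LINE, status, SAMPLE_KEYS))
```

To use it against a real candidate, capture `gpg --status-fd 1 --verify artifact.asc artifact` and pass its stdout as `gpg_status`, read the KEYS file from the project's dist area rather than from the candidate's own staging directory, and swap `hashlib.sha512` for whichever digest the release ships. The design point is the second ACCEPT branch: a GOODSIG plus TRUST_UNDEFINED is not a failure, but it is only acceptable once the fingerprint has been matched against something the voter trusts independently of the signer, which is what the KEYS file on ASF infrastructure provides.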