serf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ivan Zhakov <i...@visualsvn.com>
Subject Re: [Vote] Apache Serf 1.3.9 up for signing/testing
Date Wed, 31 Aug 2016 12:34:57 GMT
On 31 August 2016 at 15:29, Bert Huijben <bert@qqmail.nl> wrote:
>> -----Original Message-----
>> From: justin.erenkrantz@gmail.com [mailto:justin.erenkrantz@gmail.com] On
>> Behalf Of Justin Erenkrantz
>> Sent: woensdag 31 augustus 2016 14:04
>> To: Bert Huijben <bert@qqmail.nl>
>> Cc: dev@serf.apache.org
>> Subject: Re: [Vote] Apache Serf 1.3.9 up for signing/testing
>>
>> On Wed, Aug 31, 2016 at 8:02 AM, Bert Huijben <bert@qqmail.nl> wrote:
>> > If you still want to add your signature, please commit them to
>> > https://dist.apache.org/repos/dist/release/serf
>>
>> I don't know what the process for doing that is any more.  Any
>> pointers?  -- justin
>
>         Hi Justin,
>
> This is the first time we did this for serf, so I just used the method we used for Subversion
for several years.
> http://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
>
> The usual procedure is a checkout of https://dist.apache.org/repos/dist/dev/serf, which
gets you the artifacts and .asc files
>
> I scripted the signing for myself by calling
> $ gpg -ba -o - "$file" >> "$file.asc"
> '-b' is for a detached signature
> '-a' is for an ascii signature
> '-o -' sends the output to stdout, which allows the forwarding with >>
>
> Committing the .asc files back stores them in the staging area... but I just copied them
from there to the release area ^/release/serf. But PMC members can just add the keys to the
.asc files there.
>
>
> We currently have 3 signatures, so we have everything we need for
> our first proper ASF release tomorrow, but of course it will be useful
> if more developers know how to provide the signatures.
>
Hi Bert,

I noticed that other ASF projects publish .asc files only with one
signature. See httpd-2.2.31.tar.gz.asc for example [1]. Also GPG
checks only first signature and I'm getting warning like below if .asc
file has multiple signatures:
[[
gpg: WARNING: multiple signatures detected.  Only the first will be checked.
]]

[1] https://www.apache.org/dist/httpd/httpd-2.2.31.tar.gz.asc


-- 
Ivan Zhakov

Mime
View raw message