On 08/06/18 10:45, Rainer Jung wrote:
> Some early observations, at least the broken signature needs fixing:
> 
> - previously sources were in a download folder named "source", now they
> are in "sources" (plural form).

fixed.

> 
> - sha1 and sha512 checksums not there, only md5. 1.2.16 had all three

fixed.

> 
> - file sources/tomcat-native-1.2.17-win32-src.zip.asc has a bad pgp
> signature:
> 
> gpg: assuming signed data in `tomcat-native-1.2.17-win32-src.zip'
> gpg: Signature made June  7, 2018  1:36:05 PM CEST
> gpg:                using RSA key ED3873F5D3262722
> gpg: BAD signature from "Jean-Frederic Clere (Apache signing key)
> <jfcl...@apache.org>"
> 
> Other signatures are OK, so please check integrity of the file
> tomcat-native-1.2.17-win32-src.zip and fix either this file or the asc
> file.

Fixed:
+++
[jfclere@dhcp-144-173 1.2.17]$ gpg --verify source/tomcat-native-1.2.17-win32-src.zip.asc
gpg: assuming signed data in `source/tomcat-native-1.2.17-win32-src.zip'
gpg: Signature made Fri 08 Jun 2018 16:03:14 CEST using RSA key ID D3262722
gpg: Good signature from "Jean-Frederic Clere (Apache signing key) <jfcl...@apache.org>"
+++

> 
> - when I extract the zip sources on Unix, I get all dirs and files with
> group write permission. That sounds unsafe. It wasn't like that for 1.2.16.

umask 0022 hm no idea why the umask on my fedora27, minor, correct?

> 
> - OpenSSL used according to VERSIONS file is 1.0.2m, shouldn't it be
> 1.0.2o?

I wasn't sure to update it, does that block your vote?
https://www.openssl.org/news/vulnerabilities.html

Cheers

Jean-Frederic

> 
> Regards,
> 
> Rainer
> 
> Am 07.06.2018 um 17:50 schrieb jean-frederic clere:
>> Version 1.2.17 includes the following changes compared to 1.2.16:
>>
>> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
>>
>> Various other fixes and improvements. See the changelog for details.
>>
>> The proposed release artefacts can be found at [1],
>> and the build was done using tag [2].
>>
>> The Apache Tomcat Native 1.2.17 is
>>   [ ] Stable, go ahead and release
>>   [ ] Broken because of ...
>>
>> Thanks,
>>
>> Jean-Frederic
>>
>>
>> [1]
>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
>>
>> [2]
>> https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> 
> 
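
The group-write observation raised in this thread can be checked before extraction by reading the Unix mode bits stored in the zip's central directory. This is an added example, not part of the original thread or of the Tomcat project's tooling; the archive contents and the names `risky_entries`, `build_sample` and `pkg-src/...` are constructed for illustration.

```python
import io
import stat
import zipfile

UNIX = 3  # "version made by" host value for Unix in the ZIP format
RISKY = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable bits


def risky_entries(zip_file):
    """Return [(name, 'drwxrwxr-x'), ...] for entries stored group/world-writable."""
    findings = []
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # high 16 bits carry the Unix st_mode
            if info.create_system != UNIX or mode == 0:
                continue  # no Unix mode recorded for this entry
            if mode & RISKY:
                findings.append((info.filename, stat.filemode(mode)))
    return findings


def build_sample(modes):
    """Constructed archive for the demo: {name: st_mode} -> in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in modes.items():
            info = zipfile.ZipInfo(name)
            info.create_system = UNIX
            info.external_attr = mode << 16
            zf.writestr(info, b"" if name.endswith("/") else b"sample\n")
    buf.seek(0)
    return buf


# Constructed sample: two entries carry group write, one does not.
SAMPLE = build_sample({
    "pkg-src/": stat.S_IFDIR | 0o775,
    "pkg-src/configure": stat.S_IFREG | 0o775,
    "pkg-src/README.txt": stat.S_IFREG | 0o644,
})

if __name__ == "__main__":
    for name, perms in risky_entries(SAMPLE):
        print(perms, name)
```

`risky_entries` also accepts a path to a downloaded archive, so it can run alongside the signature and checksum checks on a release candidate.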

