On 06/10/2012, at 2:23 AM, Chip Childers <chip...@sungard.com> wrote:
On Fri, Oct 5, 2012 at 12:16 PM, Brett Porter <bre...@apache.org> wrote:
On 06/10/2012, at 12:54 AM, Alex Huang <Alex...@citrix.com> wrote:
Please follow the test procedure before voting:
I noticed the instructions rely on importing keys from a key server, afterdownloading the KEYS file. Wouldn't it be better to import the KEYS filedirectly instead?
I followed the CouchDB test procedure document  as the template for
that verification step. Is it more common to use the KEYS file?
The doc says...
"You will need to import the keys into your local keychain before you cancontinue.
You can do this manually, from the KEYS file.
Or, you can import them from a public key server:"
There is more info here:http://www.apache.org/dev/release-signing#public-key-not-found
If you download from a key server, you need to trust it and check thefingerprint matches. Importing the keys file is typically quicker and moretrustworthy.