cassandra-commits mailing list archives

From "Mark Thomas (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-12239) Add mshuler's key FE4B2BDA to dist/cassandra/KEYS
Date Mon, 22 Aug 2016 21:27:20 GMT


Mark Thomas commented on CASSANDRA-12239:

With my Infra and Security team hats on, best practice is individual keys. Shared keys are
too insecure.

For specific cases (JAR signing, signing Windows binaries and signing stuff for the Apple
Store) that need keys that end users will inherently trust (because their OS trusts the relevant
CAs) Infra provides access to a code signing service but for normal releases (99+% of all
ASF releases) OpenPGP signatures from a committer's key are sufficient.

> Add mshuler's key FE4B2BDA to dist/cassandra/KEYS
> -------------------------------------------------
>                 Key: CASSANDRA-12239
>                 URL:
>             Project: Cassandra
>          Issue Type: Task
>          Components: Packaging
>            Reporter: Michael Shuler
>            Assignee: Michael Shuler
>            Priority: Blocker
>             Fix For: 3.8
>         Attachments: KEYS+mshuler.diff.txt
> I've started working on packaging with the 3.8 release and signed the staging artifacts
> with FE4B2BDA. This key will need to be added for the debian repository signature to function
> correctly, if it's released as-is, or perhaps [~tjake] will need to re-sign the release. Users
> will need to also fetch this new key and add to {{apt-key}}.
> {{KEYS}} patch attached.
> Assigned to myself, but I am not sure exactly where {{KEYS}} lives - in svn somewhere
> or a direct upload? :)

This message was sent by Atlassian JIRA
