commons-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [all] releases
Date Wed, 23 Apr 2008 08:30:36 GMT
2008/4/23 Torsten Curdt <tcurdt@apache.org>:
>
> > Risks are mitigated to an arguably acceptable level by wrappering the
> > entire release process at Apache around the point to point secure
> > transport guarantee that signing is meant to provide.
> >
>
>  That only holds true if you don't use mirrors and people get the releases
> directly from us.
>
>

Surely only the KEYS (and digests) need to be obtained from us?

>
> > I am generally hesitant to introduce any more overhead for folks to
> > step up to RM'ing releases than is strictly necessary, given that this
> > community needs a lot more of 'em.
> >
>
>  I agree ...but as said. I am happy to step up and just do the signing if
> that really is the bottleneck.
>
>
>
> > The amount of security rigor applied that would cause an unsigned key
> > to be a blocking factor for signing releases would probably also
> > discount the above from being acceptable.
> >
>
>  Why is that? I cannot follow that argument
>
>
>
> > As one data point of the operational reality, there were several
> > artifacts released using my key which was unsigned for years until a
> > little over a week ago.
> >
>
>  Not good. But now that your key is signed it retroactively validates the
> releases. Actually with all the release nitpicking we do I am surprised this
> hasn't been brought up - or got ignored ;)
>

The signing key has to be in the KEYS file; the KEYS file is normally
in SVN which implies that the person who updated it has an ASF login.

>  Frankly speaking I think the signing is the least blocking part in our
> release process. We have enough PMC members that have a cross signed key.
>
>
>
> > Finally, from reading Matt's email at the top of the thread I did get
> > the sense that he was keen on getting his key signed, so I didn't
> > stress that any further.
> >
>
>  Let's get him signed :)
>
>
>
>  cheers
>  --
>  Torsten
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
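The verification flow sebb's question implies (artifact from any mirror, but KEYS, signature and digest from the canonical origin), written out as an added example that is not part of this thread or of any Apache project's tooling. It assumes the caller has already fetched KEYS, the `.asc` and a `<hex>  <filename>`-style `.sha512` file from the canonical site, and it verifies in a throwaway keyring so the result does not depend on the caller's own web of trust.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify a mirrored release artifact
# against KEYS, .asc and .sha512 obtained from the canonical origin.
set -u

sha512_of() {  # print the hex SHA-512 of a file (coreutils or perl shasum)
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Digest file format assumed: "<hex>  <filename>" (optionally "*<filename>").
# The filename is checked too, so a digest for some other artifact cannot be
# swapped in alongside a substituted tarball.
check_digest() {  # artifact digestfile
  local artifact=$1 digestfile=$2 expected named actual
  read -r expected named < "$digestfile" || return 1
  named=${named#\*}
  [ "$named" = "${artifact##*/}" ] || return 1
  actual=$(sha512_of "$artifact") || return 1
  [ "$actual" = "$expected" ]
}

# Import KEYS into a temporary keyring and verify the detached signature there.
# Fails closed when gpg is unavailable: an unverified artifact is not trusted.
check_signature() {  # artifact ascfile keysfile
  local artifact=$1 asc=$2 keys=$3 home rc
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found; refusing artifact" >&2; return 1; }
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null || { rm -rf "$home"; return 1; }
  gpg --homedir "$home" --batch --verify "$asc" "$artifact" 2>/dev/null
  rc=$?
  rm -rf "$home"
  return "$rc"
}

# Both checks must pass; the digest guards transport errors, the signature
# guards substitution, and only KEYS from the canonical origin anchors trust.
verify_release() {  # artifact ascfile digestfile keysfile
  check_digest "$1" "$3" && check_signature "$1" "$2" "$4"
}
```

The fetched KEYS file is the trust root here: a KEYS file served by the same mirror as the artifact proves nothing, which is exactly the point made above.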

