community-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher <ctubb...@apache.org>
Subject Automated ASF GPG signing
Date Thu, 25 Feb 2016 18:47:52 GMT
I'm not sure where exactly this discussion should fit, but I know people
have brought up questions about ASF-wide signing of artifacts before, so
I'll just mention it on this list.

Fedora infrastructure has built a project called sigul:
https://fedorahosted.org/sigul/
which they use as part of their infrastructure to automate signing of RPMs
and ISOs and such.

ASF could set up a similar service for ASF-wide release signing.

This particular project looks like it has a GPL2 license on it, and I'm not
sure what the policy is for Fedora infrastructure, but for Fedora
packagers, contributions (under their ICLA) are MIT, so it's possible that
if we wanted to use this, and provide ASF-wide release signing, the Fedora
community would be willing to re-license under MIT if that were necessary
for us to consider using it.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message