hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <ste...@hortonworks.com>
Subject Re: [VOTE] Release Apache Hadoop 2.8.0 (RC2)
Date Mon, 20 Mar 2017 12:30:14 GMT

> On 15 Mar 2017, at 21:06, Eric Badger <ebadger@yahoo-inc.com> wrote:
> 
> Verified signatures
>  - Minor note: Junping, I had a hard time finding your key. I grabbed the keys for hadoop
from
> http://home.apache.org/keys/group/hadoop.asc <http://home.apache.org/keys/group/hadoop.asc>
and you had a key there, but it wasn't the one that you signed this commit with. Then with
some help from Jason I found the correct key at
> https://dist.apache.org/repos/dist/release/hadoop/common/KEYS <https://dist.apache.org/repos/dist/release/hadoop/common/KEYS>.
So it would be nice if those were in sync.
> Compiled from source
> Deployed pseudo-distributed cluster
> Ran some sample MR jobs


we need to do more key signing; the stuff in the various KEYS files have aged

Alll ASF Committers can publish their ASF keys:

https://people.apache.org/keys/committer/ <https://people.apache.org/keys/committer/>

which you can retrieve on a committer-by-committer basis :

junping https://people.apache.org/keys/committer/junping_du.asc <https://people.apache.org/keys/committer/junping_du.asc>
me: https://people.apache.org/keys/committer/stevel.asc <https://people.apache.org/keys/committer/stevel.asc>

Committers should log in to https://id.apache.org/ <https://id.apache.org/> and set
them.

Maybe that committer page should just be declared as the reference place to find keys; It
bootstraps off the ASF HTTPS certificate for trusted D/L, and relies on login credentials
being kept secure. But if not, well, people can publish code under your login, so signing
is the least concern.

-Steve

Mime
View raw message