httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Fwd: DO NOT REPLY [Bug 51679] New: Code signature key expired
Date Thu, 18 Aug 2011 19:19:07 GMT
On 8/18/2011 10:29 AM, Eric Covener wrote:
> CHANGES says that currently nothing is backported to 2.2.x since
> 2.2.19 -- should we burn a release # to replace?  Can the existing
> release be re-signed in-place?

Hmmm... although I'm happy to re-sign, this is a flaw in gpg; the sig
was valid at the time the artifact was signed.  The same is true for
a vast number of artifacts at archive.apache.org/dist/

If we are treating this flaw in gpg as valid, we should probably set
up a policy of using keys that won't expire for 'X' period of time
following the release.

But IMHO, the underlying complaint is not legitimate.

Mime
View raw message