incubator-general mailing list archives

From "robert burrell donkin" <robertburrelldon...@gmail.com>
Subject Re: Write-up on release signing/verification
Date Tue, 30 Jan 2007 13:18:20 GMT
On 1/30/07, Ted Husted <husted@apache.org> wrote:
> If it's helpful, the notes we are using for the Struts 2 release under
> Maven are here:
>
> * http://struts.apache.org/2.x/docs/creating-and-signing-a-distribution.html
>
> They are very specific, mainly because I'm getting on in years, and if
> we don't have specific notes, I forget how to do things :)

cool :-)

the problem with creating specific notes for the apache site is that
they may contain stuff that some consider bad practice. for example, i
have major issues with the standard maven advice (which is to give the
passphrase on the command line) and would consider -1 any attempt
to add that to the apache site. you *really* shouldn't be doing that
with any primary apache code signing key.

if you're going to use maven, i'd recommend dual signing: once with a
limited subkey and then adding a second secure key using the primary
code signing key store on removable media and signed from a live CD.

- robert
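
The exposure the message above objects to, as an added example that is not part of the original e-mail: a passphrase given as a command-line argument is recorded in shell history and visible in the process list. The sketch below audits command lines for it, assuming the maven-gpg-plugin property `-Dgpg.passphrase` and GnuPG's `--passphrase` option; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): flag command lines that
# carry a signing passphrase as an argument, and redact the secret in the
# report so the audit output does not leak it a second time.

# Matches -Dgpg.passphrase=VALUE and --passphrase VALUE / --passphrase=VALUE.
# VALUE may be double-quoted, single-quoted, or a bare word.
# --passphrase-fd and --passphrase-file do not match: no secret in argv.
PATTERN="(-Dgpg\\.passphrase=|--passphrase[= ])(\"[^\"]*\"|'[^']*'|[^[:space:]]+)"

# Reads command lines on stdin (e.g. a shell history file, or the output
# of `ps -eo args`) and prints only the offending lines, redacted.
find_passphrase_args() {
    sed -E -n "s/$PATTERN/\\1<redacted>/gp"
}

# Number of offending lines on stdin.
count_passphrase_args() {
    find_passphrase_args | wc -l | tr -d '[:space:]'
}

# Constructed sample input standing in for a release manager's history.
sample_history() {
    cat <<'EOF'
mvn release:perform -Dgpg.passphrase=hunter2-sample
gpg --batch --passphrase "sample pass phrase" --detach-sign dist.tar.gz
gpg --armor --detach-sign dist.tar.gz
gpg --batch --passphrase-fd 0 --detach-sign dist.tar.gz
mvn clean install
EOF
}

# Stand-alone run: report the exposures found in the sample.
sample_history | find_passphrase_args
```

To audit a real account, feed the function a history file or a process listing instead of the sample, for instance `find_passphrase_args < ~/.bash_history`.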
