incubator-general mailing list archives

From Robert Burrell Donkin <robertburrelldon...@gmail.com>
Subject Re: KEYS and releases
Date Thu, 30 Jun 2011 07:31:38 GMT
On Tue, Jun 28, 2011 at 10:20 AM, Christian Grobmeier
<grobmeier@gmail.com> wrote:
>>> we copy a KEYS file into that directory upon successful VOTE of the release
>>> artifacts (which also include the KEYS file).
>>
>> Perhaps, but the point we're getting at was explicitly stated by Benson,
>> "The goal here is to allow and encourage consumers to independently verify
>> signatures.  That calls for KEYS somewhere else than inside the package."
>
> I am sorry to ask it again, but why can't the incubator have a policy
> to make people use:
> https://id.apache.org/
> to store their signing key.
>
> Then we have them listed for each project there:
> https://people.apache.org/keys/
>
> Was it not meant that way?

AIUI this infrastructure is relatively new and intended to add defense-in-depth

IMHO the IPMC should only document (any volunteers?) a strong
recommendation but leave policy in this area to the experts over in
infrastructure

Robert
