incubator-general mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
Date Wed, 01 May 2013 22:26:56 GMT
Four suggestions:

 1. Add a UID having your Apache ID, randgalt@ apache.org, in that PGP public-key certificate. You can indicate that it is your preference for code signing, if you desire.

 2. Log into your randgalt@ a.o profile at <https://id.apache.org/> and provide the fingerprint of your key as part of your profile.  This will accomplish two things: (1) It establishes that the fingerprint was provided by someone having the ASF credentials for randgalt@ a.o; (2) it causes the public key to be added to a secure location as file <https://people.apache.org/keys/committer/randgalt.asc>. That file is regularly synchronized with PGP key services and confirms that it is the key provided by randgalt@ in step (1) and also reflects (web-of-trust) certifications of that key by others as well as any revocation if that becomes necessary.

 3. BONUS RECOMMENDATION.  Do not put a copy of the public key in the repository.  Instead, put a link to <https://people.apache.org/keys/committer/randgalt.asc> there, if desired. If it is in a file called KEYS, update the instructions to refer to the locations in the committer keys folder.  (If there will be many release managers and signers in the future, you can instead instruct users to obtain all Curator committer keys from <https://people.apache.org/keys/group/curator.asc> once Curator becomes an ASF top-level project.)

 4. GRAND PRIZE RECOMMENDATION.  For all external signatures that you create, add to the ASCII-armored signature text (outside of the armor) a link to <https://people.apache.org/keys/committer/randgalt.asc>.

The idea is to use access to your Apache profile as an additional factor beyond your self-signing of the certificate and any web-of-trust certifications of your certificate.  It also lets those non-ASF folk who desire to verify signatures know whose signature the verification is expected to confirm and that the signer is an ASF committer.

 - Dennis
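
The following Python is an added example, not part of the original message and not ASF tooling. It shows the verifier's side of suggestion 4: read a detached `.asc` signature file, take the text outside the armor, and accept a key link only if it is an HTTPS URL under the people.apache.org committer or group key folders named above. The ID character set and the sample signature body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"
# Assumption: Apache IDs and group names use lowercase letters, digits, '-' or '_'.
KEY_PATH = re.compile(r"^/keys/(committer|group)/([a-z0-9_-]+)\.asc$")
URL = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the armor body is a placeholder, not a real signature.
SAMPLE = """\
Signer's key: <https://people.apache.org/keys/committer/randgalt.asc>
-----BEGIN PGP SIGNATURE-----

cGxhY2Vob2xkZXI=
=AAAA
-----END PGP SIGNATURE-----
"""


def text_outside_armor(text):
    """Return the lines before and after the single signature armor block."""
    lines = text.splitlines()
    marks = [line.strip() for line in lines]
    if (marks.count(BEGIN) != 1 or marks.count(END) != 1
            or marks.index(END) < marks.index(BEGIN)):
        raise ValueError("expected exactly one PGP SIGNATURE armor block")
    start, end = marks.index(BEGIN), marks.index(END)
    return "\n".join(lines[:start] + lines[end + 1:])


def key_hint(text):
    """Return (kind, name, url) for the key link outside the armor, or None."""
    hints = set()
    for raw in URL.findall(text_outside_armor(text)):
        url = raw.rstrip(".,;)")
        parts = urlsplit(url)
        match = KEY_PATH.match(parts.path)
        # An exact netloc comparison rejects userinfo tricks and odd ports.
        if (parts.scheme == "https" and parts.netloc == "people.apache.org"
                and match and not parts.query and not parts.fragment):
            hints.add((match.group(1), match.group(2), url))
    if len(hints) > 1:
        raise ValueError("conflicting key links outside the armor")
    return hints.pop() if hints else None
```

Text outside the armor is not covered by the signature, so the returned URL only says where to fetch the key over HTTPS; the signature still has to verify against the key found there.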

 
-----Original Message-----
From: Jordan Zimmerman [mailto:jordan@jordanzimmerman.com] 
Sent: Wednesday, May 01, 2013 13:39
To: general@incubator.apache.org
Subject: Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)

That was (yet another) misunderstanding on my part. The KEYS are now in the standard (?) location:

http://www.apache.org/dist/incubator/curator/KEYS

On May 1, 2013, at 1:32 PM, Marvin Humphrey <marvin@rectangular.com> wrote:

> On Wed, May 1, 2013 at 1:07 PM, David Nalley <david@gnsa.us> wrote:
>> While we are at it, a link to your project's KEYS file would be
>> helpful as well.
> 
> Just unzip the archive. ;)
> 
> Curator folks, please find another way to distribute the KEYS file.
> Distributing it embedded in the source archive is worthless at best.
> 
> Marvin Humphrey
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 


