incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Correct process for signing keys?
Date Sun, 02 Jun 2013 15:26:45 GMT
@Christian

The other advantage of the people list is that it is automatically updated from the federation
of PGP key servers so it reflects the latest "web of trust" and also, I presume, any revocation.
 

In some cases, PMC wide is a bit too generous though.  I think the release manager's Apache
ID is better, using <https://people.apache.org/keys/<id>.asc>.  This is probably
more confidence-inspiring that the web of trust itself for those who do not participate in
Apache projects and don't know who those folks who've counter-signed the certificate happen
to be.  In that case, the lock to an ASF committer is valuable.  (It is unfortunate that committers
and especially release managers are often not visible by their <id>@apache.org, thus
providing even more confidence in the connection for observers.)

 - Dennis

PS: I notice I just did the thing I'm complaining about.  But I don't think orcmid@ a.o is
subscribed to this list [;<).

-----Original Message-----
From: Christian Grobmeier [mailto:grobmeier@gmail.com] 
Sent: Sunday, June 2, 2013 01:24 AM
To: general@incubator.apache.org
Subject: Re: Correct process for signing keys?

Hi Andrew,

here are some basic docs:

http://www.apache.org/dev/release-signing.html
http://www.apache.org/dev/openpgp.html#update

I could not find information on your specific question. At log4php we were
curious recently about the same and decided to go with this:
http://www.apache.org/dist/logging/log4php/KEYS

But we made sure it would match this:
https://people.apache.org/keys/group/logging-pmc.asc

Basically my understanding is the one from people would be fine alone.
There is some danger people would take the KEYS file from a mirror which is
to my knowledge not possible from people.

My 2 cents- hopefully somebody with more knowledge on that matter (infra)
can add a note.

Cheers



On Thu, May 30, 2013 at 10:44 PM, Andrew Phillips <andrewp@apache.org>wrote:

> Hi all
>
> Apologies in advance if this is not the correct audience for this
> question: what is the correct process now for publishing signing keys for
> releases? jclouds currently has a KEYS file [1]; there is another
> (different) file containing keys in the groups list [2] on people.apache,
> and most individual committers *also* have their personal keys
> automatically retrieved via people.apache (e.g. [3]).
>
> In an email thread on this topic Brian (McCallister) indicated that:
>
>  Upon investigation, if release signing keys are published via
>> https://people.apache.org/**keys/ <https://people.apache.org/keys/> then
>> we don't need a KEYS file and should remove it.
>>
>> -Brian
>>
>
> In that case, I'd be grateful if you could give some guidance on what the
> validity of the other approaches (KEYS file published somewhere or group
> KEYS file) is, and what we should do with those files, if anything.
>
> Thanks!
>
>
> Andrew
>
> [1] http://www.apache.org/dist/**incubator/jclouds/KEYS<http://www.apache.org/dist/incubator/jclouds/KEYS>
> [2] https://people.apache.org/**keys/group/jclouds.asc<https://people.apache.org/keys/group/jclouds.asc>
> [3] https://people.apache.org/**keys/committer/andrewp.asc<https://people.apache.org/keys/committer/andrewp.asc>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: general-unsubscribe@incubator.**apache.org<general-unsubscribe@incubator.apache.org>
> For additional commands, e-mail: general-help@incubator.apache.**org<general-help@incubator.apache.org>
>
>


-- 
http://www.grobmeier.de
https://www.timeandbill.de


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message