incubator-general mailing list archives

From: Marvin Humphrey <mar...@rectangular.com>
Subject: Re: [VOTE] Release Apache Kylin-1.0-incubating
Date: Thu, 03 Sep 2015 21:47:17 GMT

On Thu, Sep 3, 2015 at 12:17 PM, P. Taylor Goetz <ptgoetz@gmail.com> wrote:
> Notes:
> * The key used to sign the release has not been signed by anyone else
> @apache.org, so is not in the Apache web of trust [1]. I’d encourage Kylin
> release manager(s) to exchange public keys with others in the Apache
> community.

+1, but anybody who reviews the release also has the option of signing it
themselves -- and if any of the other signers are linked into the web of
trust, problem solved.

    http://www.apache.org/dev/release#what-must-every-release-contain

    Folks who vote +1 for release may offer their own cryptographic signature
    to be concatenated with the detached signature file (at the Release
    Manager's discretion) prior to release.

Here's an example from the Subversion folks:

    http://archive.apache.org/dist/subversion/subversion-1.9.1.tar.gz.asc

They handle the mechanics by appending their sig to the local .asc file and
then committing to the release candidate dir on dist.apache.org.

I've occasionally thought that this would be a nice (optional) custom for the
Incubator to adopt, because we often have Release Managers who are not yet
tied into the web of trust and because it presents an opportunity to impart
knowledge during the release thread.

Marvin Humphrey
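
The concatenated `.asc` file described in this message, as an added example (not part of the original email, and not Apache or Subversion tooling): Python code that splits such a file into its armored signature blocks and lists the issuer key ID each block claims. The sample signatures and key IDs are constructed, and the parser is assumed to see only old-format packet headers and one-octet subpacket lengths.

```python
import base64, re
ARMOR = re.compile(r"-----BEGIN PGP SIGNATURE-----\n(.*?)\n-----END PGP SIGNATURE-----", re.S)

def split_signatures(asc_text):
    """Decode each armored block of a concatenated .asc (CRC line skipped, not checked)."""
    blocks = []
    for body in ARMOR.findall(asc_text.replace("\r\n", "\n")):
        lines = body.split("\n\n", 1)[-1].split()  # drop armor headers such as Version:
        blocks.append(base64.b64decode("".join(l for l in lines if not l.startswith("="))))
    return blocks

def subpackets(area):
    """Yield (type, data) per signature subpacket; one-octet lengths (< 192) only."""
    pos = 0
    while pos < len(area):
        if area[pos] >= 192:
            raise ValueError("multi-octet subpacket length not handled")
        yield area[pos + 1] & 0x7F, area[pos + 2 : pos + 1 + area[pos]]
        pos += 1 + area[pos]

def claimed_signers(asc_text):
    """Issuer key IDs (subpacket type 16) of every v4 signature packet in the file."""
    ids = []
    for packets in split_signatures(asc_text):
        pos = 0
        while pos < len(packets):
            tag, nlen = packets[pos], {0: 1, 1: 2, 2: 4}.get(packets[pos] & 3)
            if tag & 0xC0 != 0x80 or nlen is None:
                raise ValueError("only old-format packet headers handled")
            start = pos + 1 + nlen
            body_end = start + int.from_bytes(packets[pos + 1 : start], "big")
            body, pos = packets[start:body_end], body_end
            if (tag >> 2) & 0x0F == 2 and body[:1] == b"\x04":
                split = 6 + int.from_bytes(body[4:6], "big")  # end of hashed area
                unhashed_end = split + 2 + int.from_bytes(body[split : split + 2], "big")
                for area in (body[6:split], body[split + 2 : unhashed_end]):
                    ids += [d.hex().upper() for t, d in subpackets(area) if t == 16]
    return ids

def constructed_sig(key_id_hex):
    """Constructed, cryptographically meaningless armored v4 signature packet."""
    issuer = bytes([9, 16]) + bytes.fromhex(key_id_hex)  # subpacket length 9, type 16
    body = bytes([4, 0, 1, 8, 0, 0, 0, len(issuer)]) + issuer + b"\x00\x00\x00\x01\x01"
    packet = bytes([0x89]) + len(body).to_bytes(2, "big") + body
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP SIGNATURE-----\n")

# Constructed key IDs: a release manager's signature with a voter's appended after it.
SAMPLE_ASC = constructed_sig("1111222233334444") + constructed_sig("AAAABBBBCCCCDDDD")
```

The issuer key ID is only a claim carried inside the signature packet; running `gpg --verify` against the release artifact is what actually checks each signature.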
