incubator-general mailing list archives

From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: [VOTE] Release Apache Beam, version 0.1.0-incubating
Date Mon, 13 Jun 2016 19:17:12 GMT

Hi Marvin,

thanks for the feedback. I will push the KEYS on dist.a.o.

Regards
JB

On 06/13/2016 09:08 PM, Marvin Humphrey wrote:
> On Mon, Jun 13, 2016 at 11:37 AM, Julian Hyde <jhyde@apache.org> wrote:
>
>> 2. It’s customary (required?) for there to be a KEYS file in
>> https://dist.apache.org/repos/dist/dev/incubator/beam/. Maybe include it
>> next release?
>
> The KEYS file is required, by Release Distribution Policy.
>
>    http://www.apache.org/dev/release-distribution#sigs-and-sums
>
>    Projects MUST publish a "KEYS" file in their distribution directory which
>    contains all public keys used to sign artifacts.
>
>    Signing keys used at Apache MUST be published in the KEYS file and SHOULD be
>    made available through the global public keyserver network. [...]
>
> Since the KEYS file is not part of the artifacts being voted on, there's no
> reason to wait to resolve this issue by committing the keys file to the
> following location:
>
>    https://dist.apache.org/repos/dist/release/incubator/beam/KEYS
>
>> But I imported
>> https://github.com/apache/incubator-beam/blob/v0.1.0-incubating-RC3/KEYS
>> easily enough.
>
> Bundling PGP keys inside a package is worse than worthless -- an attacker can
> just bundle spoofed keys with a bogus distro!  Keys need to be made available
> from a highly reliable, separate server: Download the main package from a
> mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
>
> The KEYS file within the Beam source tree should be deleted.
>
> (This doesn't block the release.)
>
> Marvin Humphrey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
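
Added example, not part of the original messages and not Apache or Beam code: a sketch of why the quoted reply calls keys bundled inside a package worthless for verification. It assumes a toy textbook-RSA signature as a stand-in for PGP; the keys, payloads and all function names are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Toy textbook-RSA key from two primes: returns (public n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, n, d):
    return pow(digest(data, n), d, n)


def verify(data, sig, trusted_keys):
    """True if sig over data checks out under any public key in trusted_keys."""
    return any(pow(sig, E, n) == digest(data, n) for n in trusted_keys)


# Constructed keys built from Mersenne primes; far too small for real use.
PROJECT_N, PROJECT_D = make_key(2**61 - 1, 2**89 - 1)
ATTACKER_N, ATTACKER_D = make_key(2**107 - 1, 2**127 - 1)

# What the project publishes on its own server, separate from the mirrors.
KEYS_FROM_PROJECT_SERVER = [PROJECT_N]


def release(payload, n, d, bundled_keys):
    """A download as a mirror serves it: payload, signature, in-tree KEYS."""
    return {"payload": payload, "sig": sign(payload, n, d),
            "bundled_keys": bundled_keys}


genuine = release(b"release source", PROJECT_N, PROJECT_D, [PROJECT_N])
# A bogus distro replaces payload, signature and bundled KEYS together.
spoofed = release(b"bogus distro", ATTACKER_N, ATTACKER_D, [ATTACKER_N])


def check_with_bundled_keys(pkg):
    # Trust anchor comes from the same download that is being checked.
    return verify(pkg["payload"], pkg["sig"], pkg["bundled_keys"])


def check_with_separate_keys(pkg):
    # Trust anchor comes from a channel the mirror does not control.
    return verify(pkg["payload"], pkg["sig"], KEYS_FROM_PROJECT_SERVER)
```

The bundled-keys check accepts both packages, so it cannot tell them apart; only the check against separately obtained keys rejects the spoofed one.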
