incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Humphrey <mar...@rectangular.com>
Subject Re: [VOTE] Release Apache Beam, version 0.1.0-incubating
Date Mon, 13 Jun 2016 19:08:29 GMT
On Mon, Jun 13, 2016 at 11:37 AM, Julian Hyde <jhyde@apache.org> wrote:

> 2. It’s customary (required?) for there to be a KEYS file in
> https://dist.apache.org/repos/dist/dev/incubator/beam/
> <https://dist.apache.org/repos/dist/dev/incubator/beam/>. Maybe include it
> next release?

The KEYS file is required, by Release Distribution Policy.

  http://www.apache.org/dev/release-distribution#sigs-and-sums

  Projects MUST publish a "KEYS" file in their distribution directory which
  contains all public keys used to sign artifacts.

  Signing keys used at Apache MUST be published in the KEYS file and SHOULD be
  made available through the global public keyserver network. [...]

Since the KEYS file is not part of the artifacts being voted on, there's no
reason to wait to resolve this issue by committing the keys file to the
following location:

  https://dist.apache.org/repos/dist/release/incubator/beam/KEYS

> But I imported
> https://github.com/apache/incubator-beam/blob/v0.1.0-incubating-RC3/KEYS
> <https://github.com/apache/incubator-beam/blob/v0.1.0-incubating-RC3/KEYS>
> easily enough.

Bundling PGP keys inside a package is worse than worthless -- an attacker can
just bundle spoofed keys with a bogus distro!  Keys need to be made available
from a highly reliable, separate server: Download the main package from a
mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.

The KEYS file within the Beam source tree should be deleted.

(This doesn't block the release.)

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message