lucene-dev mailing list archives

From Grant Ingersoll
Subject Re: KEYS file
Date Mon, 23 Nov 2009 00:33:12 GMT

On Nov 22, 2009, at 5:27 PM, Uwe Schindler wrote:

> We created new keys during the key-signing at ApacheCon and lots of
> committers upgraded to 4096. Mine is new and 4096 bit and also simonw and
> rmuir got new ones (now appearing in KEYS file).
> Grant *replaced* his key in the KEYS file, but if Grant signed an older
> release on the Apache mirrors, it cannot be verified.

My key should contain both my old one and my new one, so it should
still be all right. Also, the KEYS file is versioned, so someone can
just get the rev from back then. KEYS should be packaged in the
release, if they aren't already.

> Should I revert the replacement and add the old and new pub key of Grant
> again before I publish the file? See also the code signing docs of Apache,
> there you find the hint "...keep all former keys available, even if you get
> new keys..."

