mxnet-dev mailing list archives

From Naveen Swamy <>
Subject Storing PGP Key for Publishing packages
Date Wed, 17 Oct 2018 20:29:18 GMT
I am collaborating with Zach Kimberg and Qing to work on automating the publishing of the MXNet-Scala Maven package to the Apache Snapshot repo (either as nightly or weekly); currently it is very tedious and time consuming. For publishing the package, the artifacts need to be signed with a committer's key; however, Zach found that Apache seems to strictly advise against storing the PGP keys, so I suggested looking at what Spark is doing, and he found that they are releasing to Apache Snapshots as a nightly job, so they have got to be storing the credentials on the host.
I am looking for advice from Mentors on how to proceed with this.

One option (not preferable) is to publish to a private repo or an S3 bucket, and only during the release, so that the keys continue to remain in the committers' control.

-- Advice on PGP key storage on the Apache website --

“It is recommended that you create a PGP key for your address now (or add that address to an existing key, if you have one). *DO NOT* create this key on any machine to which multiple users have access and *DO NOT*, ever, copy your private key to any other shared machine. Release managers need to take particular care of keys used to sign releases.”

“Strictly speaking, releases must be *verified on* hardware owned and controlled by the committer. That means hardware the committer has physical possession and control of and exclusively full administrative/superuser access to. That's because only such hardware is qualified to hold a PGP private key, and the release should be verified on the machine the private key lives on or on a machine as trusted as that.”


Thanks, Naveen
