mxnet-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Naveen Swamy <mnnav...@gmail.com>
Subject Storing PGP Key for Publishing packages
Date Wed, 17 Oct 2018 20:29:18 GMT
I am collaborating with Zach Kimberg and Qing to work on automatic (
currently its very tedious and time consuming) publishing the MXNet-Scala
maven package to Apache Snapshot repo(either as nightly or weekly), for
publishing the package the artifacts need to be signed with a committer's
key, however Zach found Apache seems to strictly advise against storing the
PGP Keys, so I suggested to look at what Spark is doing and he found that
they are releasing to Apache Snapshots as a nightly job so they got to be
storing the credentials on the host.
I am looking for advise from Mentors on how to proceed with this?

One option(not preferable) is to publish to a private Repo or an S3 bucket
and only during the release and the keys continue to remain in the
committers control.

-- Advise on PGP Key storage on Apache website--


“It is recommended that you create a PGP key for your apache.org address
now (or add that address to an existing key, if you have one). *DO NOT* create
this key on any machine to which multiple users have access and *DO NOT*,
ever, copy your private key to any other shared machine. Release managers
need to take particular care of keys used to sign releases
<https://www.apache.org/dev/release-signing.html#private-key-protection>.“ (
https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
)

“Strictly speaking, releases must be *verified
<https://svn.apache.org/repos/private/committers/tools/releases/compare_dirs.pl>*
on
hardware owned and controlled by the committer. That means hardware the
committer has physical possession and control of and exclusively full
administrative/superuser access to. That's because only such hardware is
qualified to hold a PGP private key, and the release should be verified on
the machine the private key lives on or on a machine as trusted as that.” (
https://www.apache.org/legal/release-policy.html#release-signing)

 ---


Thanks, Naveen

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message