reef-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mariia Mykhailova (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (REEF-1021) Spurious file in https://dist.apache.org/repos/dist/release/incubator/reef/
Date Tue, 01 Dec 2015 01:01:18 GMT

    [ https://issues.apache.org/jira/browse/REEF-1021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15032830#comment-15032830
] 

Mariia Mykhailova commented on REEF-1021:
-----------------------------------------

The script itself was added before any of us were release managers, I think. It might have
been an utility to simplify first-time setup of KEYS file in that folder.

{noformat}
C:\reef-dist-release\reef> svn log .\download-keys.sh
------------------------------------------------------------------------
r6171 | omalley | 2014-08-14 14:35:58 -0700 (Thu, 14 Aug 2014) | 2 lines

Adding reef KEYS
{noformat}

Our release management guide doesn't rely on {{https://people.apache.org/keys/group/reef.asc}}
in any way, all KEYS instructions in it are related to proper file at https://dist.apache.org/repos/dist/release/incubator/reef/KEYS
(and its twin at https://dist.apache.org/repos/dist/dev/incubator/reef/KEYS). So it should
be safe to delete {{download-keys.sh}}.

> Spurious file in https://dist.apache.org/repos/dist/release/incubator/reef/
> ---------------------------------------------------------------------------
>
>                 Key: REEF-1021
>                 URL: https://issues.apache.org/jira/browse/REEF-1021
>             Project: REEF
>          Issue Type: Bug
>         Environment: https://dist.apache.org/repos/dist/release/incubator/reef/
>            Reporter: Sebb
>
> The directory https://dist.apache.org/repos/dist/release/incubator/reef/ contains the
file:
> download-keys.sh
> This does not belong on the ASF mirror system.
> Also the script is not suitable for downloading KEYS.
> The file https://people.apache.org/keys/group/reef.asc is not guaranteed to contain all
the keys needed to validate a signature, because the file only contains the current keys for
the current members of the PPMC. However the KEYS file is also used for checking archived
releases so must contain all keys that have ever been used to sign a release.
> Please remove the script file, and ensure that the KEYS file contains all the keys for
every ASF release that has been made. Entries should never be dropped from KEYS files if they
have been used to sign a release.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message