From Stefan <luke1...@gmx.de>
Subject pgp keys for signing releases
Date Wed, 27 Apr 2016 23:14:56 GMT
Hi,

finishing up the creation of my apache key for signing SVN releases I 
ran into some details in the docs which seem to be outdated/unclear to me:

The SVN community-guide [1] states:
"Members of the PMC, as well as enthusiastic community members are 
encouraged to download the tarballs from the preliminary distribution 
location, run the tests, and then provide their signatures. The public 
keys for these signatures should be included in the ASF LDAP instance 
through id.apache.org <https://id.apache.org/>. (A list of the current 
public keys <https://people.apache.org/keys/group/subversion-pmc.asc> 
for members of the Subversion PMC is autogenerated from LDAP each day.)"

1. on id.apache.org I seem to only be able to specify the fingerprint of 
my key, but I can't find a way to upload the complete public key. Is 
this outdated? Is the process now picking up the key from the public 
keyservers based on the fingerprint I enter there?
2. The link to the "current public keys" gives me a 404. I take it 
this one is the correct/new link (taken from releases.py): 
https://people.apache.org/keys/group/subversion.asc
3. If the new link I mention in no. 2 is right, does the absence of the 
"-pmc" in the filename mean that that file now contains all keys from 
all contributors (including the partial contributors) instead of only 
the ones from the PMC, and hence my key will be added automatically too 
without me having to do anything else?

On the other hand the Apache release signing documentation [2] states:
"The KEYS file is stored alongside the release archives to which it 
applies, e.g. at the top level of the ASF mirror area for the project. 
This is to ensure that it is available for download by users, and that 
it is automatically archived with historic releases.
[...]
*Note:* this system will be replaced by a better process in the near 
future. In preparation, please ensure that public keys are connected as 
strongly as possible to the Apache web of trust 
<http://www.apache.org/dev/release-signing.html#web-of-trust> and are 
available from the major public key servers 
<http://www.apache.org/dev/release-signing.html#keyserver>."

4. Am I right in assuming that this process already took place and the 
reference to having to manually add my public key to the KEYS file is 
therefore obsolete? If not, where is the file located for the Subversion 
project? I didn't find it on dist/subversion and failed to locate it on 
subversion/trunk.

While writing this mail, I see that there's [3] now a list of 
(presumably) all Apache committers and my key is also listed there. So I 
take it that everything worked and all the other steps I read in the 
documentation are indeed no longer required, no?

Regards,
Stefan

[1] 
https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
[2] http://www.apache.org/dev/release-signing.html#keys-policy
[3] https://people.apache.org/keys/committer/
