subversion-dev mailing list archives

From Stefan Hett <>
Subject Re: pgp keys for signing releases
Date Thu, 28 Apr 2016 10:49:02 GMT
> Not entirely sure, but I think you should still publish your pgp key 
> to the major key stores. Once you put your fingerprint on 
>, it knows how to fetch your key from there.
Yep did that and it seems to have worked. So I take it I'm all fine 
here. :-)
> *From: *Stefan <>
> *Sent: *donderdag 28 april 2016 01:15
> *To: * <>
> *Subject: *pgp keys for signing releases
> Hi,
> finishing up the creation of my apache key for signing SVN releases I 
> ran into some details in the docs which seem to be outdated/unclear to me:
> The SVN community-guide [1] states:
> "Members of the PMC, as well as enthusiastic community members are 
> encouraged to download the tarballs from the preliminary distribution 
> location, run the tests, and then provide their signatures. The public 
> keys for these signatures should be included in the ASF LDAP instance 
> through <>. (A list of the current 
> public keys <> 
> for members of the Subversion PMC is autogenerated from LDAP each day.)"
> 1. on I seem to only be able to specify the fingerprint 
> of my key, but I can't find a way to upload the complete public key. 
> Is this outdated? Is the process now picking up the key from the 
> public keyservers based on the fingerprint I enter there?
> 2. The link to the "current public keys" causes a 404 to me. I take it 
> this one is the correct/new link (taken from 
> 3. If the new link I mention in no 2 is right, does the absence of the 
> "-pmc" in the filename mean that that file contains now all keys from 
> all contributors (including the partial contributors) instead of only 
> the ones from the PMC and hence my key will be added automatically too 
> without me having to do anything else?
> On the other hand the Apache release signing documentation [2] states:
> "The KEYS file is stored alongside the release archives to which it 
> applies, e.g. at the top level of the ASF mirror area for the project. 
> This is to ensure that it is available for download by users, and that 
> it is automatically archived with historic releases.
> [...]
> *Note:* this system will be replaced by a better process in the near 
> future. In preparation, please ensure that public keys are connected 
> as strongly as possible to the Apache web of trust 
> <> and are 
> available from the major public key servers 
> <>."
> 4. Am I assuming right that this process already took place and the 
> reference of having to manually add my public key to the KEYS file is 
> therefore obsolete? If not, where is the file located for the 
> Subversion project. I didn't find it on dist/subversion and failed to 
> locate it on subversion/trunk.
> While writing this mail, I see that there's [3] now a list of 
> (presumably) all Apache committers and my key is also listed there. So 
> I take it that everything worked and all the other steps I read on the 
> documentation are no longer required indeed, no?
> Regards,
> Stefan
> [1] 
> [2]
> [3]
Stefan Hett
