subversion-dev mailing list archives

From Stefan Hett <ste...@egosoft.com>
Subject Re: pgp keys for signing releases
Date Thu, 28 Apr 2016 10:49:02 GMT
Hi,
>
> Not entirely sure, but I think you should still publish your pgp key 
> to the major key stores. Once you put your fingerprint on 
> id.apache.org, it knows how to fetch your key from there.
>
Yep did that and it seems to have worked. So I take it I'm all fine 
here. :-)
>
> *From: *Stefan <mailto:luke1410@gmx.de>
> *Sent: *donderdag 28 april 2016 01:15
> *To: *dev@subversion.apache.org <mailto:dev@subversion.apache.org>
> *Subject: *pgp keys for signing releases
>
> Hi,
>
> finishing up the creation of my apache key for signing SVN releases I 
> ran into some details in the docs which seem to be outdated/unclear to me:
>
> The SVN community-guide [1] states:
> "Members of the PMC, as well as enthusiastic community members are 
> encouraged to download the tarballs from the preliminary distribution 
> location, run the tests, and then provide their signatures. The public 
> keys for these signatures should be included in the ASF LDAP instance 
> through id.apache.org <https://id.apache.org/>. (A list of the current 
> public keys <https://people.apache.org/keys/group/subversion-pmc.asc> 
> for members of the Subversion PMC is autogenerated from LDAP each day.)"
>
> 1. on id.apache.org I seem to only be able to specify the fingerprint 
> of my key, but I can't find a way to upload the complete public key. 
> Is this outdated? Is the process now picking up the key from the 
> public keyservers based on the fingerprint I enter there?
> 2. The link to the "current public keys" causes a 404 for me. I take it 
> this one is the correct/new link (taken from releases.py): 
> https://people.apache.org/keys/group/subversion.asc
> 3. If the new link I mention in no 2 is right, does the absence of the 
> "-pmc" in the filename mean that that file now contains all keys from 
> all contributors (including the partial contributors) instead of only 
> the ones from the PMC and hence my key will be added automatically too 
> without me having to do anything else?
>
> On the other hand the Apache release signing documentation [2] states:
> "The KEYS file is stored alongside the release archives to which it 
> applies, e.g. at the top level of the ASF mirror area for the project. 
> This is to ensure that it is available for download by users, and that 
> it is automatically archived with historic releases.
> [...]
> *Note:* this system will be replaced by a better process in the near 
> future. In preparation, please ensure that public keys are connected 
> as strongly as possible to the Apache web of trust 
> <http://www.apache.org/dev/release-signing.html#web-of-trust> and are 
> available from the major public key servers 
> <http://www.apache.org/dev/release-signing.html#keyserver>."
>
> 4. Am I assuming right that this process already took place and the 
> reference of having to manually add my public key to the KEYS file is 
> therefore obsolete? If not, where is the file located for the 
> Subversion project. I didn't find it on dist/subversion and failed to 
> locate it on subversion/trunk.
>
> While writing this mail, I see that there's [3] now a list of 
> (presumably) all Apache committers and my key is also listed there. So 
> I take it that everything worked and all the other steps I read on the 
> documentation are no longer required indeed, no?
>
> Regards,
> Stefan
>
> [1] 
> https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
> [2] http://www.apache.org/dev/release-signing.html#keys-policy
> [3] https://people.apache.org/keys/committer/
>
-- 
Regards,
Stefan Hett
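
The round trip that the KEYS file and the id.apache.org fingerprint exist for, as an added shell example that is not part of the original mail or of the Subversion/ASF tooling: a signer generates a key, detach-signs a tarball, exports the public key into a KEYS file and records the fingerprint; a user imports KEYS into an empty keyring, verifies the signature, and checks that the key which produced it has the published fingerprint. It assumes GnuPG 2.1 or later and mktemp are on PATH; the user ID "Example RM <rm@example.invalid>", the file names and the tarball contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mail or from the ASF/Subversion project.
# Assumes GnuPG 2.1+ and mktemp. Every key, user ID and file here is constructed.
set -e

# Run gpg against a given keyring directory without ever opening a pinentry.
gpg_in() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Signer side: writes tarball, .asc, KEYS and expected.fpr into directory $1.
# expected.fpr stands in for the fingerprint a signer enters on id.apache.org.
signer_publish() {
    work=$1
    signer=$(mktemp -d); chmod 700 "$signer"
    gpg_in "$signer" --quick-gen-key "Example RM <rm@example.invalid>" default default never
    printf 'constructed release contents\n' > "$work/subversion-0.0.0.tar.gz"
    gpg_in "$signer" --armor --detach-sign \
        -o "$work/subversion-0.0.0.tar.gz.asc" "$work/subversion-0.0.0.tar.gz"
    # KEYS: armored public key(s), published next to the release artifacts
    gpg_in "$signer" --armor --export > "$work/KEYS"
    # First fpr: record is the primary key, the one that made the signature above
    gpg_in "$signer" --with-colons --fingerprint \
        | awk -F: '/^fpr:/ { print $10; exit }' > "$work/expected.fpr"
}

# User side: returns 0 only for a good signature on $2 (checked against $2.asc)
# made by the key whose fingerprint equals $1/expected.fpr. Uses a fresh,
# empty keyring so nothing but KEYS can vouch for the signer.
verify_release() {
    work=$1; tarball=$2
    user=$(mktemp -d); chmod 700 "$user"
    gpg_in "$user" --import "$work/KEYS"
    # --status-fd 1 gives machine-readable lines; VALIDSIG's first field is the
    # fingerprint of the key that actually produced the signature.
    status=$(gpg_in "$user" --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null) || return 1
    signer_fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$signer_fpr" ] || return 1
    # A good signature from some other key in KEYS is not enough: pin the fingerprint.
    [ "$signer_fpr" = "$(cat "$work/expected.fpr")" ]
}

# Demonstration: the genuine tarball verifies, a one-byte modification does not.
demo() {
    work=$(mktemp -d)
    signer_publish "$work"
    verify_release "$work" "$work/subversion-0.0.0.tar.gz" \
        || { echo "BUG: genuine tarball rejected"; exit 1; }
    echo "ok: signature good and fingerprint matches $(cat "$work/expected.fpr")"
    cp "$work/subversion-0.0.0.tar.gz.asc" "$work/tampered.tar.gz.asc"
    { cat "$work/subversion-0.0.0.tar.gz"; printf 'x'; } > "$work/tampered.tar.gz"
    if verify_release "$work" "$work/tampered.tar.gz"; then
        echo "BUG: tampered tarball accepted"; exit 1
    fi
    echo "ok: tampered tarball rejected"
}

demo
```

The fingerprint comparison is the step that the id.apache.org entry makes possible: importing KEYS tells gpg which keys exist, but only an out-of-band fingerprint tells the user which of them is allowed to sign this project's releases.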

