Posted to dev@stratos.apache.org by Lahiru Sandaruwan <la...@wso2.com> on 2013/09/12 14:49:42 UTC

Recommendations on release keys

Hi all,

We have been following some release guides for release management ([1],
[2]). They state that we have to generate GPG keys for signing.
My question is: is it better to get the packs signed by a mentor for
an incubating release?

Thanks.

[1] http://airavata.apache.org/development/release-management.html
[2] http://airavata.apache.org/development/release-management.html

-- 
--
Lahiru Sandaruwan
Software Engineer,
Platform Technologies,
WSO2 Inc., http://wso2.com
lean.enterprise.middleware

email: lahirus@wso2.com cell: (+94) 773 325 954
blog: http://lahiruwrites.blogspot.com/
twitter: http://twitter.com/lahirus
linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146

Re: Recommendations on release keys

Posted by Lahiru Sandaruwan <la...@wso2.com>.
Hi Suresh,


On Fri, Sep 13, 2013 at 4:26 AM, Suresh Marru <sm...@apache.org> wrote:

> On Sep 12, 2013, at 9:22 AM, Chip Childers <ch...@sungard.com>
> wrote:
>
> > On Thu, Sep 12, 2013 at 06:19:42PM +0530, Lahiru Sandaruwan wrote:
> >> Hi all,
> >>
> >> We have been following some release guides for release management ([1],
> >> [2]). They state that we have to generate GPG keys for signing.
> >> My question is: is it better to get the packs signed by a mentor for
> >> an incubating release?
> >>
> >> Thanks.
> >>
> >> [1] http://airavata.apache.org/development/release-management.html
> >> [2] http://airavata.apache.org/development/release-management.html
> >
> > IMO, whoever wants to be the release manager for your first release
> > should be the one to sign the artifact.  Now, if you are creating a new
> > key for it, and aren't connected to the larger ASF web of trust, that
> > can be seen as a weakness.
> >
> > We can solve that though!  As part of voting (if someone votes +1), they
> > have the option of providing a signature that can be added to the
> > detached signature file for the release before it's committed to the
> > release dir in svn.
> >
> > So...  That's where mentors can help.  When I vote, if it's a +1, I'll
> > add my signature.  Others should consider doing the same.
>
> +1 for this approach though.
>
> Although I assume that, with a good number of Apache committers in Sri Lanka,
> the release manager (assuming they will be one of the currently active Stratos
> PPMC members in SL) should be able to meet fellow committers in person and
> get their key signed.
>

Yes, this is possible.

Thanks.

>
> Suresh
>
> >
> > -chip
>
>



Re: Recommendations on release keys

Posted by Suresh Marru <sm...@apache.org>.
On Sep 12, 2013, at 9:22 AM, Chip Childers <ch...@sungard.com> wrote:

> On Thu, Sep 12, 2013 at 06:19:42PM +0530, Lahiru Sandaruwan wrote:
>> Hi all,
>> 
>> We have been following some release guides for release management ([1],
>> [2]). They state that we have to generate GPG keys for signing.
>> My question is: is it better to get the packs signed by a mentor for
>> an incubating release?
>> 
>> Thanks.
>> 
>> [1] http://airavata.apache.org/development/release-management.html
>> [2] http://airavata.apache.org/development/release-management.html
> 
> IMO, whoever wants to be the release manager for your first release
> should be the one to sign the artifact.  Now, if you are creating a new
> key for it, and aren't connected to the larger ASF web of trust, that
> can be seen as a weakness.
> 
> We can solve that though!  As part of voting (if someone votes +1), they
> have the option of providing a signature that can be added to the
> detached signature file for the release before it's committed to the
> release dir in svn.
> 
> So...  That's where mentors can help.  When I vote, if it's a +1, I'll
> add my signature.  Others should consider doing the same.

+1 for this approach though.

Although I assume that, with a good number of Apache committers in Sri Lanka, the release manager (assuming they will be one of the currently active Stratos PPMC members in SL) should be able to meet fellow committers in person and get their key signed.

Suresh

> 
> -chip


Re: Recommendations on release keys

Posted by Lahiru Sandaruwan <la...@wso2.com>.
Thanks for the prompt reply Chip...


On Thu, Sep 12, 2013 at 6:52 PM, Chip Childers <ch...@sungard.com> wrote:

> On Thu, Sep 12, 2013 at 06:19:42PM +0530, Lahiru Sandaruwan wrote:
> > Hi all,
> >
> > We have been following some release guides for release management ([1],
> > [2]). They state that we have to generate GPG keys for signing.
> > My question is: is it better to get the packs signed by a mentor for
> > an incubating release?
> >
> > Thanks.
> >
> > [1] http://airavata.apache.org/development/release-management.html
> > [2] http://airavata.apache.org/development/release-management.html
>
> IMO, whoever wants to be the release manager for your first release
> should be the one to sign the artifact.  Now, if you are creating a new
> key for it, and aren't connected to the larger ASF web of trust, that
> can be seen as a weakness.
>
> We can solve that though!  As part of voting (if someone votes +1), they
> have the option of providing a signature that can be added to the
> detached signature file for the release before it's committed to the
> release dir in svn.
>

+1. So I will sign using my key and then get the help of mentors at voting.

Thanks.

>
> So...  That's where mentors can help.  When I vote, if it's a +1, I'll
> add my signature.  Others should consider doing the same.
>
> -chip
>




Re: Recommendations on release keys

Posted by Chip Childers <ch...@sungard.com>.
On Thu, Sep 12, 2013 at 06:19:42PM +0530, Lahiru Sandaruwan wrote:
> Hi all,
> 
> We have been following some release guides for release management ([1],
> [2]). They state that we have to generate GPG keys for signing.
> My question is: is it better to get the packs signed by a mentor for
> an incubating release?
> 
> Thanks.
> 
> [1] http://airavata.apache.org/development/release-management.html
> [2] http://airavata.apache.org/development/release-management.html

IMO, whoever wants to be the release manager for your first release
should be the one to sign the artifact.  Now, if you are creating a new
key for it, and aren't connected to the larger ASF web of trust, that
can be seen as a weakness.

We can solve that though!  As part of voting (if someone votes +1), they
have the option of providing a signature that can be added to the
detached signature file for the release before it's committed to the
release dir in svn.

So...  That's where mentors can help.  When I vote, if it's a +1, I'll
add my signature.  Others should consider doing the same.

-chip
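
The co-signing flow described in this message, as an added example that is not part of the original thread or any project's release tooling: the release manager creates the detached signature, a +1 voter appends a second one, and verification counts the good signatures. The keys, e-mail addresses and artifact name are constructed, and everything runs in a throwaway keyring (GnuPG 2.1 or later assumed).

```shell
#!/bin/sh
# Added example: constructed keys and artifact, isolated in a temp keyring.
set -eu

# Print how many signatures in $1 verify as good over the file $2.
count_good() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        grep -c '^\[GNUPG:\] GOODSIG' || true
}

# Runs in a subshell so GNUPGHOME never leaks into the caller's environment.
cosign_demo() (
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    artifact="$work/example-release.tar.gz"      # hypothetical artifact name
    printf 'constructed release payload\n' > "$artifact"

    # Throwaway, unprotected test keys for the two roles in the thread.
    for uid in 'Release Manager <release-manager@example.invalid>' \
               'Mentor <mentor@example.invalid>'; do
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" >/dev/null 2>&1
    done

    # 1. The release manager creates the detached, armored signature.
    gpg --batch --local-user release-manager@example.invalid --armor \
        --output "$artifact.asc" --detach-sign "$artifact"
    # 2. A +1 voter signs the same bytes; the signature is appended.
    gpg --batch --local-user mentor@example.invalid --armor \
        --output - --detach-sign "$artifact" >> "$artifact.asc"

    before=$(count_good "$artifact.asc" "$artifact")
    printf 'tampered' >> "$artifact"             # any change voids both
    after=$(count_good "$artifact.asc" "$artifact")

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$before $after"
)

cosign_demo   # prints "2 0"
```

Each appended signature is independent of the others: it covers the artifact bytes only, so every voter has to sign exactly the file that is being voted on.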