Posted to dev@commons.apache.org by Henri Yandell <ba...@generationjava.com> on 2004/05/02 04:17:47 UTC
[io] Release question
I've cut a release for 1.0 and tagged it and am ready to call for a vote
etc, but I also need to ask about PGP. I previously signed things with a
key that was on icarus and is now lost. Is there any problem with me
generating a new key? I've heard something about revoking keys etc.
Reminds me yet again that I need to figure out pgp signing my email too.
Hen
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
Re: [io] Release question
Posted by Henri Yandell <ba...@generationjava.com>.
Yep, I agree and now have a private build machine I can keep it on. Just
need to investigate how to migrate keys, especially if it's between pgp
and gpg.
Hen
On Mon, 3 May 2004, robert burrell donkin wrote:
> (the last thing i heard was that) the infrastructure advice on key
> management best practice was that private keys for key signing should
> not be stored on ASF machines.
>
> (the reasoning is that if the ASF machine is ever compromised, all keys
> stored on that machine would be suspect and therefore every release
> signed with that key would also be suspect. if release managers
> carefully store their own private keys then this attack requires a
> compromise of both the ASF machine and the local machine on which the
> release manager stores the private key.)
>
> personally, i'm now considering keeping my code signing private key on
> removable media with a hard copy backup.
>
> - robert
>
> On 2 May 2004, at 03:54, Henri Yandell wrote:
>
> >
> > Noel's helped me out. Seems it was migrated to the new machine. Could have
> > sworn it wasn't working anymore :)
> >
> > Hen
> >
> > On Sat, 1 May 2004, Henri Yandell wrote:
> >
> >>
> >> I've cut a release for 1.0 and tagged it and am ready to call for a vote
> >> etc, but I also need to ask about PGP. I previously signed things with a
> >> key that was on icarus and is now lost. Is there any problem with me
> >> generating a new key? I've heard something about revoking keys etc.
> >>
> >> Reminds me yet again that I need to figure out pgp signing my email too.
> >>
> >> Hen
Re: [io] Release question
Posted by robert burrell donkin <ro...@blueyonder.co.uk>.
(the last thing i heard was that) the infrastructure advice on key
management best practice was that private keys for key signing should
not be stored on ASF machines.
(the reasoning is that if the ASF machine is ever compromised, all keys
stored on that machine would be suspect and therefore every release
signed with that key would also be suspect. if release managers
carefully store their own private keys then this attack requires a
compromise of both the ASF machine and the local machine on which the
release manager stores the private key.)
personally, i'm now considering keeping my code signing private key on
removable media with a hard copy backup.
- robert
On 2 May 2004, at 03:54, Henri Yandell wrote:
>
> Noel's helped me out. Seems it was migrated to the new machine. Could have
> sworn it wasn't working anymore :)
>
> Hen
>
> On Sat, 1 May 2004, Henri Yandell wrote:
>
>>
>> I've cut a release for 1.0 and tagged it and am ready to call for a vote
>> etc, but I also need to ask about PGP. I previously signed things with a
>> key that was on icarus and is now lost. Is there any problem with me
>> generating a new key? I've heard something about revoking keys etc.
>>
>> Reminds me yet again that I need to figure out pgp signing my email too.
>>
>> Hen
Re: [io] Release question
Posted by Henri Yandell <ba...@generationjava.com>.
Noel's helped me out. Seems it was migrated to the new machine. Could have
sworn it wasn't working anymore :)
Hen
On Sat, 1 May 2004, Henri Yandell wrote:
>
> I've cut a release for 1.0 and tagged it and am ready to call for a vote
> etc, but I also need to ask about PGP. I previously signed things with a
> key that was on icarus and is now lost. Is there any problem with me
> generating a new key? I've heard something about revoking keys etc.
>
> Reminds me yet again that I need to figure out pgp signing my email too.
>
> Hen