Apache Account Setup

[Gregory Nutt <sp...@gmail.com>]

PPMC members have Apache email addresses.  Mine is gnutt@apache.org for 
example.  I stumbled across this account configuration utility: 
https://id.apache.org/  You can use that to setup your forwarding 
address (and your github name) . I see some PPMC people already know 
this.  There is information here on how to setup gmail to send from your 
apache.org email using a gmail account.

Re: Apache Account Setup

[Alan Carvalho de Assis <ac...@gmail.com>]

Hi Nathan,

On 12/18/19, Nathan Hartman <ha...@gmail.com> wrote:
> On Wed, Dec 18, 2019 at 5:24 AM Alan Carvalho de Assis <ac...@gmail.com>
> wrote:
>
> Thank you Greg!
>>
>> I saw the option to send the SSH keys, so I suppose we will need to fill
>> it
>> later (for those who didn't it yet).
>
>
> Also if you do not have your PGP keys yet, you should do that soon. These
> are needed for cryptographically signing releases. Several people need to
> sign each release in order to release it.
>
> See:
>
> https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
>
> and the more detailed document here:
>
> https://www.apache.org/dev/release-signing.html
>

Thank you very much!

I'll submit it.

BR,

Alan

Apache download mirrors [was Re: Apache Account Setup]

[Justin Mclean <ju...@classsoftware.com>]

Hi,

> Will the release artifacts go into SVN at dist.apache.org? Or are git-based
> projects released differently?

They need to be placed their, putting them there means they get distributed to Apache mirrors sites [1]  allowing easy access from allover the world. It usually take about 24 hours.

Thanks,
Justin

1. https://www.apache.org/mirrors/

Re: Apache Account Setup

[Nathan Hartman <ha...@gmail.com>]

On Wed, Dec 18, 2019 at 4:21 PM Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> Forgive me for top posting.
>
>  Some things that may help:
> - Unusually release are only signed by the RM (but you can have others
> sign it as well)
> - It’s best to use your apache email address (but it’s not required)
> -  A key signing party is a good idea
> - Emails don’t have to be signed (although some projects sign announce
> emails)
> - Signatures go into a KEYS file so people can verify the release artefacts


Will the release artifacts go into SVN at dist.apache.org? Or are git-based
projects released differently?

Thanks,
Nathan

Re: Apache Account Setup

[Justin Mclean <ju...@classsoftware.com>]

Hi,

Forgive me for top posting.

 Some things that may help:
- Unusually release are only signed by the RM (but you can have others sign it as well)
- It’s best to use your apache email address (but it’s not required)
-  A key signing party is a good idea
- Emails don’t have to be signed (although some projects sign announce emails)
- Signatures go into a KEYS file so people can verify the release artefacts

Thanks,
Justin

Re: Apache Account Setup

[Nathan Hartman <ha...@gmail.com>]

On Wed, Dec 18, 2019 at 11:25 AM Gregory Nutt <sp...@gmail.com> wrote:
>
>
> > I don't think there's a need to sign emails.
> >
> > We just sign the release tarballs and those signatures go into a .sig
> > file that people can download and use to verify the tarballs.
>
> Thanks... I obviously don't know what I am going.  Just following
> through Apache checklists as I run across them.

Don't worry. It is a little bit of a labyrinth out there. I'm still
learning my way around too. We'll just struggle through until we're
experts.

Re: Apache Account Setup

[Gregory Nutt <sp...@gmail.com>]

> I don't think there's a need to sign emails.
>
> We just sign the release tarballs and those signatures go into a .sig
> file that people can download and use to verify the tarballs.

Thanks... I obviously don't know what I am going.  Just following 
through Apache checklists as I run across them.

Greg

Re: Apache Account Setup

[Nathan Hartman <ha...@gmail.com>]

On Wed, Dec 18, 2019 at 10:35 AM Gregory Nutt <sp...@gmail.com> wrote:
> These are Windows computers.  My key was created by gpg from the Cygwin
> command line.  Do I need to copy this into Windows application data for
> use by a mailer?  I use Thunderbird and I am not sure where that would go.

I don't think there's a need to sign emails.

We just sign the release tarballs and those signatures go into a .sig
file that people can download and use to verify the tarballs.

Re: Apache Account Setup

[Gregory Nutt <sp...@gmail.com>]

Anotherdumb  question...

I have multiple computers and do (work other than just testing) on two:  
A desktop and a laptop.  I presume that these should have the same key 
and that I can just copy .gnupg to that they have the same signing key.

These are Windows computers.  My key was created by gpg from the Cygwin 
command line.  Do I need to copy this into Windows application data for 
use by a mailer?  I use Thunderbird and I am not sure where that would go.

My laptop runs MSYS2, but I think it is basically the same story.

Greg

Re: Apache Account Setup

[Nathan Hartman <ha...@gmail.com>]

On Wed, Dec 18, 2019 at 9:39 AM Abdelatif Guettouche <
abdelatif.guettouche@gmail.com> wrote:

> Yes they recommend the key to be with an @apache.org email.
> But we can add an email to an existing key.
>
> gpg --edit-key <original email or key id>
>
> We then can add an new email through the gpg cli and upload it when we're
> done.


Could we have a key signing party at NuttX 2020?

Re: Apache Account Setup

[Abdelatif Guettouche <ab...@gmail.com>]

Yes they recommend the key to be with an @apache.org email.
But we can add an email to an existing key.

gpg --edit-key <original email or key id>

We then can add an new email through the gpg cli and upload it when we're done.

On Wed, Dec 18, 2019 at 2:12 PM Gregory Nutt <sp...@gmail.com> wrote:
>
>
> >> I saw the option to send the SSH keys, so I suppose we will need to fill it
> >> later (for those who didn't it yet).
> > Also if you do not have your PGP keys yet, you should do that soon. These
> > are needed for cryptographically signing releases. Several people need to
> > sign each release in order to release it.
> >
> > See:
> >
> > https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
> >
> > and the more detailed document here:
> >
> > https://www.apache.org/dev/release-signing.html
>
> I assume that this should be the <apache ID>@apache.org?
>
> Then if we have existing keys all we should have to do is:
>
> |gpg --edit-key <apache ID>@apache.org|
>
> |Right?|
>
> |Greg
> |
>
> ||
>

Re: Apache Account Setup

[Gregory Nutt <sp...@gmail.com>]

>> I saw the option to send the SSH keys, so I suppose we will need to fill it
>> later (for those who didn't it yet).
> Also if you do not have your PGP keys yet, you should do that soon. These
> are needed for cryptographically signing releases. Several people need to
> sign each release in order to release it.
>
> See:
>
> https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys
>
> and the more detailed document here:
>
> https://www.apache.org/dev/release-signing.html

I assume that this should be the <apache ID>@apache.org?

Then if we have existing keys all we should have to do is:

|gpg --edit-key <apache ID>@apache.org|

|Right?|

|Greg
|

||

Re: Apache Account Setup

[Nathan Hartman <ha...@gmail.com>]

On Wed, Dec 18, 2019 at 5:24 AM Alan Carvalho de Assis <ac...@gmail.com>
wrote:

Thank you Greg!
>
> I saw the option to send the SSH keys, so I suppose we will need to fill it
> later (for those who didn't it yet).


Also if you do not have your PGP keys yet, you should do that soon. These
are needed for cryptographically signing releases. Several people need to
sign each release in order to release it.

See:

https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys

and the more detailed document here:

https://www.apache.org/dev/release-signing.html

Nathan

Re: Apache Account Setup

[Alan Carvalho de Assis <ac...@gmail.com>]

Thank you Greg!

I saw the option to send the SSH keys, so I suppose we will need to fill it
later (for those who didn't it yet).

BR,

Alan

On Tuesday, December 17, 2019, Gregory Nutt <sp...@gmail.com> wrote:
> PPMC members have Apache email addresses.  Mine is gnutt@apache.org for
example.  I stumbled across this account configuration utility:
https://id.apache.org/  You can use that to setup your forwarding address
(and your github name) . I see some PPMC people already know this.  There
is information here on how to setup gmail to send from your apache.org
email using a gmail account.
>
>