Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/09/14 10:55:36 UTC

[Bug 65570] New: Shared KEYS files must contain keys for all relevant release

https://bz.apache.org/bugzilla/show_bug.cgi?id=65570

            Bug ID: 65570
           Summary: Shared KEYS files must contain keys for all relevant
                    release
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: dev@tomcat.apache.org
          Reporter: sebb@apache.org
  Target Milestone: -----

The Wiki Release process page [1] says:

"svn checkout --depth immediates
https://dist.apache.org/repos/dist/release/tomcat/tomcat-9/ 
and update the KEYS file there to be the same as the one used for release"

The KEYS file at that level is used for all 9.x releases, and must therefore
contain the keys used for all the releases.

Once a key used for a release has been added to a KEYS file, it should never be
removed. The process described above does not make that clear.

The process seems needlessly complicated.

Most other projects use a single KEYS file maintained at the project level:
https://dist.apache.org/repos/dist/release/tomcat/KEYS

When a new signing key is used for a release, add it to the file.
Job done.

N.B. this bug report also probably applies to the other Tomcat releases.

[1] https://cwiki.apache.org/confluence/display/TOMCAT/ReleaseProcess

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 65570] Shared KEYS files must contain keys for all relevant release

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65570

--- Comment #2 from vacancies <va...@gmail.com> ---
Yes, it is a must that shared KEYS files contain keys for all relevant
releases while in Tomcat 9, as it is used here: https://www.vacancies.ae


[Bug 65570] Shared KEYS files must contain keys for all relevant release

--- Comment #4 from Sebb <se...@apache.org> ---
In which case, why do the per-release KEYS files contain more entries than the
per version KEYS files?

For example:

https://archive.apache.org/dist/tomcat/tomcat-9/KEYS is about 14K
whereas
https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.53/KEYS is 41K

It seems like the process is not being followed.

I have checked quite a few .asc files for the Tomcat 9 series, and it does look
like all the keys used for signing are in the parent KEYS file.

However, that is not the case for Tomcat 8.
I found issues with versions 8.0.39 onwards.

I've not checked any other Tomcat major versions.

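The check described in comment #4 (looking at the .asc files of a release series and confirming that every signing key is present in the parent KEYS file), which is also the requirement the original report states, can be automated. The following is an added example, not code from the Tomcat project or from anyone in this thread: it parses a KEYS file and a set of detached .asc signatures in pure Python (no gpg required), collects the long key IDs of every public key and subkey packet in KEYS, reads each signature's issuer, and reports which signatures were made by a key that KEYS does not carry. The KEYS text, the signatures and the key material are constructed inline (a hypothetical key with nonsense numbers and made-up file names); on real data the same functions would be fed the text of https://archive.apache.org/dist/tomcat/tomcat-9/KEYS and the .asc files from a version directory.

```python
# Audit a KEYS file against detached .asc signatures without gpg: collect the long
# key IDs KEYS carries and check whether each signature's issuer is among them.
# Pure-Python OpenPGP parsing; v4 keys/signatures only, no partial-body lengths.
import base64
import hashlib
import struct

def dearmor(text):
    """Yield the binary payload of every ASCII-armored block in `text`."""
    for block in text.split("-----BEGIN PGP ")[1:]:          # prose between blocks is dropped
        lines = block.split("-----END PGP ")[0].splitlines()[1:]   # [1:] drops the BEGIN line
        idx = next(k for k, l in enumerate(lines) if l.strip() == "")  # blank line ends headers
        b64 = "".join(l.strip() for l in lines[idx + 1:] if not l.startswith("="))  # "=" = CRC24
        yield base64.b64decode(b64)

def _new_len(buf, i, subpacket=False):
    """New-format length octets (RFC 4880 4.2.2 / 5.2.3.1) -> (length, index after them)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial-body lengths not supported")

def parse_packets(data):
    """Split a binary OpenPGP stream into (tag, body) pairs (RFC 4880 section 4.2)."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                  # new-format header
            tag = hdr & 0x3F
            ln, i = _new_len(data, i)
        else:                           # old-format header; length type 3 = rest of data
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            ln = int.from_bytes(data[i:i + n], "big") if n else len(data) - i; i += n
        out.append((tag, data[i:i + ln])); i += ln
    return out

def v4_key_id(body):
    """Long key ID = low 64 bits of the v4 fingerprint (SHA-1 over 0x99, length, body)."""
    assert body[0] == 4, "only v4 keys supported"
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return fpr[-16:].upper()

def iter_subpackets(blob):
    """Yield (type, value) from a signature subpacket area; bit 7 of type is 'critical'."""
    i = 0
    while i < len(blob):
        ln, i = _new_len(blob, i, subpacket=True)
        yield blob[i] & 0x7F, blob[i + 1:i + ln]
        i += ln

def v4_sig_issuer(body):
    """Issuer long key ID of a v4 signature: issuer-fingerprint (33) wins, else issuer (16)."""
    assert body[0] == 4, "only v4 signatures supported"
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    subs = list(iter_subpackets(body[6:6 + hlen])) + list(iter_subpackets(body[8 + hlen:8 + hlen + ulen]))
    issuer = None
    for typ, val in subs:
        if typ == 33 and val[0] == 4:
            return val[1:].hex().upper()[-16:]
        if typ == 16 and issuer is None:
            issuer = val.hex().upper()
    return issuer

def key_ids_in_keys_file(text):
    """Set of long key IDs for every public key (tag 6) and subkey (tag 14) in a KEYS file."""
    return {v4_key_id(body) for blob in dearmor(text)
            for tag, body in parse_packets(blob) if tag in (6, 14)}

def audit(keys_text, signatures):
    """Map signature name -> (issuer key ID, True if that ID is present in KEYS)."""
    known, report = key_ids_in_keys_file(keys_text), {}
    for name, asc in signatures.items():
        issuer = v4_sig_issuer(next(b for t, b in parse_packets(next(dearmor(asc))) if t == 2))
        report[name] = (issuer, issuer in known)
    return report

# Constructed sample data: a hypothetical key with nonsense numbers, not a real Tomcat key.
def _armor(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN PGP {label}-----\n\n{body}\n-----END PGP {label}-----\n"
def _packet(tag, body): return bytes([0xC0 | tag, len(body)]) + body     # new-format, len < 192
def _mpi(n): return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

PUBKEY_BODY = bytes([4]) + struct.pack(">I", 1600000000) + bytes([1]) + _mpi(0xC0FFEE1234567) + _mpi(65537)
SAMPLE_KEYS = _armor("PUBLIC KEY BLOCK", _packet(6, PUBKEY_BODY) + _packet(13, b"RM <rm@example.invalid>"))

def _sig_body(issuer_hex):
    hashed = bytes([5, 2]) + struct.pack(">I", 1600000100)      # subpacket 2: creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_hex)        # subpacket 16: issuer key ID
    return (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd" + _mpi(0x1234))

SAMPLE_SIGS = {   # one signature by the sample key, one by a key ID that KEYS does not carry
    "apache-tomcat-9.x.tar.gz.asc": _armor("SIGNATURE", _packet(2, _sig_body(v4_key_id(PUBKEY_BODY)))),
    "apache-tomcat-8.x.tar.gz.asc": _armor("SIGNATURE", _packet(2, _sig_body("0123456789ABCDEF"))),
}
```

Calling audit(SAMPLE_KEYS, SAMPLE_SIGS) returns a dict mapping each signature name to (issuer key ID, present-in-KEYS), so the same function can be run over every .asc file in a version directory before a KEYS file is published. Only v4 keys and signatures are handled, partial-body packet lengths are rejected rather than misparsed, and a signature that names its issuer only by fingerprint (subpacket 33) is reduced to the long key ID so it compares against the KEYS entries. This establishes that the signing key is listed, not that the signature verifies; gpg --verify against the imported KEYS file remains the authoritative step.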


[Bug 65570] Shared KEYS files must contain keys for all relevant release

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65570

--- Comment #1 from Remy Maucherat <re...@apache.org> ---
The two keys that are in the KEYS for Tomcat 9.0 should be enough. Is there a
build that was not signed by one of the two keys that are in there?


[Bug 65570] Shared KEYS files must contain keys for all relevant release

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Mark Thomas <ma...@apache.org> ---
You don't have to understand the project's decision to use per release branch
KEYS files. The project has made the decision and it is clear from the comments
on this issue and the archives that that is a decision that the Tomcat project
community is happy with.

KEYS files in current branches have been aligned with the per version KEYS
files.

violetagg's key has been added to the per version keys for 8.x

remm's old DSA key has been added to the per version keys for 6.x

markt's key has been added to the per version keys for 5.x


[Bug 65570] Shared KEYS files must contain keys for all relevant release

--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Sebb from comment #0)
> The KEYS file at that level is used for all 9.x releases, and must therefore
> contain the keys used for all the releases.
> 
> Once a key used for a release has been added to a KEYS file, it should never
> be removed. The process described above does not make that clear.

+1

> The process seems needlessly complicated.
> 
> Most other projects use a single KEYS file maintained at the project level:
> https://dist.apache.org/repos/dist/release/tomcat/KEYS

Take a look at the release history for Tomcat. There have been many release
managers. We have decided to use separate release-based KEYS files to keep the
files more manageable. For example, it's easier to see if a key is in the file
when there aren't dozens of keys in it, especially if the same RM has used more
than one key through the years.


[Bug 65570] Shared KEYS files must contain keys for all relevant release

--- Comment #4 from Sebb <se...@apache.org> ---
There are also issues with:

v5.5.36
v6.0.0-alpha
v6.0.0


[Bug 65570] Shared KEYS files must contain keys for all relevant release

--- Comment #5 from Sebb <se...@apache.org> ---
AFAICT there are only about 15 keys that have been used to sign releases since
version 5, so I don't understand the reluctance to use a single shared file.

I don't think it is safe to delete the existing files as they may be referenced
in links, but it would be possible to use a single canonical file going
forward.
