Posted to general@incubator.apache.org by Andrew Phillips <an...@apache.org> on 2013/05/30 22:44:48 UTC

Correct process for signing keys?

Hi all

Apologies in advance if this is not the correct audience for this  
question: what is the correct process now for publishing signing keys  
for releases? jclouds currently has a KEYS file [1]; there is another  
(different) file containing keys in the groups list [2] on  
people.apache, and most individual committers *also* have their  
personal keys automatically retrieved via people.apache (e.g. [3]).

In an email thread on this topic Brian (McCallister) indicated that:

> Upon investigation, if release signing keys are published via  
> https://people.apache.org/keys/ then we don't need a KEYS file and  
> should remove it.
>
> -Brian

In that case, I'd be grateful if you could give some guidance on what  
the validity of the other approaches (KEYS file published somewhere or  
group KEYS file) is, and what we should do with those files, if  
anything.

Thanks!


Andrew

[1] http://www.apache.org/dist/incubator/jclouds/KEYS
[2] https://people.apache.org/keys/group/jclouds.asc
[3] https://people.apache.org/keys/committer/andrewp.asc

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


RE: Correct process for signing keys?

Posted by "Dennis E. Hamilton" <de...@acm.org>.
@Christian

The other advantage of the people list is that it is automatically updated from the federation of PGP key servers so it reflects the latest "web of trust" and also, I presume, any revocation.  

In some cases, PMC-wide is a bit too generous though.  I think the release manager's Apache ID is better, using <https://people.apache.org/keys/<id>.asc>.  This is probably more confidence-inspiring than the web of trust itself for those who do not participate in Apache projects and don't know who those folks who've counter-signed the certificate happen to be.  In that case, the lock to an ASF committer is valuable.  (It is unfortunate that committers and especially release managers are often not visible by their <id>@apache.org, thus providing even more confidence in the connection for observers.)

 - Dennis

PS: I notice I just did the thing I'm complaining about.  But I don't think orcmid@ a.o is subscribed to this list [;<).

-----Original Message-----
From: Christian Grobmeier [mailto:grobmeier@gmail.com] 
Sent: Sunday, June 2, 2013 01:24 AM
To: general@incubator.apache.org
Subject: Re: Correct process for signing keys?

Hi Andrew,

here are some basic docs:

http://www.apache.org/dev/release-signing.html
http://www.apache.org/dev/openpgp.html#update

I could not find information on your specific question. At log4php we were
curious recently about the same and decided to go with this:
http://www.apache.org/dist/logging/log4php/KEYS

But we made sure it would match this:
https://people.apache.org/keys/group/logging-pmc.asc

Basically my understanding is the one from people would be fine alone.
There is some danger people would take the KEYS file from a mirror which is
to my knowledge not possible from people.

My 2 cents- hopefully somebody with more knowledge on that matter (infra)
can add a note.

Cheers





-- 
http://www.grobmeier.de
https://www.timeandbill.de


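Christian's check that the KEYS file and the people.apache.org group file carry the same keys, done here by computing each key's fingerprint from the armored key material itself rather than trusting the "pub ..." header text above it. This is an added example, not code from this thread or from any Apache project; the two armored blocks are constructed stand-ins for [1] and [2] with tiny, non-real RSA moduli, and the only layout assumed is a standard ASCII-armored public key export.

```python
import base64, hashlib

def _armored_blocks(text):
    # Decode each PGP PUBLIC KEY BLOCK in a KEYS-style file, skipping armor headers and the "=CRC24" line
    blocks, b64, state = [], [], None                # state: None, "headers" or "data"
    for line in map(str.strip, text.splitlines()):
        if line == "-----BEGIN PGP PUBLIC KEY BLOCK-----":
            b64, state = [], "headers"
        elif line == "-----END PGP PUBLIC KEY BLOCK-----":
            blocks.append(base64.b64decode("".join(b64))); state = None
        elif state == "headers" and (":" in line or not line):
            state = "headers" if line else "data"    # "Version:" style lines end at the blank line
        elif state and not line.startswith("="):
            state = "data"; b64.append(line)
    return blocks

def _packets(data):
    # (tag, body) for every OpenPGP packet; old- and new-format headers per RFC 4880 section 4.2
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                               # new format
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else: raise ValueError("partial body lengths are not supported")
        else:                                        # old format
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i; i += n
        yield tag, data[i:i + length]; i += length

def keys_in(text):
    # fingerprint -> first user ID, computed from the key material (RFC 4880 12.2), not the "pub" text
    found, cur = {}, None
    for tag, body in (p for b in _armored_blocks(text) for p in _packets(b)):
        if tag == 6 and body[0] == 4:                # v4 primary public key packet
            cur = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper(); found[cur] = ""
        elif tag == 13 and cur and not found[cur]:   # user ID packet
            found[cur] = body.decode("utf-8", "replace")
    return found

def _sample_block(uid, n):
    # Constructed armored key: v4 RSA packet with a tiny (non-real) modulus plus a user ID, old-format headers
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04\x51\xa7\x00\x00\x01" + mpi(n) + mpi(65537)
    raw = b"\x99" + len(body).to_bytes(2, "big") + body + b"\xb4" + bytes([len(uid)]) + uid.encode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n%s\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(raw).decode()
KEYS_FILE = _sample_block("rm@example.org", 0xC0FFEE)                  # constructed stand-in for [1]
GROUP_FILE = KEYS_FILE + _sample_block("other@example.org", 0xBEEF)    # constructed stand-in for [2]
```

Comparing set(keys_in(keys_text)) with set(keys_in(group_text)) lists the fingerprints present in only one of the two files; fetch both inputs over https from the canonical hosts rather than a mirror, since a substituted KEYS file is exactly the mirror concern raised above.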

