Posted to commits@devicemap.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2014/08/11 14:00:15 UTC

[jira] [Commented] (DMAP-83) Provide KEYS file under the dist area

    [ https://issues.apache.org/jira/browse/DMAP-83?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14092706#comment-14092706 ] 

Sebb commented on DMAP-83:
--------------------------

bq. someone will just need to redo the above copy when keys change.

No, a copy won't work in general. There needs to be a merge.

The file at [1] contains the current keys for the current project members.
However the file at [2] must contain all the keys that were ever used to sign a release, as it is needed to verify historic releases from the archive server.

If an RM changes their key, then AIUI [1] will only contain the new key, but the old key may have been used to sign a release (which may even still be current).
If an RM leaves the LDAP group for any reason, then [1] will no longer contain their key (e.g. joes and crossley left the IPMC and are no longer in the incubator-pmc.asc file).

So although the file at [1] may be used as a source for updating the KEYS file at [2], it cannot be regarded as the canonical source for the KEYS file, as it is not guaranteed to contain the required historical entries.

> Provide KEYS file under the dist area
> -------------------------------------
>
>                 Key: DMAP-83
>                 URL: https://issues.apache.org/jira/browse/DMAP-83
>             Project: DeviceMap
>          Issue Type: Task
>            Reporter: Sebb
>            Assignee: Bertrand Delacretaz
>
> The KEYS file is currently linked from 
> [1] https://people.apache.org/keys/group/devicemap.asc
> This is not the standard location, which is
> [2] https://dist.apache.org/repos/dist/release/incubator/devicemap/KEYS
> i.e. at the top level above the releases, sigs and hashes.
> Please can you set up a KEYS file at [2]; this can start out as a copy of [1]
> Note that entries in the KEYS file that have ever been used to sign releases should not be removed otherwise users won't be able to verify archived downloads.
> Also it helps if the KEYS file has details of how to update it, for example see:
> https://dist.apache.org/repos/dist/release/ant/KEYS



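Added example, not part of the original message or of any Apache tooling: a sketch of the merge described in the comment above, which appends keys from the group export [1] that the KEYS file [2] lacks and never drops an existing entry. The names `fingerprint`, `merge_keys` and `fake_block` are hypothetical, only v4 keys are assumed, and the sample blocks are constructed placeholders rather than real keys.

```python
import base64, hashlib, re

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def fingerprint(armor_body):
    """V4 fingerprint (RFC 4880, 12.2) of the primary key in one armored block."""
    lines = [l.strip() for l in armor_body.splitlines()]
    # Keep only base64 data: drop armor headers ("Version: ..."), blanks, "=CRC".
    data = base64.b64decode("".join(
        l for l in lines if l and ":" not in l and not l.startswith("=")))
    first = data[0]
    if first & 0x40:                          # new-format header, 1- or 2-octet length
        tag, o = first & 0x3F, data[1]
        if o >= 224:
            raise ValueError("unsupported packet length encoding")
        n, hdr = (o, 2) if o < 192 else (((o - 192) << 8) + data[2] + 192, 3)
    else:                                     # old-format header, length types 0-2
        tag, size = (first >> 2) & 0x0F, 1 << (first & 3)
        n, hdr = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[hdr:hdr + n]
    if tag != 6 or body[:1] != b"\x04":       # assumption: v4 keys only
        raise ValueError("block does not start with a v4 public-key packet")
    return hashlib.sha1(b"\x99" + n.to_bytes(2, "big") + body).hexdigest().upper()

def merge_keys(keys_text, group_export):
    """Append blocks from group_export that KEYS lacks; never remove anything."""
    have = {fingerprint(b) for b in ARMOR.findall(keys_text)}
    merged, added = keys_text.rstrip("\n") + "\n", []
    for m in ARMOR.finditer(group_export):
        fp = fingerprint(m.group(1))
        if fp not in have:
            merged += "\n" + m.group(0) + "\n"
            have.add(fp)
            added.append(fp)
    return merged, added

def fake_block(seed):
    """Constructed sample: a well-formed v4 packet header, NOT a real key."""
    body = b"\x04" + seed.to_bytes(4, "big") + b"\x01" + bytes(16)
    pkt = b"\x99" + len(body).to_bytes(2, "big") + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(pkt).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    keys = fake_block(1) + fake_block(3)      # [2]: RM's old key + another member
    group = fake_block(2) + fake_block(3)     # [1]: RM's new key only + same member
    merged, added = merge_keys(keys, group)
    print(len(ARMOR.findall(merged)), "keys after merge; added", added)
```

Deduplication is by primary-key fingerprint, so a member whose key is unchanged is not appended twice, while a release manager's superseded key stays in the file.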