Posted to dev@bigtop.apache.org by Bruno Mahé <bm...@apache.org> on 2012/02/21 20:22:31 UTC

Signing our convenience artefact?

Hi,

I have a question for our mentors:
As part of the incoming Apache Bigtop (incubating) release, I am interested in starting to sign our convenience
packages/repositories.
I am afraid using the release manager key to sign released convenience packages/repositories would bring too many issues to be managed since it may change for each release. So what is Apache's stance on using a release key to be shared between release managers or some other entity?

Note that this only applies to the convenience package/repositories, not
the release itself.

Thanks,
Bruno


Re: Signing our convenience artefact?

Posted by Bruno Mahé <bm...@apache.org>.
On 02/23/2012 10:17 AM, Tom White wrote:
> On Tue, Feb 21, 2012 at 11:22 AM, Bruno Mahé <bm...@apache.org> wrote:
>> Hi,
>>
>> I have a question for our mentors:
>> As part of the incoming Apache Bigtop (incubating) release, I am interested in starting to sign our convenience
>> packages/repositories.
>> I am afraid using the release manager key to sign released convenience packages/repositories would bring too many issues to be managed since it may change for each release. So what is Apache's stance on using a release key to be shared between release managers or some other entity?
>>
>> Note that this only applies to the convenience package/repositories, not
>> the release itself.
> The convenience packages are still a part of the release and have to
> conform to Apache release requirements. Why is it too difficult to
> have a key per manager?

I may be a little bit confused by Apache release requirements.
I read through :
* http://www.apache.org/dev/release-signing.html
* http://incubator.apache.org/guides/releasemanagement.html
* http://www.apache.org/dev/release.html

But I am still confused on the following points:
* If there are X release managers, all their keys will be in users'
systems. Therefore, any of them can sign any artefact and they would all
be able to sign any random packages which would be installable on all
users' machines without raising any error. So unless one manually checks
the signature of a given package, no flag would be raised.
* What if a release manager needs to revoke his key? We may need to
re-issue some packages (I am planning on contributing a one-click
install package for the repositories to streamline the user experience)
to revoke the key and add the new one to the user system. And this may
need to happen fast to propagate the revocation, and this would surely
need a release (including votes and so forth) by itself.
* If new keys get added each time a new release manager gets a release
out, I am afraid people would start ignoring keys issues when upgrading
their packages.
* Not really related to signing, but since releases get moved from dist
to archive, if we were to provide mirror files for the repositories,
would it be ok to list both dist and archive locations so as not to disrupt
repositories?

I am aware all these points would apply to a common release key since in
any case our releases would be as strong as our weakest link.
So there is nothing really preventing us from going one way or another, it's
just that having a single release key for convenience artefacts would be
easier to manage.
There are probably a few other differences due to the fact that other
projects' convenience artefacts are independent from release to release,
but in this case we would like to provide some continuity through the
use of some convenience repositories.


>  It's what all other projects do.

Which other projects? I would gladly look at any other Apache project
publishing their own convenience packages/repositories as part of their
release.

> Cheers,
> Tom

Thanks,
Bruno
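
Bruno's first point is that once several release-manager keys sit in a user's keyring, a package signed by any of them installs silently, and nobody checks by hand which key actually signed it. The script below is an added example (not Bigtop's or Apache's code, and not part of this thread) showing what such a check looks like when automated: it drives `gpg --status-fd 1 --verify`, parses GnuPG's machine-readable `[GNUPG:]` status lines, and accepts a package only if the signature is valid and made by a fingerprint on a pinned list. The pinned fingerprints and the sample status lines are constructed for illustration; `gpg` on PATH is assumed only by `verify_package`, while `evaluate_status` can be exercised on captured status output without it.

```python
"""Fingerprint-pinned verification on top of GnuPG status output (added example).

Rejects a package when gpg reports a bad/missing/revoked/expired key,
when no VALIDSIG line is present, or when the signing key is in the
keyring but not on the pinned list.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Constructed, hypothetical fingerprint of a shared release key (not a real Bigtop key).
PINNED_RELEASE_KEYS: Set[str] = {
    "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111",
}

# Status keywords that mean the signature must not be trusted, regardless of VALIDSIG.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def evaluate_status(status_lines: Iterable[str], pinned: Set[str] = PINNED_RELEASE_KEYS) -> Verdict:
    """Decide from gpg '[GNUPG:] ...' lines whether a signature is acceptable.

    Human-readable gpg chatter is ignored; only status lines are parsed.
    VALIDSIG layout: VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsv>
    <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]. When the
    primary-key fingerprint is present it is used, so pinning a primary
    key also covers its signing subkeys.
    """
    fingerprint: Optional[str] = None
    problems: List[str] = []
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL_KEYWORDS:
            problems.append(keyword)
        elif keyword == "VALIDSIG":
            # 12 fields = "[GNUPG:]", "VALIDSIG" and the 10 documented values incl. primary fpr.
            fingerprint = fields[-1] if len(fields) >= 12 else fields[2]

    if problems:
        return Verdict(False, "gpg reported " + ",".join(problems), fingerprint, problems)
    if fingerprint is None:
        return Verdict(False, "no VALIDSIG line in gpg output")
    if fingerprint.upper() not in {p.upper() for p in pinned}:
        return Verdict(False, "valid signature, but signing key is not a pinned release key", fingerprint)
    return Verdict(True, "valid signature from pinned release key", fingerprint)


def verify_package(package_path: str, signature_path: str,
                   pinned: Set[str] = PINNED_RELEASE_KEYS,
                   keyring: Optional[str] = None) -> Verdict:
    """Run gpg on a detached signature and apply the pinning policy (needs gpg on PATH)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, package_path]
    if keyring:
        # Verify against an explicit keyring instead of whatever the user has imported.
        cmd[1:1] = ["--no-default-keyring", "--keyring", keyring]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), pinned)


if __name__ == "__main__":
    # Constructed status output, as gpg would emit for a key present in the
    # keyring that is NOT the pinned release key: valid signature, still rejected.
    sample = [
        "[GNUPG:] GOODSIG 2222BBBB2222BBBB Some Release Manager <rm@example.invalid>",
        "[GNUPG:] VALIDSIG BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222 2012-02-21 1329855751 0 4 0 1 10 00 "
        "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222",
    ]
    print(evaluate_status(sample))
```

The policy lives in `evaluate_status` so it can be tested on captured status output; in a repository client hook the caller would feed it the real `gpg` output via `verify_package` and refuse installation on `ok == False`. Revoking the shared key then means updating one pinned fingerprint and one keyring entry on user systems, which is the propagation problem Bruno raises above.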

Re: Signing our convenience artefact?

Posted by Tom White <to...@cloudera.com>.
On Tue, Feb 21, 2012 at 11:22 AM, Bruno Mahé <bm...@apache.org> wrote:
> Hi,
>
> I have a question for our mentors:
> As part of the incoming Apache Bigtop (incubating) release, I am interested in starting to sign our convenience
> packages/repositories.
> I am afraid using the release manager key to sign released convenience packages/repositories would bring too many issues to be managed since it may change for each release. So what is Apache's stance on using a release key to be shared between release managers or some other entity?
>
> Note that this only applies to the convenience package/repositories, not
> the release itself.

The convenience packages are still a part of the release and have to
conform to Apache release requirements. Why is it too difficult to
have a key per manager? It's what all other projects do.

Cheers,
Tom

>
> Thanks,
> Bruno
>