You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@community.apache.org by "Bertrand Delacretaz (Jira)" <ji...@apache.org> on 2021/02/18 10:48:00 UTC
[jira] [Commented] (COMDEV-400) Drop project keys files
[ https://issues.apache.org/jira/browse/COMDEV-400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286412#comment-17286412 ]
Bertrand Delacretaz commented on COMDEV-400:
--------------------------------------------
> ...Note that the individual keys are still available...
Do those individual keys remain available for ASF accounts that are disabled or removed later?
Once someone has signed a release I think their keys should remain available for ever.
https://www.apache.org/info/verification says "You may download public keys for the Apache project developers from our website", that might need to be updated to mention which is the canonical location for those keys.
> Drop project keys files
> -----------------------
>
> Key: COMDEV-400
> URL: https://issues.apache.org/jira/browse/COMDEV-400
> Project: Community Development
> Issue Type: Bug
> Components: Comdev, PhoneBook, Website
> Environment: https://people.apache.org/keys/group/
> Reporter: Sebb
> Priority: Major
>
> The project keys files should be dropped.
> On the face of it the project keys files could be useful, however that is not the case in practise. This is because:
> * not all release signers are members of the project group
> * release signing keys need to be kept even after a project goes to the attic or the signer leaves the pmc group.
> Leaving the project keys files around has may result it inappropriate usage (as it has previously).
> [Note that the individual keys are still available.]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org