Posted to dev@subversion.apache.org by Stefan <lu...@gmx.de> on 2016/04/28 01:14:56 UTC

pgp keys for signing releases

Hi,

finishing up the creation of my Apache key for signing SVN releases, I 
ran into some details in the docs which seem outdated/unclear to me:

The SVN community guide [1] states:
"Members of the PMC, as well as enthusiastic community members, are 
encouraged to download the tarballs from the preliminary distribution 
location, run the tests, and then provide their signatures. The public 
keys for these signatures should be included in the ASF LDAP instance 
through id.apache.org <https://id.apache.org/>. (A list of the current 
public keys <https://people.apache.org/keys/group/subversion-pmc.asc> 
for members of the Subversion PMC is autogenerated from LDAP each day.)"

1. On id.apache.org I seem to only be able to specify the fingerprint of 
my key, but I can't find a way to upload the complete public key. Is 
this outdated? Is the process now picking up the key from the public 
keyservers based on the fingerprint I enter there?
2. The link to the "current public keys" gives me a 404. I take it 
this one is the correct/new link (taken from release.py): 
https://people.apache.org/keys/group/subversion.asc
3. If the new link I mention in no. 2 is right, does the absence of the 
"-pmc" in the filename mean that the file now contains all keys from 
all contributors (including the partial contributors) instead of only 
the ones from the PMC, and hence my key will be added automatically too 
without me having to do anything else?

On the other hand the Apache release signing documentation [2] states:
"The KEYS file is stored alongside the release archives to which it 
applies, e.g. at the top level of the ASF mirror area for the project. 
This is to ensure that it is available for download by users, and that 
it is automatically archived with historic releases.
[...]
*Note:* this system will be replaced by a better process in the near 
future. In preparation, please ensure that public keys are connected as 
strongly as possible to the Apache web of trust 
<http://www.apache.org/dev/release-signing.html#web-of-trust> and are 
available from the major public key servers 
<http://www.apache.org/dev/release-signing.html#keyserver>."

4. Am I assuming right that this process already took place and the 
reference to having to manually add my public key to the KEYS file is 
therefore obsolete? If not, where is the file located for the Subversion 
project? I didn't find it on dist/subversion and failed to locate it on 
subversion/trunk.

While writing this mail, I see that there's [3] now a list of 
(presumably) all Apache committers, and my key is also listed there. So I 
take it that everything worked and all the other steps I read in the 
documentation are no longer required indeed, no?

Regards,
Stefan

[1] 
https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
[2] http://www.apache.org/dev/release-signing.html#keys-policy
[3] https://people.apache.org/keys/committer/
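The verification side of the process quoted above, as an added example that is not code from this thread or from the ASF/Subversion tooling: import the published group keyring (e.g. subversion.asc or a KEYS file) into a scratch GnuPG home, verify a tarball's detached .asc signature, and pin the signer's primary-key fingerprint, which is the value registered at id.apache.org. The demo key, the address demo@example.invalid and the file name subversion-x.y.z.tar.gz are constructed; gpg (GnuPG 2.1 or newer) is assumed to be on PATH.

```sh
#!/bin/sh
# Added example (not from the thread or from ASF tooling): verify a release
# tarball's detached .asc signature using only the keys in a KEYS-style
# keyring such as the group file subversion.asc, inside a throwaway GnuPG
# home, and pin the expected signer's primary-key fingerprint so that a
# valid signature from some other key is still rejected.
set -eu

# verify_release TARBALL SIG KEYS EXPECTED_FINGERPRINT
# returns 0: good signature from the pinned key; 1: no valid signature;
# 2: valid signature, but from a different key.
verify_release() {
  tarball=$1; sig=$2; keys=$3; expected_fpr=$4
  home=$(mktemp -d); chmod 700 "$home"
  # Import only the published keyring, never the caller's own keyring.
  gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
  # --status-fd 1 prints machine-readable lines; the last field of a
  # VALIDSIG line is the primary-key fingerprint of the signer.
  status=$(gpg --homedir "$home" --batch --status-fd 1 \
               --verify "$sig" "$tarball" 2>/dev/null || true)
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
  [ -n "$fpr" ] || { echo "no valid signature for $tarball" >&2; return 1; }
  [ "$fpr" = "$expected_fpr" ] || {
    echo "signed by $fpr, expected $expected_fpr" >&2; return 2; }
  echo "OK: $tarball signed by $fpr"
}

# Constructed demo data: a throwaway signing key, a KEYS file exported from
# it, a fake tarball and its detached signature, all under DIR. Prints the
# demo key's primary fingerprint so the caller can pin it.
make_demo_release() {
  dir=$1; signer=$dir/signer
  mkdir -p "$signer"; chmod 700 "$signer"
  gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-gen-key 'Demo Signer <demo@example.invalid>' \
      default default never 2>/dev/null
  gpg --homedir "$signer" --batch --armor --export > "$dir/KEYS" 2>/dev/null
  printf 'not really a tarball\n' > "$dir/subversion-x.y.z.tar.gz"
  gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --armor --detach-sign \
      -o "$dir/subversion-x.y.z.tar.gz.asc" "$dir/subversion-x.y.z.tar.gz" 2>/dev/null
  gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null || true
  gpg --homedir "$signer" --batch --with-colons --fingerprint 2>/dev/null \
      | awk -F: '$1 == "fpr" { print $10; exit }'
}
```

Pinning the fingerprint matters because a KEYS file or group keyring can legitimately contain many keys; a good signature alone only proves that one of them signed the tarball.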


Re: pgp keys for signing releases

Posted by Stefan Hett <st...@egosoft.com>.
Hi,
>
> Not entirely sure, but I think you should still publish your pgp key 
> to the major key stores. Once you put your fingerprint on 
> id.apache.org, it knows how to fetch your key from there.
>
Yep, did that and it seems to have worked. So I take it I'm all fine 
here. :-)
-- 
Regards,
Stefan Hett


RE: pgp keys for signing releases

Posted by Bert Huijben <be...@qqmail.nl>.
Not entirely sure, but I think you should still publish your pgp key to the major key stores. Once you put your fingerprint on id.apache.org, it knows how to fetch your key from there.

Bert

Sent from Mail for Windows 10
