Posted to dev@mxnet.apache.org by Naveen Swamy <mn...@gmail.com> on 2018/10/17 20:29:18 UTC

Storing PGP Key for Publishing packages

I am collaborating with Zach Kimberg and Qing on automating (currently it is
very tedious and time consuming) the publishing of the MXNet-Scala Maven
package to the Apache Snapshot repo (either nightly or weekly). For publishing
the package, the artifacts need to be signed with a committer's key; however,
Zach found that Apache seems to strictly advise against storing the PGP keys,
so I suggested looking at what Spark is doing, and he found that they are
releasing to Apache Snapshots as a nightly job, so they must be storing the
credentials on the host.
I am looking for advice from the Mentors on how to proceed with this.

One option (not preferable) is to publish to a private repo or an S3 bucket,
and only publish to Apache during the release, so that the keys continue to
remain in the committers' control.

-- Advice on PGP key storage from the Apache website --


“It is recommended that you create a PGP key for your apache.org address now
(or add that address to an existing key, if you have one). *DO NOT* create
this key on any machine to which multiple users have access and *DO NOT*,
ever, copy your private key to any other shared machine. Release managers
need to take particular care of keys used to sign releases
<https://www.apache.org/dev/release-signing.html#private-key-protection>.”
(https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys)

“Strictly speaking, releases must be *verified*
<https://svn.apache.org/repos/private/committers/tools/releases/compare_dirs.pl>
on hardware owned and controlled by the committer. That means hardware the
committer has physical possession and control of and exclusively full
administrative/superuser access to. That's because only such hardware is
qualified to hold a PGP private key, and the release should be verified on
the machine the private key lives on or on a machine as trusted as that.”
(https://www.apache.org/legal/release-policy.html#release-signing)

---


Thanks, Naveen

Re: Storing PGP Key for Publishing packages

Posted by Pedro Larroy <pe...@gmail.com>.
Do nightly artifacts need to be signed? For releases, what you wrote and what Apache recommends makes total sense. Thus artifacts from CD can't be signed manually.

Pedro

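Added example (written for this page; it is not the MXNet project's pom and not
Spark's nightly job): a Maven layout in which maven-gpg-plugin is bound only
inside a "release" profile. The default build, which a nightly or weekly
snapshot deploy on a shared CI host would run, never loads the plugin, so no
PGP private key has to exist on that host; a release manager activates the
profile on hardware they control and gpg-agent handles the passphrase. The
coordinates, plugin version, profile id and the snapshot repository id/URL
are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the MXNet project's pom. Coordinates, versions and
     repository ids below are placeholders/assumptions. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-scala-package</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <distributionManagement>
    <!-- Assumed snapshot repository id/URL; CI "mvn deploy" lands here
         with no .asc signatures, because no gpg plugin runs by default. -->
    <snapshotRepository>
      <id>apache.snapshots.https</id>
      <url>https://repository.apache.org/content/repositories/snapshots</url>
    </snapshotRepository>
  </distributionManagement>

  <!-- Default build: maven-gpg-plugin is not configured at all, so a
       nightly/weekly deploy on a shared host never needs a private key. -->

  <profiles>
    <!-- Release profile: activated only by a release manager on their own
         machine, e.g.  mvn -Prelease -Dgpg.keyname=<key-id> deploy  -->
    <profile>
      <id>release</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>1.6</version>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
                <configuration>
                  <!-- Sign with the key chosen on the command line -->
                  <keyname>${gpg.keyname}</keyname>
                  <!-- Let the local gpg-agent prompt for the passphrase
                       rather than storing it in settings.xml or a CI secret -->
                  <useAgent>true</useAgent>
                </configuration>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

With this layout a plain `mvn deploy` from CI publishes unsigned snapshots, and
only `mvn -Prelease ... deploy` run by a committer produces signed artifacts,
so the private key and its passphrase stay on the committer's machine. Whether
unsigned snapshots are acceptable is the open question in the thread; this only
shows how to keep the release key out of CI if they are.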