I think we’re confusing two concepts: signing each other’s keys and adding them 
to the KEYS file. 

It is reasonable that we, as a community, extend the web of trust by mutual 
signing. Let’s suppose Wes and I have signed each other’s keys. Someone from 
the Pandas community, who knows Wes, downloads a release of Calcite, signed by 
me. The downloader trusts the release because they trust Wes, and because Wes 
trusts me, they trust me. 

Wes is not explicitly in the Calcite KEYS file, because he has never made a 
Calcite release, but his digital signature is encoded in the long string 
of bytes (the PGP public key block) that make up my key. Wes’s key is also 
available from internet key servers. 

I suggest that as a community, we sign each other’s keys. When one of us 
becomes a release manager for Arrow, we add our key to the KEYS file. (And 
periodically update the KEYS file, because each time someone signs our key, the 
public key block gets a little larger.)

But there’s no point adding your key to the KEYS file if you’re not an RM. 
Upload your key to a key server and it’s there for anyone who wants it. 

Julian

> On Mar 20, 2023, at 2:46 AM, Sutou Kouhei <k...@clear-code.com> wrote:
> 
> Hi,
> 
> Ah, you're right. I forgot it. Committers can add their PGP
> key to
>  https://dist.apache.org/repos/dist/dev/arrow/KEYS (not release)
> but can't add their PGP key to
>  https://dist.apache.org/repos/dist/release/arrow/KEYS
> . Only PMC members can add their PGP key to
>  https://dist.apache.org/repos/dist/release/arrow/KEYS
> .
> 
> A committer can be a release manager (like Raúl for Apache
> Arrow 11.0.0 release) but a PMC member (like me for Apache
> Arrow 11.0.0 release) needs to sign artifacts.
> 
> 
> Ben, sorry. You can't release the Julia implementation for
> now because
> https://github.com/apache/arrow-julia/blob/main/dev/release/release_rc.sh
> requires signing and it's the main task for the Julia
> implementation release. We'll be able to invite you to PMC
> in the near future if you continue to contribute to the Julia
> implementation.
> 
> But we can proceed with the Web of Trust process now in case Ben
> becomes a PMC member. Could any PMC member help with this?
> 
> 
> Thanks,
> -- 
> kou
> 
> In <d040580e-6868-41ad-b3cc-e8de35b38...@googlemail.com>
>  "Re: Apache Arrow PGP Key" on Mon, 20 Mar 2023 09:05:04 +0000,
>  Raphael Taylor-Davies <r.taylordav...@googlemail.com.INVALID> wrote:
> 
>> Hi,
>> 
>> I could be mistaken, but I was under the impression the KEYS file only 
>> contained GPG keys of PMC members.
>> 
>> Kind Regards,
>> 
>> Raphael
>> 
>>> On 20 March 2023 02:21:02 GMT, Sutou Kouhei <k...@clear-code.com> wrote:
>>> Hi,
>>> 
>>> Could any PMC member help with this?
>>> 
>>> Thanks,
>>> -- 
>>> kou
>>> 
>>> In <calm9rpty850sn8k79y7bbjcsk-ugchnageqfk0nmk2metl8...@mail.gmail.com>
>>> "Apache Arrow PGP Key" on Tue, 14 Mar 2023 21:56:44 -0400,
>>> Ben Baumgold <b...@baumgold.com> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I recently became an Apache Arrow Committer. As part of this, I would like
>>>> to add my PGP key to the Apache Arrow release KEYS file
>>>> <https://dist.apache.org/repos/dist/release/arrow/KEYS>. My understanding
>>>> is that I need someone to add me to The Web of Trust (link
>>>> <https://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html>).
>>>> Are you able to help me with this?
>>>> 
>>>> Thanks,
>>>> Ben Baumgold

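Julian's message above draws a line between two things a downloader can check: whether the release manager's key is actually in the release KEYS file, and who has signed that key (the signatures that travel inside the public key block, even when the signer, like Wes in his example, has no KEYS entry of their own). The following parser is an added example written for this thread; it is not code from the Apache Arrow project or from any of the posters. It reads the Apache KEYS file layout (`gpg --list-sigs` output followed by the armored `gpg --armor --export` block for each key) and answers those two questions. `SAMPLE_KEYS`, the names, the fingerprints and the armored block are all constructed for the example; the real verification step is still `gpg --import KEYS` followed by `gpg --verify` on the release artifact.

```python
"""Parse an Apache-style KEYS file and report (1) whether a given key is
present and (2) which other keys have signed it.

Format assumed (as in Apache KEYS files): each entry is `gpg --list-sigs`
output, then one armored public key block. SAMPLE_KEYS is constructed for
this example; the fingerprints, people and the armored block are not real.
"""
import re
from dataclasses import dataclass, field

SAMPLE_KEYS = """\
This file contains the PGP keys of various developers (constructed sample).
Users: gpg --import KEYS

pub   rsa4096 2017-06-10 [SC]
      0123456789ABCDEF01234567AAAAAAAAAAAAAAAA
uid           [ultimate] Alice Example (release manager) <alice@example.com>
sig 3        AAAAAAAAAAAAAAAA 2017-06-10  Alice Example (release manager) <alice@example.com>
sig          BBBBBBBBBBBBBBBB 2018-02-01  Bob Example <bob@example.com>
sig          CCCCCCCCCCCCCCCC 2019-03-15  Carol Example <carol@example.com>
sub   rsa4096 2017-06-10 [E]
sig          AAAAAAAAAAAAAAAA 2017-06-10  Alice Example (release manager) <alice@example.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBCONSTRUCTEDNOTAREALKEY=
-----END PGP PUBLIC KEY BLOCK-----

pub   rsa4096 2018-01-20 [SC]
      FEDCBA9876543210FEDCBA98BBBBBBBBBBBBBBBB
uid           [ full ] Bob Example <bob@example.com>
sig 3        BBBBBBBBBBBBBBBB 2018-01-20  Bob Example <bob@example.com>
sig          AAAAAAAAAAAAAAAA 2018-02-01  Alice Example (release manager) <alice@example.com>
sub   rsa4096 2018-01-20 [E]
sig          BBBBBBBBBBBBBBBB 2018-01-20  Bob Example <bob@example.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBCONSTRUCTEDNOTAREALKEY=
-----END PGP PUBLIC KEY BLOCK-----
"""

PUB_RE = re.compile(r"^pub\s")
OLD_PUB_ID_RE = re.compile(r"^pub\s+\S+?/([0-9A-Fa-f]{8,16})\b")   # older "pub 4096R/KEYID" style
FPR_RE = re.compile(r"^\s+([0-9A-Fa-f]{40})\s*$")                   # fingerprint line under pub
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(\S.*?)\s*$")         # optional "[ultimate]" validity tag
SIG_RE = re.compile(r"^sig\b.*?\b([0-9A-Fa-f]{16})\s+\d{4}-\d{2}-\d{2}\s+(.*?)\s*$")
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


@dataclass
class KeyEntry:
    fingerprint: str = ""                              # 40 hex chars, upper-case, when present
    key_id: str = ""                                   # long (16) or old short (8) key ID
    uids: list = field(default_factory=list)
    signatures: dict = field(default_factory=dict)     # signer key ID -> signer name, as listed
    armor: list = field(default_factory=list)          # the armored block, line by line


def parse_keys(text: str) -> list:
    entries, cur, in_armor, in_sub = [], None, False, False
    for line in text.splitlines():
        if in_armor:                                   # copy the armored block verbatim
            cur.armor.append(line)
            if line.strip() == END:
                in_armor = False
            continue
        if PUB_RE.match(line):                         # a new key starts at each "pub" line
            cur, in_sub = KeyEntry(), False
            entries.append(cur)
            m = OLD_PUB_ID_RE.match(line)
            if m:
                cur.key_id = m.group(1).upper()
            continue
        if cur is None:                                # header text before the first key
            continue
        if line.strip() == BEGIN:
            in_armor = True
            cur.armor.append(line)
            continue
        if line.startswith("sub"):                     # subkey binding sigs are self-sigs; skip them
            in_sub = True
            continue
        m = FPR_RE.match(line)
        if m and not cur.fingerprint and not in_sub:
            cur.fingerprint = m.group(1).upper()
            cur.key_id = cur.fingerprint[-16:]         # long key ID = last 16 hex of fingerprint
            continue
        m = UID_RE.match(line)
        if m:
            cur.uids.append(m.group(1))
            continue
        m = SIG_RE.match(line)
        if m and not in_sub:
            cur.signatures[m.group(1).upper()] = m.group(2)
    return entries


def find_key(entries: list, needle: str):
    """Look up a KEYS entry by full fingerprint or by long/short key ID (spaces ignored)."""
    n = re.sub(r"\s+", "", needle).upper()
    if not n:
        return None
    for e in entries:
        if e.fingerprint.endswith(n) or (e.key_id and e.key_id.endswith(n)):
            return e
    return None


def third_party_signers(entry: KeyEntry) -> dict:
    """Signatures on the key other than its own self-signatures."""
    return {kid: name for kid, name in entry.signatures.items()
            if not entry.fingerprint.endswith(kid) and kid[-len(entry.key_id):] != entry.key_id}


def signers_not_in_keys(entries: list) -> dict:
    """Signers that vouch for a KEYS entry but have no entry themselves (Julian's 'Wes' case)."""
    present = {e.key_id for e in entries if e.key_id}
    missing = {}
    for e in entries:
        for kid, name in third_party_signers(e).items():
            if not any(p.endswith(kid[-len(p):]) for p in present):
                missing[kid] = name
    return missing


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEYS)
    rm = find_key(keys, "0123 4567 89AB CDEF 0123 4567 AAAA AAAA AAAA AAAA")
    print("release manager key in KEYS:", rm is not None, rm.uids if rm else "")
    print("third-party signers of that key:", third_party_signers(rm))
    print("signers with no KEYS entry of their own:", signers_not_in_keys(keys))
```

In the constructed sample, Carol plays the role Wes plays in Julian's example: her signature on Alice's key is visible from Alice's entry alone, and `signers_not_in_keys` surfaces it, so a downloader knows which extra key to fetch from a key server before `gpg` can show a trust path. Short key IDs are matched by suffix only for the older `pub 4096R/KEYID` layout; prefer the full fingerprint when you can.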