Hi Piotr,

On Mon, Nov 10, 2025 at 8:22 AM Piotr P. Karwasz <[email protected]> wrote:
>
> Hi Gary,
>
> On 2.11.2025 13:11, [email protected] wrote:
> > +pub ed25519 2025-10-27 [SC] > > + F4DD59C90148BDC52BEB90A4530AA5F25C25011F > > +uid [ultimate] Gary Gregory <[email protected]> > > +sig 3 530AA5F25C25011F 2025-11-02 [self-signature] > > +uid [ultimate] Gary D. Gregory <[email protected]> > > +sig 3 530AA5F25C25011F 2025-11-02 [self-signature] > > +uid [ultimate] Gary Gregory <[email protected]> > > +sig 3 530AA5F25C25011F 2025-10-27 [self-signature] > > +sub cv25519 2025-10-27 [E] > > +sig 530AA5F25C25011F 2025-10-27 [self-signature]
> >
> Do we have a formal procedure for key rotations?
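Review bot: every `sig` line in the added entry is a self-signature from 530AA5F25C25011F, on all three uids and on the `cv25519` subkey, so nothing in the block itself ties the new key to a key that readers of the file already trust. Consider adding a certification from an already published key before this entry is relied on for release verification. The `pub` line also shows no expiry date; if that is intentional, a short comment beside the entry saying so would save readers from guessing.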
See https://infra.apache.org/key-transition.html

>
> Since your key is effectively the authoritative one for Commons, I’d
> expect at least the following steps:
>
> - Signing the new key with your old key (86fdc7e2a11262cb),

There is a discussion in the page above "for and against signing the old key with the new". You're suggesting the opposite? I did neither.

> - Uploading the new key to a public keyserver (I couldn’t find it on
> keyserver.ubuntu.com, though all keyservers should sync eventually),

I just sent it to hkps://keyserver.ubuntu.com

> - Possibly documenting the change via an announcement on user@, dev@,
> and the Commons website.
>
> Are there any additional steps we should take?

See https://infra.apache.org/key-transition.html#update-documents

> Since I haven’t signed
> any releases myself (in Logging Services the CI handles that), my
> signature wouldn’t add much value for end users, but perhaps it could
> be signed by other keys used for recent Commons releases.
>
> Is there an established procedure for signing code-signing keys?

See https://infra.apache.org/key-transition.html#wot

There are a lot of pages to read, starting with
https://infra.apache.org/key-transition.html ...

HTH,
Gary

> The
> usual approach (meeting in person to verify fingerprints and check a
> government-issued ID) doesn’t really apply here. After all, the ASF
> relies on social identity within the community rather than state-issued
> identification. However, we could sign your new key and send it to your
> ASF email address as a form of verification.
>
> Piotr
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
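Added example, not part of the thread or of any ASF tooling: a Python check for the first step Piotr lists (the new key certified by the old one), run over `gpg --list-sigs`-style text shaped like the listing quoted above. The key IDs, names and listing are constructed, and the line format is assumed to match the quoted lines.

```python
import re

# "sig", optional short flag tokens (e.g. the "3" in the quoted listing),
# then the 16-hex-digit signer key ID and the signature date.
SIG_RE = re.compile(
    r"^sig\S*\s+(?:[0-9A-Za-z]{1,2}\s+)*([0-9A-Fa-f]{16})\s+\d{4}-\d{2}-\d{2}\b")
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s*)?(.+)$")
FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample: the first uid carries a certification from a second
# key (standing in for the "old" key), the second uid is self-signed only.
SAMPLE = """\
pub   ed25519 2025-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Example Signer <signer@example.invalid>
sig 3        89ABCDEF01234567 2025-01-01  [self-signature]
sig          1111222233334444 2025-01-02  Example Signer (old) <old@example.invalid>
uid           [ultimate] Example Signer <signer@project.invalid>
sig 3        89ABCDEF01234567 2025-01-01  [self-signature]
sub   cv25519 2025-01-01 [E]
sig          89ABCDEF01234567 2025-01-01  [self-signature]
"""


def third_party_signers(listing):
    """Map each uid to the key IDs that certified it, self-signatures excluded."""
    own_id, uid, result = None, None, {}
    for raw in listing.splitlines():
        line = raw.lstrip("+ \t").strip()      # tolerate diff "+" prefixes
        compact = line.replace(" ", "")
        if line.startswith("pub"):
            own_id, uid = None, None           # a new primary key block starts
        elif own_id is None and FPR_RE.match(compact):
            own_id = compact[-16:].upper()     # long key ID = last 16 hex digits
        elif line.startswith("sub"):
            uid = None                         # subkey binding sigs are not certifications
        elif (m := UID_RE.match(line)):
            uid = m.group(1)
            result[uid] = set()
        elif uid is not None and (m := SIG_RE.match(line)):
            signer = m.group(1).upper()
            if signer != own_id:
                result[uid].add(signer)
    return result


def uids_lacking(listing, old_keyid):
    """Return the uids that carry no certification from old_keyid."""
    old = old_keyid.upper()
    return sorted(u for u, s in third_party_signers(listing).items() if old not in s)


if __name__ == "__main__":
    print(uids_lacking(SAMPLE, "1111222233334444"))
```

The parser only reads what the listing claims; whether each signature actually verifies is a separate check that gpg itself has to perform.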
