On 04/05/2016 01:36 PM, Dennis E. Hamilton wrote:
Side question.
-----Original Message-----
From: Carl Marcum [mailto:cmar...@apache.org]
Sent: Tuesday, April 5, 2016 04:07
To: dev@openoffice.apache.org
Subject: [VOTE] Release Groovy UNO Extension 0.1.4
This is for a source release of Groovy UNO Extension 0.1.4 from Apache
OpenOffice
and binaries made available from Maven via Apache Nexus.
Source packages for RC1 are available at:
https://dist.apache.org/repos/dist/dev/openoffice/devtools/
and the reference revision is r1737622.
Binary Maven packages are staged here:
https://repository.apache.org/content/repositories/orgapacheopenoffice-
1019/
I'm signing with a new 4096 bit key I recently added to KEYS.
[orcmid]
I forgot to ask this when you mentioned the new key before.
Carl, is the fingerprint of this new key added to your account information at
id.apache.org?
I see only one entry for cmarcum at <https://people.apache.org/keys/committer/>
and that
ASF ID: cmarcum
LDAP PGP key: 8204 E089 64AC 9ABA 7472 A123 669C FA03 CED4 6810
pub 2048R/CED46810 2011-07-04 Carl Marcum <cmar...@apache.org>
Key fingerprint = 8204 E089 64AC 9ABA 7472 A123 669C FA03 CED4 6810
uid Carl Marcum <carl.mar...@codebuilders.net>
sub 2048R/3175CD6A 2011-07-04
is for your older 2048-bit key. (Note that you can have any number of key
signatures in your account record and you should probably not remove any that
have been used in signing releases or for any other situation where
confirmation is needed that the key is one of yous as an ASF committer.)
The committer keys file is automatically updated from PGP key signatures and
will reflect countersignatures on your key (circle of trust attestations). If
the key is ever revoked for any reason, that will be discoverable there too
unless the fingerprint or apache account are removed. (Of course, you must
publish your new 4069-bit public key to a PGP key server for this to work.)
As far as I know, public keys in release-archive KEYS files are not
automatically synchronized in that manner, although the one associated with
projects is, such as the one at
<https://people.apache.org/keys/group/openoffice.asc>. This should *not* be used as
a release KEYS though. See <https://people.apache.org/keys/> for details.
What is needed in KEYS files for authenticating a release and stored in the
mirror directories is always cumulative, so any signature you have used to sign
a release (candidate) needs to be in the release-associated KEYS file. It is
nice to use the
<https://people.apache.org/keys/committer/>-accessed version of the key in our
KEYS file because that one has the Useful descriptive information as shown for your
2048-bit key, above.
Note that keys that have not been used in signing release candidates do not
need to be in release-associated KEYS files and it is good practice (and an
useful precaution) to keep it that way.
PS: None of this is a release blocker. But you can get the dots connected
before the [VOTE] concludes. I assume there is no further reason to touch the
KEYS file that you have already updated.
- Dennis
Hi Dennis,
Thank you for the reminder.
My new key was uploaded to public servers. ex.
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF1DA7E3B9553BF9A
Before the vote I manually added it to
http://www.apache.org/dist/openoffice/KEYS
I have just now added the new fingerprint to my profile at
https://id.apache.org/
for reference it is:
pub 4096R/9553BF9A 2016-04-02
Key fingerprint = 813A C3C2 48B3 F26F B5D1 EB32 F1DA 7E3B 9553 BF9A
uid Carl Marcum (CODE SIGNING KEY) <cmar...@apache.org>
uid Carl Marcum (CODE SIGNING KEY)
<carl.mar...@codebuilders.net>
sub 4096R/D8524D84 2016-04-02
Is there now something that needs fixed?
Thanks,
Carl
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
