Oh that's right. Then we have to update one of them. Thanks, Yunze
On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <z...@apache.org> wrote: > > Hi, Yunze > > I think the KEYS file in the release repo is necessary. They are both > used to verify the release file. Otherwise, the user will fail when > checking the GPG signature on the release file. > > BR, > Zike Yang > > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <y...@streamnative.io.invalid> wrote: > > > > Hi all, > > > > I found the GPG keys, which are used in verifying the signatures of > > release candidates, are much different in dev and release > > repositories: > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS > > https://dist.apache.org/repos/dist/release/pulsar/KEYS > > > > From here [1], it seems like we need to append the GPG key of a > > committer into the release repo as well. But it seems that the KEYS > > file in the release repo is never used. Should we make them > > consistent? Or just remove the KEYS file in release repo? > > > > [1] > > https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files
