Actually we shouldn't have a "dev" KEYS file. It is confusing. I suggest dropping it.
When a new committer wants to cut a release they can ask for help to the PMC to add their KEY to the "release" KEYS Enrico Il giorno ven 17 feb 2023 alle ore 09:21 Yunze Xu <y...@streamnative.io.invalid> ha scritto: > > Oh that's right. Then we have to update one of them. > > Thanks, > Yunze > > On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <z...@apache.org> wrote: > > > > Hi, Yunze > > > > I think the KEYS file in the release repo is necessary. They are both > > used to verify the release file. Otherwise, the user will fail when > > checking the GPG signature on the release file. > > > > BR, > > Zike Yang > > > > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <y...@streamnative.io.invalid> > > wrote: > > > > > > Hi all, > > > > > > I found the GPG keys, which are used in verifying the signatures of > > > release candidates, are much different in dev and release > > > repositories: > > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS > > > > > > From here [1], it seems like we need to append the GPG key of a > > > committer into the release repo as well. But it seems that the KEYS > > > file in the release repo is never used. Should we make them > > > consistent? Or just remove the KEYS file in release repo? > > > > > > [1] > > > https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files
