>> we copy a KEYS file into that directory upon successful VOTE of the release
>> artifacts (which also include the KEYS file).
>
> Perhaps, but the point we're getting at was explicitly stated by Benson,
> "The goal here is to allow and encourage consumers to independently verify
> signatures. That calls for KEYS somewhere else than inside the package."

I am sorry to ask it again, but why can't the incubator have a policy to make people use: https://id.apache.org/ to store their signing key? Then we have them listed for each project there: https://people.apache.org/keys/

Was it not meant that way?

Cheers
Christian