On Tue, Jun 28, 2011 at 10:20 AM, Christian Grobmeier <grobme...@gmail.com> wrote: >>> we copy a KEYS file into that directory upon succesful VOTE of the release >>> artifacts (which also include the KEYS file). >> >> Perhaps, but the point we're getting at was explicitly stated by Benson, >> "The goal here is to allow and encourage consumers to independently verify >> signatures. That calls for KEYS somewhere else than inside the package." > > I am sorry to ask it again, but why can't the incubator have a policy > to make people use: > https://id.apache.org/ > to store their signing key. > > Then we have them listed for each projects there: > https://people.apache.org/keys/ > > Was it not meant that way?
AIUI this infrastructure is relative new and intended to add defense-in-depth IMHO the IPMC should only document (any volunteers?) a strong recommendation but leave policy in this area to the experts over in infrastructure Robert --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
