Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400:
> I've read this entire thread (whew!), and would actually like to throw out
> a contrary position:
>
> No signed keys.
>
> Consider: releases come from the ASF, not a person.

Therefore, releases should be signed by the ASF as an organisation, not by
individual persons. Right?

> The RM builds the
> release artifacts and checks them into version control along with hash
> "checksums". Other PMC members validate the artifacts for release criteria
> and matching checksums, voting +1 via version control.
>
> All of the above is done via authenticated ASF accounts. The above
> establishes an ASF release.
>
> Please explain how "keys" are needed for this ASF release? Consumers are
> already told to verify the SHA1 and nothing more. I doubt any more is
> needed.
>
> (assume secure Infrastructure)
>
> Cheers,
> -g

Daniel
(infra hat off, devil's advocate hat on)
