Four suggestions:

 1. Add a UID having your Apache ID, randgalt@ apache.org, in that PGP 
public-key certificate.  You can indicate that it is your preference for code 
signing, if you desire.

 2. Log into your randgalt@ a.o profile at <https://id.apache.org/> and provide 
the fingerprint of your key as part of your profile.  This will accomplish two 
things: (1) It establishes that the fingerprint was provided by someone having 
the ASF credentials for randgalt@ a.o; (2) it causes the public key to be added 
to a secure location as file 
<https://people.apache.org/keys/committer/randgalt.asc>.  That file is 
regularly synchronized with PGP key services and confirms that it is the key 
provided by randgalt@ in step (1) and also reflects (web-of-trust) 
certifications of that key by others as well as any revocation if that becomes 
necessary.

 3. BONUS RECOMMENDATION.  Do not put a copy of the public key in the 
repository.  Instead, put a link to 
<https://people.apache.org/keys/committer/randgalt.asc> there, if desired.  If 
it is in a file called KEYS, update the instructions to refer to the locations 
in the committer keys folder.  (If there will be many release managers and 
signers in the future, you can instead instruct users to obtain all Curator 
committer keys from <https://people.apache.org/keys/group/curator.asc> once 
Curator becomes an ASF top-level project.)

 4. GRAND PRIZE RECOMMENDATION.  For all external signatures that you create, 
add to the ascii-armored signature text (outside of the armor) a link to 
<https://people.apache.org/keys/committer/randgalt.asc>.

The idea is to use access to your Apache profile as an additional factor beyond 
your self-signing of the certificate and any web-of-trust certifications of 
your certificate.  It also lets those non-ASF folk who desire to verify 
signatures know whose signature the verification is expected to confirm and 
that the signer is an ASF committer.

 - Dennis
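
Added example, not part of the original message or of any ASF tooling: recommendation 4 places the key link outside the armor, where the signature does not cover it, so a verifier should treat the link as a pointer and accept it only when it matches the pinned key location. The function names, the allowed ID character pattern and the sample signature file below are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Pinned key location taken from the message; hints pointing elsewhere are ignored.
# The ID character set in TRUSTED_PATH is an assumption.
TRUSTED_HOST = "people.apache.org"
TRUSTED_PATH = re.compile(r"^/keys/(committer|group)/[a-z0-9_-]+\.asc$")
BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"

# Constructed sample: the armor body is a placeholder, not a real signature.
SAMPLE = """\
Signer key: <https://people.apache.org/keys/committer/randgalt.asc>
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERnotARealSignature0000
=0000
-----END PGP SIGNATURE-----
"""

def split_signature_file(text):
    """Return (armor_block, non-empty lines found outside the armor)."""
    lines = [l.rstrip() for l in text.splitlines()]
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start)
    except ValueError:
        raise ValueError("no complete PGP SIGNATURE armor block") from None
    armor = "\n".join(lines[start:end + 1]) + "\n"
    outside = [l.strip() for l in lines[:start] + lines[end + 1:] if l.strip()]
    return armor, outside

def key_hint(outside_lines):
    """Return the first URL that lies under the pinned key location, else None.

    Text outside the armor is not covered by the signature, so the URL is an
    unauthenticated pointer; it is used only when it matches the pinned host,
    scheme and path exactly."""
    for line in outside_lines:
        for url in re.findall(r"https?://[^\s<>]+", line):
            try:
                parts = urlsplit(url)
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if (parts.scheme == "https" and parts.netloc == TRUSTED_HOST
                    and TRUSTED_PATH.match(parts.path)
                    and not parts.query and not parts.fragment):
                return url
    return None
```

The returned armor block is what would be handed to the OpenPGP verifier, together with the key fetched from the accepted URL.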

 
-----Original Message-----
From: Jordan Zimmerman [mailto:jor...@jordanzimmerman.com] 
Sent: Wednesday, May 01, 2013 13:39
To: general@incubator.apache.org
Subject: Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)

That was (yet another) misunderstanding on my part. The KEYS are now in the 
standard (?) location:

http://www.apache.org/dist/incubator/curator/KEYS

On May 1, 2013, at 1:32 PM, Marvin Humphrey <mar...@rectangular.com> wrote:

> On Wed, May 1, 2013 at 1:07 PM, David Nalley <da...@gnsa.us> wrote:
>> While we are at it, a link to your project's KEYS file would be
>> helpful as well.
> 
> Just unzip the archive. ;)
> 
> Curator folks, please find another way to distribute the KEYS file.
> Distributing it embedded in the source archive is worthless at best.
> 
> Marvin Humphrey
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
> 


