On 4 September 2013 02:31, Tim Williams <william...@gmail.com> wrote:
> I notice that Chris just pointed[1] spark to the nifty keys
> listing[1].  Our docs still imply manual maintenance of the typical
> KEYS file[2].  Honestly, I didn't even know the ldap-driven one was
> around.  I assume its fair for projects to just point to the
> p.a.o/keys/groups/${project}.asc file nowadays vs. copying that over
> periodically to KEYS?

The KEYS file has historically been manually maintained.
As new keys are used for signing releases, they are added to the file.
However, entries should not be deleted if they have ever been used to
sign a release; otherwise it may not be possible to check the sigs of
archived artifacts.

LDAP does not have all historic keys, or even all historic RMs.

So replacing the KEYS file with a copy from LDAP may lose keys needed
for validating archived files.

Directing users to the p.a.o/keys/groups/${project}.asc files should
work for current releases.
But even that has a problem: if the RM leaves a project whilst the
release is still current, the project.asc file will no longer contain
the RM's key.

The problem is even worse for older releases.
People may create new keys and drop old ones which have been used for signing.
People leave a project or the ASF and the LDAP entry is changed.

I don't think the LDAP keys are really suitable for use as a KEYS file
at present.

> Thanks,
> --tim
>
>
> [1] - http://people.apache.org/keys/group/spark.asc
> [2] - http://incubator.apache.org/guides/releasemanagement.html#distribution-signing
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>

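As an added illustration of the retention point made in the reply above (example code, not from this thread or from any ASF tooling): a small Python script that compares an existing KEYS file against an LDAP-driven group export, reports the key IDs that would disappear if KEYS were simply replaced by the export, and builds the append-only merge instead. The KEYS contents, names and key IDs are constructed samples; matching on the short ID from the `pub` line is a simplification, and a real check should compare full fingerprints.

```python
import re

# Constructed sample in the layout Apache KEYS files use: a gpg listing header
# followed by the armored key. Armor bodies are placeholders, not real keys.
OLD_KEYS = """\
pub   4096R/AAAAAAAA 2011-03-02
uid                  Alice (former RM) <alice@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
<placeholder armor for AAAAAAAA>
-----END PGP PUBLIC KEY BLOCK-----
pub   4096R/BBBBBBBB 2013-05-10
uid                  Bob (current RM) <bob@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
<placeholder armor for BBBBBBBB>
-----END PGP PUBLIC KEY BLOCK-----
"""

# Constructed stand-in for the LDAP-driven p.a.o/keys/group/<project>.asc file:
# Alice has left the project, so her key is no longer exported; Carol joined.
LDAP_KEYS = """\
pub   4096R/BBBBBBBB 2013-05-10
uid                  Bob (current RM) <bob@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
<placeholder armor for BBBBBBBB>
-----END PGP PUBLIC KEY BLOCK-----
pub   2048R/CCCCCCCC 2013-08-01
uid                  Carol (new RM) <carol@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
<placeholder armor for CCCCCCCC>
-----END PGP PUBLIC KEY BLOCK-----
"""

# One entry: the 'pub' line through the end of its armored block.
ENTRY = re.compile(r"(pub\s+\S+/(?P<keyid>[0-9A-Fa-f]{8,40}).*?-----END PGP PUBLIC KEY BLOCK-----)", re.S)

def parse_keys(text):
    """Map each key ID on a 'pub' line to its full entry (header + armor)."""
    return {m.group("keyid").upper(): m.group(1) for m in ENTRY.finditer(text)}

def keys_lost(old_text, new_text):
    """Key IDs in the existing KEYS file that the LDAP export no longer carries."""
    return sorted(set(parse_keys(old_text)) - set(parse_keys(new_text)))

def merge_keys(old_text, new_text):
    """Append-only refresh: keep every historic entry, add entries new in LDAP."""
    merged = parse_keys(old_text)
    for keyid, entry in parse_keys(new_text).items():
        merged.setdefault(keyid, entry)
    return "\n".join(merged.values()) + "\n"
```

Running `keys_lost(OLD_KEYS, LDAP_KEYS)` flags Alice's key as the one a straight replacement would drop, while `merge_keys` keeps it alongside Carol's new entry.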