Hi Marvin,
thanks for the feedback. I will push the KEYS on dist.a.o.
Regards
JB
On 06/13/2016 09:08 PM, Marvin Humphrey wrote:
On Mon, Jun 13, 2016 at 11:37 AM, Julian Hyde <jh...@apache.org> wrote:
2. It’s customary (required?) for there to be a KEYS file in
https://dist.apache.org/repos/dist/dev/incubator/beam/
Maybe include it
next release?
The KEYS file is required, by Release Distribution Policy.
http://www.apache.org/dev/release-distribution#sigs-and-sums
Projects MUST publish a "KEYS" file in their distribution directory which
contains all public keys used to sign artifacts.
Signing keys used at Apache MUST be published in the KEYS file and SHOULD be
made available through the global public keyserver network. [...]
Since the KEYS file is not part of the artifacts being voted on, there's no
reason to wait to resolve this issue by committing the keys file to the
following location:
https://dist.apache.org/repos/dist/release/incubator/beam/KEYS
But I imported
https://github.com/apache/incubator-beam/blob/v0.1.0-incubating-RC3/KEYS
easily enough.
Bundling PGP keys inside a package is worse than worthless -- an attacker can
just bundle spoofed keys with a bogus distro! Keys need to be made available
from a highly reliable, separate server: Download the main package from a
mirror, get PGP keys from apache.org, pgp.mit.edu, etc. and verify.
The KEYS file within the Beam source tree should be deleted.
(This doesn't block the release.)
Marvin Humphrey
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
--
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
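The verification procedure Marvin describes (download the artifact from wherever, but take the signing keys from a separate, trusted location and check the detached signature against those), as an added worked example; this is not code from the thread or from the Beam project. The keys, artifact and signatures are all constructed locally so the script runs offline: `make_signer` stands in for the release manager's (and an attacker's) key generation, and the `KEYS` files it writes stand in for https://dist.apache.org/repos/dist/release/incubator/beam/KEYS (trusted) and a KEYS file bundled inside a download (untrusted). Only `gpg` and POSIX sh are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates why the KEYS file must come
# from a trusted location (dist.apache.org) and not from the download itself.
set -e

# make_signer HOME UID: constructed key pair in its own GNUPGHOME; writes HOME/KEYS
# (the armored public key block, same shape as an Apache KEYS file).
make_signer() {
  mkdir -p "$1"; chmod 700 "$1"
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$2" default default never >/dev/null 2>&1
  GNUPGHOME="$1" gpg --batch --quiet --armor --export > "$1/KEYS"
}

# sign_file HOME FILE OUT: detached ASCII-armored signature, as a release manager
# would produce with `gpg --armor --detach-sign`.
sign_file() {
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$3" "$2" 2>/dev/null
}

# verify_release ARTIFACT SIG KEYS: import KEYS into a fresh, empty keyring and
# verify SIG over ARTIFACT against it. Returns 0 only if the signature is valid
# AND was made by a key present in KEYS. Using a throwaway keyring means no key
# already on the machine can satisfy the check by accident.
verify_release() {
  vh=$(mktemp -d); chmod 700 "$vh"
  GNUPGHOME="$vh" gpg --batch --quiet --import "$3" 2>/dev/null
  if GNUPGHOME="$vh" gpg --batch --quiet --verify "$2" "$1" 2>/dev/null; then
    rm -rf "$vh"; return 0
  fi
  rm -rf "$vh"; return 1
}

# --- Constructed scenario -------------------------------------------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ARTIFACT="$WORK/beam-0.1.0.tar.gz"          # stand-in for the release tarball
printf 'constructed release payload\n' > "$ARTIFACT"
TAMPERED="$WORK/beam-0.1.0-tampered.tar.gz" # same name, modified contents
printf 'trojaned payload\n' > "$TAMPERED"

make_signer "$WORK/rm"       "Release Manager <rm@example.invalid>"
make_signer "$WORK/attacker" "Attacker <evil@example.invalid>"
TRUSTED_KEYS="$WORK/rm/KEYS"        # what you fetch from dist.apache.org
BUNDLED_KEYS="$WORK/attacker/KEYS"  # what a bogus distro ships next to itself

GOOD_SIG="$ARTIFACT.asc"; sign_file "$WORK/rm" "$ARTIFACT" "$GOOD_SIG"
BAD_SIG="$WORK/forged.asc"; sign_file "$WORK/attacker" "$ARTIFACT" "$BAD_SIG"

# Genuine artifact, genuine signature, trusted KEYS: accepted.
verify_release "$ARTIFACT" "$GOOD_SIG" "$TRUSTED_KEYS" \
  && echo "genuine release: OK against trusted KEYS"
# Modified artifact with the genuine signature: rejected.
verify_release "$TAMPERED" "$GOOD_SIG" "$TRUSTED_KEYS" \
  || echo "tampered artifact: REJECTED against trusted KEYS"
# Attacker-signed artifact, trusted KEYS: rejected (signing key is unknown).
verify_release "$ARTIFACT" "$BAD_SIG" "$TRUSTED_KEYS" \
  || echo "forged signature: REJECTED against trusted KEYS"
# Same forged signature, but KEYS taken from the download itself: accepted,
# which is exactly why a bundled KEYS file proves nothing.
verify_release "$ARTIFACT" "$BAD_SIG" "$BUNDLED_KEYS" \
  && echo "forged signature: ACCEPTED when KEYS comes from the download"
```

Note that `gpg --verify` still exits 0 for a key it has never certified (it only warns that the key is "not certified with a trusted signature"), so the check above rests entirely on which keys were imported into the fresh keyring. That is the whole argument for fetching KEYS from dist.apache.org or a public keyserver rather than from a mirror or the package: the keyring's contents decide what "verified" means.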