KEYS is a file for all existing public keys. Not for a specific individual. Are you misunderstanding this?
Sheng Wu 吴晟
Twitter, wusheng1108

On Wed, Dec 20, 2023 at 15:31, LinkinStar <linkins...@apache.org> wrote:
>
> Hi Xuanwo,
>
> Thank you very much for your suggestions. I'm very sorry, perhaps my understanding of the release signature is a little misguided. This is because we feel that there can only be one download address for KEYS, e.g. https://dist.apache.org/repos/dist/release/incubator/answer/KEYS. If there can only be one public key, then there can only be one private key. So we previously felt that all published content can always have only one private key to sign. That's why we use this mode. Because we would think that if a different person were to sign it, then the public key would change and the previous release would not be verified. For example, the A RM signed the released version 1.0.0. The B RM signed the released version 1.1.0. If B replaces the public key https://dist.apache.org/repos/dist/release/incubator/answer/KEYS, then version 1.0.0 will fail to verify it if you use the same public key.
>
> Best regards,
> LinkinStar
>
> On Wed, Dec 20, 2023 at 3:06 PM Xuanwo <xua...@apache.org> wrote:
> >
> > > Regarding the signature issue you mentioned, only release manager and joyqi know the secret GPG keys. This is to ensure that no matter what the problem is, there is someone available to help resolve issues that arise in the release.
> >
> > I feel like it's better to use different gpg keys that owned by RM themselves.
> >
> > As the community expands, we'll welcome new PPMC members and Release Managers (RMs) from outside your company. Regarding security, it's risky for RMs to share GPG keys. In terms of community independence, the release process should not be overly reliant on joyqi. Should joyqi be unavailable or preoccupied, can the release process continue without interruption?
> >
> > On Wed, Dec 20, 2023, at 14:57, LinkinStar wrote:
> > > Hi Xuanwo,
> > >
> > > Firstly, these files in the vaunt folder are reward badges for user contributions. For now, we are using it.
> > > Regarding the signature issue you mentioned, only release manager and joyqi know the secret GPG keys. This is to ensure that no matter what the problem is, there is someone available to help resolve issues that arise in the release.
> > >
> > > Best regards,
> > > LinkinStar
> > >
> > > On Wed, Dec 20, 2023 at 2:41 PM Xuanwo <xua...@apache.org> wrote:
> > > > Hi,
> > > >
> > > > I found those images are included in source tarball:
> > > >
> > > > - .vaunt/bug.png
> > > > - .vaunt/enhancement.png
> > > >
> > > > Are they needed by users? Is it possible to remove them from the src release?
> > > >
> > > > Regarding PGP signatures, I'm confident that all are valid. But I found that those tarball are signed by jo...@apache.org which is not the release manager.
> > > >
> > > > Are you internally sharing jo...@apache.org's secret GPG keys? Or have you signed those tarballs through CI with the key stored as GitHub secrets?
> > > >
> > > > On Wed, Dec 20, 2023, at 14:25, LinkinStar wrote:
> > > > > Hello,
> > > > >
> > > > > This is a call for vote to release Apache Answer(Incubating) version v1.2.1-RC1.
> > > > >
> > > > > The vote thread:
> > > > > https://lists.apache.org/thread/w9ybd1rygd4x9o9ryx3k2ho3n49664p6
> > > > >
> > > > > Vote Result:
> > > > > https://lists.apache.org/thread/7h9rmwn7fbrn7dhk1620lzj43063r7vj
> > > > >
> > > > > The release candidates:
> > > > > https://dist.apache.org/repos/dist/dev/incubator/answer/1.2.1-incubating-RC1/
> > > > >
> > > > > Release notes:
> > > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> > > > >
> > > > > Git tag for the release:
> > > > > https://github.com/apache/incubator-answer/releases/tag/v1.2.1-RC1
> > > > >
> > > > > Git commit id for the release:
> > > > > https://github.com/apache/incubator-answer/commit/82fdfc77636d8d1ce28710d929a8c22bb52834ef
> > > > >
> > > > > Keys to verify the Release Candidate:
> > > > > https://dist.apache.org/repos/dist/release/incubator/answer/KEYS
> > > > >
> > > > > The vote will be open for at least 72 hours or until the necessary number of votes are reached.
> > > > >
> > > > > Please vote accordingly:
> > > > >
> > > > > [ ] +1 approve
> > > > > [ ] +0 no opinion
> > > > > [ ] -1 disapprove with the reason
> > > > >
> > > > > Checklist for reference:
> > > > >
> > > > > [ ] Download links are valid.
> > > > > [ ] Checksums and PGP signatures are valid.
> > > > > [ ] Source code distributions have correct names matching the current release.
> > > > > [ ] LICENSE and NOTICE files are correct for each Answer repo.
> > > > > [ ] All files have license headers if necessary.
> > > > > [ ] No unlicensed compiled archives bundled in source archive.
> > > > >
> > > > > To compile from the source, please refer to:
> > > > > https://github.com/apache/incubator-answer#building-from-source
> > > > >
> > > > > Thanks,
> > > > > LinkinStar
> > > >
> > > > --
> > > > Xuanwo
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > > > For additional commands, e-mail: general-h...@incubator.apache.org
> >
> > --
> > Xuanwo
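The point Sheng Wu makes above (KEYS is one file that accumulates every RM's public key, so RM B appends to it rather than replacing A's key), as an added example that is not code from this thread or from the Apache Answer project: two release managers each sign with their own key, a downloader verifies both releases from the single KEYS file and checks the sha512 as in the vote checklist, and a KEYS file that only carries A's key is shown to reject B's release. Assumes gpg 2.1+ and sha512sum are installed; the user ids, file names and tarball contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two release managers (A and B) each hold
# their OWN secret key, both public keys are appended to one KEYS file, and a
# downloader verifies both releases from that single file. Assumes gpg 2.1+
# and sha512sum are installed; identities, file names and contents are constructed.
set -eu

# Non-interactive gpg in a given GNUPGHOME with an empty passphrase.
g() { h=$1; shift; GNUPGHOME="$h" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

make_rm() {            # $1=RM's private keyring dir  $2=user id
  mkdir -p "$1" && chmod 700 "$1"
  g "$1" --quick-generate-key "$2" ed25519 sign never
}

sign_release() {       # $1=RM home  $2=user id  $3=tarball: writes .asc and .sha512
  g "$1" --local-user "$2" --armor --detach-sign --output "$3.asc" "$3"
  ( cd "$(dirname "$3")" && sha512sum "$(basename "$3")" > "$(basename "$3").sha512" )
}

# Downloader side: import KEYS, check the sha512, check the detached signature.
# Returns 0 only when both checks pass.
verify_release() {     # $1=fresh verifier home  $2=KEYS  $3=tarball
  mkdir -p "$1" && chmod 700 "$1"
  g "$1" --import "$2" 2>/dev/null
  ( cd "$(dirname "$3")" && sha512sum -c "$(basename "$3").sha512" >/dev/null ) &&
    g "$1" --verify "$3.asc" "$3" 2>/dev/null
}

# Returns 0 when both RMs' releases verify from one KEYS file and a KEYS file
# lacking B's key is (correctly) unable to verify B's release.
demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, demo skipped"; return 0; }
  w=$(mktemp -d); trap 'rm -rf "$w"' EXIT
  A="A RM <a-rm@example.invalid>"; B="B RM <b-rm@example.invalid>"
  make_rm "$w/rm-a" "$A"; make_rm "$w/rm-b" "$B"
  echo "constructed 1.0.0 source" > "$w/answer-1.0.0-src.tar.gz"
  echo "constructed 1.1.0 source" > "$w/answer-1.1.0-src.tar.gz"
  sign_release "$w/rm-a" "$A" "$w/answer-1.0.0-src.tar.gz"   # A signs 1.0.0
  sign_release "$w/rm-b" "$B" "$w/answer-1.1.0-src.tar.gz"   # B signs 1.1.0
  # KEYS accumulates every RM's public key; B appends, never replaces A's key.
  g "$w/rm-a" --armor --export "$A" > "$w/KEYS"
  g "$w/rm-b" --armor --export "$B" >> "$w/KEYS"
  verify_release "$w/v1" "$w/KEYS" "$w/answer-1.0.0-src.tar.gz" || return 1
  verify_release "$w/v1" "$w/KEYS" "$w/answer-1.1.0-src.tar.gz" || return 1
  g "$w/rm-a" --armor --export "$A" > "$w/KEYS-a-only"      # what replacing would leave
  if verify_release "$w/v2" "$w/KEYS-a-only" "$w/answer-1.1.0-src.tar.gz"; then return 1; fi
  echo "both releases verify from one KEYS; a KEYS without B's key rejects 1.1.0"
}
```

Run `demo` to execute the whole flow; the real-world equivalent is `gpg --import KEYS` once, followed by `gpg --verify` and `sha512sum -c` on each downloaded artifact.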