At 03:37 PM 10/7/2004, hammett wrote:
>From: "William A. Rowe, Jr." <[EMAIL PROTECTED]>
>
>> There is one interesting consideration... do we want two separate
>> keys, one dev key (the one in there now) used by anyone who builds
>> this package themselves (unless, if they would like they can create
>> their own) ... and the other used for official binary release (and
>> held by the release manager alone)?
>
>This is a pain, but seems like one viable strategy. A better strategy
>would be to have the key on the SVN but not publicly available.

When we deal in pgp key files, we countersign one another's keys but maintain strict possession of our own. I'm thinking that if we have, instead of a KEYS file, another master file containing the keys of all release managers. Anyone can use the public key for their own -dev builds, or stuff in their own, but either way the mod_aspdotnet must match to the Apache.Web sk file. The big pain would be if a user tried to build -only- mod_aspdotnet or Apache.Web themselves. At that point they would be out-of-sync. Of course, with a bit of documentation in README this problem could be dispensed with right away.