[
https://issues.apache.org/jira/browse/CASSANDRA-12239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385574#comment-15385574
]
Sylvain Lebresne commented on CASSANDRA-12239:
----------------------------------------------
While we're talking about that, I've always felt like it was weird to sign
the packages with personal keys, since people doing releases change and that
means users have to regularly add new keys, and I wonder how "safe" that ends
up being.

I wonder how feasible it would be to create one key for Cassandra that any
committer could use and that wouldn't change all the time? Probably would have
to check with INFRA for how other projects do it, assuming anyone else does
debian packages.

I'm also not entirely sure why we use that {{KEYS}} file which as far as I can
tell is mostly a list of debian devs (except for us that is).
> Add mshuler's key FE4B2BDA to dist/cassandra/KEYS
> -------------------------------------------------
>
> Key: CASSANDRA-12239
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12239
> Project: Cassandra
> Issue Type: Task
> Components: Packaging
> Reporter: Michael Shuler
> Assignee: Michael Shuler
> Fix For: 3.x
>
> Attachments: KEYS+mshuler.diff.txt
>
>
> I've started working on packaging with the 3.8 release and signed the staging
> artifacts with FE4B2BDA. This key will need to be added for the debian
> repository signature to function correctly, if it's released as-is, or
> perhaps [~tjake] will need to re-sign the release. Users will need to also
> fetch this new key and add to {{apt-key}}.
> {{KEYS}} patch attached.
> Assigned to myself, but I am not sure exactly where {{KEYS}} lives - in svn
> somewhere or a direct upload? :)