[
https://issues.apache.org/jira/browse/CASSANDRA-12239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15431653#comment-15431653
]
Mark Thomas commented on CASSANDRA-12239:
-----------------------------------------
With my Infra and Security team hats on, best practice is individual keys.
Shared keys are too insecure.
For specific cases (JAR signing, signing Windows binaries and signing stuff for
the Apple Store) that need keys that end-users will inherently trust (because
their OS trusts the relevant CAs) Infra provides access to a code signing
service but for normal releases (99+% of all ASF releases) OpenPGP signatures
from a committer's key are sufficient.
> Add mshuler's key FE4B2BDA to dist/cassandra/KEYS
> -------------------------------------------------
>
> Key: CASSANDRA-12239
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12239
> Project: Cassandra
> Issue Type: Task
> Components: Packaging
> Reporter: Michael Shuler
> Assignee: Michael Shuler
> Priority: Blocker
> Fix For: 3.8
>
> Attachments: KEYS+mshuler.diff.txt
>
>
> I've started working on packaging with the 3.8 release and signed the staging
> artifacts with FE4B2BDA. This key will need to be added for the debian
> repository signature to function correctly, if it's released as-is, or
> perhaps [~tjake] will need to re-sign the release. Users will need to also
> fetch this new key and add to {{apt-key}}.
> {{KEYS}} patch attached.
> Assigned to myself, but I am not sure exactly where {{KEYS}} lives - in svn
> somewhere or a direct upload? :)
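A small checker for the KEYS file the ticket talks about, added here as an example (it is not code from the ticket or from the Cassandra project). It assumes the usual ASF layout: a `pub` line giving the key id, followed by that key's ASCII-armored block. The sample KEYS text below is constructed, not a real key.

```python
"""Parse an ASF-style KEYS file and confirm a release-signing key is listed.

Assumption: each entry is a `gpg --list-keys` style header (`pub ...`)
followed by one armored public key block. Entries with a missing or
truncated armored block are rejected rather than trusted.
"""
import re

PUB_RE = re.compile(r"^pub\s+\S+/(?:0x)?([0-9A-Fa-f]{8,40})\b", re.M)
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

# Constructed sample: one complete entry, one with truncated armor.
SAMPLE_KEYS = """\
pub   4096R/FE4B2BDA 2010-11-30
uid                  Michael Shuler <mshuler@apache.org>
sub   4096R/12345678 2010-11-30
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBEzzzzzzCONSTRUCTEDPLACEHOLDERzzzz
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
pub   2048R/DEADBEEF 2011-01-01
uid                  Truncated Entry <nobody@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFtruncated
"""


def parse_keys(text):
    """Return {short_key_id: armored_block} for every well-formed entry."""
    entries = {}
    for m in PUB_RE.finditer(text):
        # Limit this entry to the text before the next `pub` header so a
        # truncated block cannot borrow the END marker of the following key.
        nxt = PUB_RE.search(text, m.end())
        chunk = text[m.end():nxt.start() if nxt else len(text)]
        start, end = chunk.find(BEGIN), chunk.find(END)
        if start == -1 or end == -1 or end < start:
            continue  # no usable armored block: do not list this key
        key_id = m.group(1).upper()[-8:]  # normalise to the short key id
        entries[key_id] = chunk[start:end + len(END)]
    return entries


def key_listed(text, wanted):
    """True if `wanted` (short id or fingerprint) has a complete entry."""
    return wanted.upper()[-8:] in parse_keys(text)
```

Run it against the real KEYS file before importing it into a keyring: a signature from a key that fails this check should be treated as unverifiable, not as merely unlisted.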
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)