On Wed, Mar 15, 2017 at 5:42 PM, Junping Du <j...@hortonworks.com> wrote:
> Hi Eric, > Thanks for your verification work! About your question on RM's key, > we actually mentioned we were using https://dist.apache.org/repos/ > dist/release/hadoop/common/KEYS in our hadoop wiki page: > https://wiki.apache.org/hadoop/HowToRelease. Also, for hadoop user, our > release page (http://hadoop.apache.org/releases.html) points key file > location to the same place. So for developers and users in hadoop > community, I hope this is not confusing too much. > However, from my offline check with Owen, it sounds like > http://home.apache.org/keys/group/hadoop.asc is something tradition for > apache projects and convenient for usage. I already updated related key to > my apache id which should sync to there automatically. We'd better document > it also in our hadoop wiki page. > > I actually asked INFRA about this when I was adding my key, a little more backstory: We used to have a README in dist saying to add your key on id.apache.org, then to export the hadoop group's keys to generate dist's KEYS file. INFRA told me this is a Bad Thing, since the KEYS file should be append only. This way, users can still verify a release even if an RM leaves the hadoop group or changes their key on id.apache.org. So, I deleted the old README instructions. The dist KEYS file is the canonical (and only) place to look for an RM's keys. Based on Junping's examination, it sounds like our docs to reflect this. I'd rather not complicate matters by also discussing the hadoop group's keys. Best, Andrew
