And when should it get updated?
Currently our KEYS file (that contains the public keys of those that can sign released binary artifacts) only contains a few of the PMC. My understanding is that we've avoided updating it because it causes headaches for operators in having to validate the authenticity of a new key that's signed a binary when upgrading.

If this is accurate, how prevalent is this problem actually for operators? Do some operators download the KEYS fresh from apache.org every release? Are the keys of our PMCs already in the existing web of trust?

I'm not knowledgeable on the precedence here for operators, and curious what the community's stance is (and why)… And whether the time is right to add all/more of our PMC to the file? And whether we should always add new PMC to the file (if they're already in the web of trust?)?

cheers,
Mick

https://www.apache.org/info/verification.html#Validating
https://www.apache.org/dyn/closer.cgi#verify
https://dist.apache.org/repos/dist/release/cassandra/KEYS
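The operator-side question behind this thread is "is the key that signed this release actually in the KEYS file I trust?" The following is an added illustration, not Apache or Cassandra code and not from the original message: it parses the ASCII-armored public key blocks of a KEYS file directly, computes each primary key's OpenPGP v4 fingerprint per RFC 4880, and answers that membership question for a fingerprint or long key id reported by `gpg --verify`. The KEYS content it runs on is constructed inline from synthetic (well-formed but unusable) key packets; the names `rm@example.invalid`, `pmc2@example.invalid` and all helper functions are assumptions of this example. It deliberately does not replace `gpg --verify`: the signature check itself still needs gpg and a keyring imported from KEYS.

```python
"""Which keys does a KEYS file actually carry, and is the key that signed a
release among them?  Added illustration for this thread, not Apache/Cassandra
code; the signature itself is still checked with `gpg --verify`."""
import base64
import hashlib
import re
import struct

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)"
                      r"-----END PGP PUBLIC KEY BLOCK-----", re.S)


def armored_payloads(keys_text):
    """Yield the decoded binary of each armored public key block in KEYS."""
    for m in ARMOR_RE.finditer(keys_text):
        hdr, sep, data = m.group(1).partition("\n\n")    # armor headers end at a blank line
        lines = (data if sep else hdr).splitlines()
        # A line starting with '=' is the CRC24 trailer; it is not validated here.
        yield base64.b64decode("".join(l.strip() for l in lines if not l.startswith("=")))


def packets(data):
    """Split OpenPGP binary data into (tag, body) pairs (RFC 4880 section 4.2)."""
    out, i = [], 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % (i - 1))
        if ctb & 0x40:                                  # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if size is None:
                raise ValueError("indeterminate packet length not supported")
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        out.append((tag, data[i:i + length]))
        i += length
    return out


def fingerprint(pubkey_body):
    """v4 fingerprint: SHA-1 over 0x99, two-byte body length, body (RFC 4880 12.2)."""
    if pubkey_body[0] != 4:
        raise ValueError("only v4 keys are handled")
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def primary_keys(keys_text):
    """Map each primary-key fingerprint found in KEYS to its user ids."""
    found, current = {}, None
    for blob in armored_payloads(keys_text):
        for tag, body in packets(blob):
            if tag == 6:                                # public-key packet (primary key)
                current = fingerprint(body)
                found[current] = []
            elif tag == 13 and current:                 # user id packet
                found[current].append(body.decode("utf-8", "replace"))
    return found


def signer_in_keys(keys_text, signer):
    """True if signer (40-hex fingerprint or 16-hex long key id) is a primary key in KEYS."""
    want = signer.replace(" ", "").upper()
    return any(f == want or (len(want) == 16 and f.endswith(want))
               for f in primary_keys(keys_text))


def _crc24(data):                                       # armor checksum (RFC 4880 6.1)
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF


def _mpi(value):                                        # OpenPGP multiprecision integer
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _sample_block(uid, seed):
    """Constructed for this example: a well-formed but unusable v4 RSA public-key packet plus
    a user-id packet, armored like gpg --export (real entries also carry signatures/subkeys)."""
    n = int.from_bytes(hashlib.sha256(seed).digest(), "big") | 1 << 255   # stand-in modulus
    key = b"\x04" + struct.pack(">I", 0) + b"\x01" + _mpi(n) + _mpi(65537)
    u = uid.encode()
    raw = bytes([0x98, len(key)]) + key + bytes([0xB4, len(u)]) + u    # old-format tags 6, 13
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(_crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


# Constructed KEYS file in the Apache layout: a gpg listing line, then the armored key.
SAMPLE_KEYS = ("pub   rsa256 1970-01-01 [SC]\n"
               + _sample_block("Release Manager <rm@example.invalid>", b"seed-1")
               + "pub   rsa256 1970-01-01 [SC]\n"
               + _sample_block("Second Member <pmc2@example.invalid>", b"seed-2"))
```

In use, an operator would pass the text of the downloaded KEYS file and the fingerprint that `gpg --verify` printed for the `.asc` signature; a `False` result is exactly the "new key signed the release" situation the message describes, and the fix on the operator side is to fetch a fresh KEYS from apache.org rather than to trust the unknown key. Note that only the primary key is checked; a release signed with a subkey still reports the primary fingerprint in gpg's output, so the lookup holds, but short 8-hex key ids are rejected on purpose because they are not collision resistant.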