Thanks Anthony

Roman, thanks for your offer to help with PGP, I'm sure we'll need it soon :)
As a follow-up, I've created the JIRA (GEODE-776) to add the KEYS file. Will create mine shortly and comment.

Best,
Nitin

________________________________________
From: [email protected] <[email protected]> on behalf of Roman Shaposhnik <[email protected]>
Sent: Monday, January 11, 2016 8:09 PM
To: [email protected]
Subject: Re: releaseType?

Seems like our emails have crossed. At this point you need to assemble a few trusted keys (yours, Nitin's, Mark's and perhaps a few other folks' as the minimum set) into a single key file and make it available in the SVN tree that manages ASF releases.

I suggest opening a GEODE jira asking folks to share their keys specially designed to sign releases as comments in that JIRA.

Note that it is best to have an identity bound to our key clearly designated as a release management key. E.g.:

https://dist.apache.org/repos/dist/release/bigtop/KEYS

pub 1024D/9475BD5D 2010-10-08
uid Roman V Shaposhnik (CODE SIGNING KEY) <[email protected]>
sig 3 9475BD5D 2011-11-01 Roman V Shaposhnik (CODE SIGNING KEY) <[email protected]>

Thanks,
Roman.

P.S. I'm kind of a crypto geek in my prior life so please let me know if more background on how to manage release signing keys would be useful to you

On Mon, Jan 11, 2016 at 7:44 PM, Anthony Baker <[email protected]> wrote:
> Here’s my key but I’m not sure if it is sufficiently trusted yet:
>
> http://pgp.surfnet.nl/pks/lookup?op=vindex&search=abaker%40apache.org&fingerprint=on
>
> Anthony
>
>
> On Jan 11, 2016, at 6:54 PM, Nitin Lamba <[email protected]> wrote:
>
> Great!
>
> If we're good with the latest versions of NOTICE and LICENSE files, we're
> about done with the src artifacts ready for review by ASF elders.
>
> The next step is code-signing and needs a few committers to have their PGP
> signatures uploaded on a public key server [1]. More details on release
> signing here [2], [3]. Is anyone from Geode PMC already in the 'web of
> trust'? I do see Roman on the list.
>
> - Nitin
>
> [1] https://people.apache.org/committers.html
> [2] http://www.apache.org/dev/release-signing.html#link-into-wot
> [3] http://www.apache.org/dev/openpgp.html#wot
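
A check over the kind of KEYS listing quoted in this thread, as an added example that is not part of the original e-mails or of any Apache tooling: it parses the pub/uid/sig lines and reports keys that have no UID designated for release signing, no listed self-signature, or no signature from another key. The key IDs, names and addresses are constructed, the function names are hypothetical, and the rule that the designation appears in the UID comment is an assumption taken from the Bigtop entry above.

```python
import re

# Constructed sample in the legacy key-listing layout that KEYS files carry.
SAMPLE_KEYS = """\
pub   4096R/AAAA1111 2016-01-12
uid                  Alice Example (CODE SIGNING KEY) <alice@example.org>
sig 3        AAAA1111 2016-01-12  Alice Example (CODE SIGNING KEY) <alice@example.org>
sig          BBBB2222 2016-01-13  Bob Example <bob@example.org>
pub   2048R/BBBB2222 2015-06-01
uid                  Bob Example <bob@example.org>
sig 3        BBBB2222 2015-06-01  Bob Example <bob@example.org>
"""

PUB = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-F]{8,16})\s+\d{4}-\d{2}-\d{2}")
UID = re.compile(r"^uid\s+(.+)$")
SIG = re.compile(r"^sig\s+(?:\S+\s+)?([0-9A-F]{8,16})\s+\d{4}-\d{2}-\d{2}")
# Assumption: a release key says so in its UID comment, as the Bigtop entry does.
DESIGNATED = re.compile(r"\([^)]*\b(?:SIGNING|RELEASE)\b[^)]*\)", re.I)

def parse_keys(text):
    """Group uid/sig lines under the pub line they follow."""
    keys, cur = [], None
    for line in text.splitlines():
        if m := PUB.match(line):
            cur = {"id": m.group(1), "uids": [], "signers": set()}
            keys.append(cur)
        elif cur is None:
            continue  # text before the first key
        elif m := UID.match(line):
            cur["uids"].append(m.group(1).strip())
        elif m := SIG.match(line):
            cur["signers"].add(m.group(1))
    return keys

def audit(text):
    """Return {key_id: [issues]}. The listing is unverified text: gpg imports
    only the armored blocks, so confirm signatures with gpg --check-sigs."""
    report = {}
    for key in parse_keys(text):
        issues = []
        if not any(DESIGNATED.search(u) for u in key["uids"]):
            issues.append("no UID designated as a release signing key")
        if key["id"] not in key["signers"]:
            issues.append("no self-signature listed")
        if not key["signers"] - {key["id"]}:
            issues.append("not signed by any other key")
        report[key["id"]] = issues
    return report

if __name__ == "__main__":
    for key_id, issues in audit(SAMPLE_KEYS).items():
        print(key_id, "OK" if not issues else "; ".join(issues))
```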
