Hey Mentors,

Is this the right mental model?

1. Create a compressed file of the source release.
2. Sign it.
3. Upload the release candidate + crypto signature to https://dist.apache.org/
4. Vote.
5. Move release candidate to be actual release.
6. Do any GitHub/PyPI stuff that's equivalent.

Questions:

1. Can we sign up for automated release signing <https://infra.apache.org/release-signing.html#automated-release-signing>? Or explain if we do it off a laptop, how do we manage private keys?
2. How do we get access to uploading things to https://dist.apache.org/ ?
3. It seems like there is no single way to sign a package, we just have to sign it with something that's approved, right?
4. Who can create the PyPI packages with the apache- prefix? Is that something infra owns? Or we do it ourselves? I want to dual publish the packages.

Cheers,
Stefan
