[
https://issues.apache.org/jira/browse/LUCENE-5143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16104538#comment-16104538
]
Uwe Schindler commented on LUCENE-5143:
---------------------------------------
Hi,
we just have to ensure that *all* old keys keep alive in the general keys file,
also OLD keys of people that changed their keys. So in general never ever
delete a key from Apache's id.apache.org system, unless you want to re-sign all
artifacts you published.
If we can ensure thia I am fine with deleting the per version files.
Maybe we should do some crosscheck: Collect all key IDs from all files on
dist.apache.org and calculate a union of it. After that check that all keys are
also present in the global file. If not, as the committers to re-upload the
old/outdated public keys from the old keys file to their id.apache.org accounts.
Uwe
> rm or formalize dealing with "general" KEYS files in our dist dir
> -----------------------------------------------------------------
>
> Key: LUCENE-5143
> URL: https://issues.apache.org/jira/browse/LUCENE-5143
> Project: Lucene - Core
> Issue Type: Task
> Reporter: Hoss Man
> Attachments: LUCENE-5143.patch, LUCENE-5143_READMEs.patch
>
>
> At some point in the past, we started creating a snapshots of KEYS (taken
> from the auto-generated data from id.apache.org) in the release dir of each
> release...
> http://www.apache.org/dist/lucene/solr/4.4.0/KEYS
> http://www.apache.org/dist/lucene/java/4.4.0/KEYS
> http://archive.apache.org/dist/lucene/java/4.3.0/KEYS
> http://archive.apache.org/dist/lucene/solr/4.3.0/KEYS
> etc...
> But we also still have some "general" KEYS files...
> https://www.apache.org/dist/lucene/KEYS
> https://www.apache.org/dist/lucene/java/KEYS
> https://www.apache.org/dist/lucene/solr/KEYS
> ...which (as i discovered when i went to add my key to them today) are stale
> and don't seem to be getting updated.
> I vaguely remember someone (rmuir?) explaining to me at one point the reason
> we started creating a fresh copy of KEYS in each release dir, but i no longer
> remember what they said, and i can't find any mention of a reason in any of
> the release docs, or in any sort of comment in buildAndPushRelease.py
> we probably do one of the following:
> * remove these "general" KEYS files
> * add a disclaimer to the top of these files that they are legacy files for
> verifying old releases and are no longer used for new releases
> * ensure these files are up to date stop generating per-release KEYS file
> copies
> * update our release process to ensure that the general files get updated on
> each release as well
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
