[ https://issues.apache.org/jira/browse/RANGER-750?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15472137#comment-15472137 ]

Sebb commented on RANGER-750:
-----------------------------

As explained above, the KEYS file cannot be re-created as shown.

The KEYS file must contain all keys ever used to sign a release (it's also used 
for archived releases). 
However the group/ranger.asc file will only contain the current keys for the 
current members of the LDAP group.

If a new key is used to sign a release, just add it to the existing KEYS file.
The list of keys is unlikely to change very frequently.

> Spurious file in https://dist.apache.org/repos/dist/release/incubator/ranger/
> -----------------------------------------------------------------------------
>
>                 Key: RANGER-750
>                 URL: https://issues.apache.org/jira/browse/RANGER-750
>             Project: Ranger
>          Issue Type: Bug
>         Environment: 
> https://dist.apache.org/repos/dist/release/incubator/ranger/
>            Reporter: Sebb
>            Assignee: Selvamohan Neethiraj
>
> The directory https://dist.apache.org/repos/dist/release/incubator/ranger/ 
> contains the file:
> download-keys.sh
> This does not belong on the ASF mirror system.
> Also the script is not suitable for downloading KEYS.
> The file https://people.apache.org/keys/group/ranger.asc is not guaranteed to 
> contain all the keys needed to validate a signature, because the file only 
> contains the current keys for the current members of the PPMC. However the 
> KEYS file is also used for checking archived releases so must contain all 
> keys that have ever been used to sign a release.
> Please remove the script file, and ensure that the KEYS file contains all the 
> keys for every ASF release that has been made. Entries should never be 
> dropped from KEYS files if they have been used to sign a release.
> Thanks



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
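
The rule stated in this thread, that entries are never dropped from a KEYS file, can be checked mechanically before a replacement KEYS file is committed. The following is an added example, not code from the issue or from the Ranger project: it lists the key fingerprints present in an old KEYS file but missing from a new one. The function names are hypothetical, and it assumes version 4 OpenPGP keys in ASCII armor with definite-length packets.

```python
import base64
import hashlib
import re

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def _dearmor(block):
    """Base64-decode one armored block, skipping armor headers and the '=CRC' line."""
    lines = (l.strip() for l in block.splitlines())
    return base64.b64decode("".join(l for l in lines if l and ":" not in l and l[0] != "="))

def _packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet in `data`."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                start, n = i + 2, first
            elif first < 224:
                start, n = i + 3, ((first - 192) << 8) + data[i + 2] + 192
            elif first == 255:
                start, n = i + 6, int.from_bytes(data[i + 2:i + 6], "big")
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                   # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length is not handled")
            start, n = i + 1 + size, int.from_bytes(data[i + 1:i + 1 + size], "big")
        yield tag, data[start:start + n]
        i = start + n

def fingerprints(keys_text):
    """Return the v4 primary-key fingerprints found in a KEYS file (other versions are ignored)."""
    found = set()
    for m in ARMOR.finditer(keys_text):
        for tag, body in _packets(_dearmor(m.group(1))):
            if tag == 6 and body[:1] == b"\x04":    # tag 6 = primary public key
                material = b"\x99" + len(body).to_bytes(2, "big") + body
                found.add(hashlib.sha1(material).hexdigest().upper())
    return found

def dropped_keys(old_keys, new_keys):
    """Fingerprints present in the old KEYS text but absent from the new one."""
    return sorted(fingerprints(old_keys) - fingerprints(new_keys))
```

An empty result from `dropped_keys(old_text, new_text)` means every key in the old file is still present, so adding a new signing key passes while regenerating the file from `group/ranger.asc` would be flagged.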
