On Thu, Sep 12, 2013 at 06:19:42PM +0530, Lahiru Sandaruwan wrote:
> Hi all,
>
> We have been following some release guides for release management ([1],
> [2]). They state that we have to generate GPG keys for signing.
> My question is that, is it better to get the packs signed by a mentor for
> incubating release?
>
> Thanks.
>
> [1] http://airavata.apache.org/development/release-management.html
> [2] http://airavata.apache.org/development/release-management.html

IMO, whoever wants to be the release manager for your first release should
be the one to sign the artifact. Now, if you are creating a new key for it,
and aren't connected to the larger ASF web of trust, that can be seen as a
weakness.

We can solve that though! As part of voting (if someone votes +1), they have
the option of providing a signature that can be added to the detached
signature file for the release before it's committed to the release dir in
svn.

So... That's where mentors can help. When I vote, if it's a +1, I'll add my
signature. Others should consider doing the same.

-chip
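
The workflow described in the reply above, as an added example that is not part of the original thread or of any project's release tooling: a release manager signs the artifact, a voter signs the same file, and the voter's detached signature is appended to the release's .asc file. The identities, the artifact name and the throwaway keyring are constructed for the demo, and appending armored signatures with cat is one common way to combine them, assumed here.

```shell
#!/usr/bin/env bash
# Constructed demo: two signers, one artifact, one combined .asc file.
# All identities and file names below are made up for illustration.

# Print how many good signatures gpg finds in signature file $2 for artifact $1.
count_good_sigs() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep -c '^\[GNUPG:\] GOODSIG'
}

demo_multi_sign() {
    local work artifact id n
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"      # isolated keyring, not ~/.gnupg
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway, passphrase-less keys standing in for the two signers.
    for id in 'Release Manager <rm@example.invalid>' \
              'Voting Mentor <mentor@example.invalid>'; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$id" default default never 2>/dev/null || return 1
    done

    artifact="$work/project-0.1.0-incubating.tar.gz"
    printf 'constructed release contents\n' > "$artifact"

    # 1. The release manager signs the artifact (detached, ASCII-armored).
    gpg --batch --quiet --armor --detach-sign -u rm@example.invalid \
        -o "$artifact.asc" "$artifact" || return 1

    # 2. A +1 voter signs the exact same bytes with their own key.
    gpg --batch --quiet --armor --detach-sign -u mentor@example.invalid \
        -o "$work/mentor.asc" "$artifact" || return 1

    # 3. The voter's signature is appended before the .asc is committed.
    cat "$work/mentor.asc" >> "$artifact.asc"

    # 4. Anyone verifying the release now sees both signatures.
    n=$(count_good_sigs "$artifact" "$artifact.asc")

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo "$n"
}
```

Calling demo_multi_sign prints the number of good signatures found in the combined file. In a real vote each signer uses their own keyring, and a verifier still has to decide which of the signing keys they trust.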
