On Sep 12, 2013, at 9:22 AM, Chip Childers <[email protected]> wrote:

> On Thu, Sep 12, 2013 at 06:19:42PM +0530, Lahiru Sandaruwan wrote:
>> Hi all,
>> 
>> We have been following some release guides for release management ([1],
>> [2]). They state that we have to generate GPG keys for signing.
>> My question is: is it better to get the packs signed by a mentor for
>> an incubating release?
>> 
>> Thanks.
>> 
>> [1] http://airavata.apache.org/development/release-management.html
>> [2] http://airavata.apache.org/development/release-management.html
> 
> IMO, whoever wants to be the release manager for your first release
> should be the one to sign the artifact.  Now, if you are creating a new
> key for it, and aren't connected to the larger ASF web of trust, that
> can be seen as a weakness.
> 
> We can solve that though!  As part of voting (if someone votes +1), they
> have the option of providing a signature that can be added to the
> detached signature file for the release before it's committed to the
> release dir in svn.
> 
> So...  That's where mentors can help.  When I vote, if it's a +1, I'll
> add my signature.  Others should consider doing the same.

+ 1 for this approach though.

Although I assume with a good number of Apache committers in Sri Lanka, the
release manager (assuming they will be from one of the currently active Stratos PPMC
members in SL), should be able to meet fellow committers in person and get
their key signed.

Suresh

> 
> -chip
