On Mon, May 24, 2010 at 3:04 AM, Lukasz Lenart <lukasz.len...@googlemail.com> wrote:
> 2010/5/23 Lukasz Lenart <lukasz.len...@googlemail.com>:
>> 2010/5/23 Martin Cooper <mart...@apache.org>:
>>> If an existing key has ever been used to sign a release, it should not
>>> be removed from the KEYS file. It's still needed to verify those older
>>> releases. New keys should just be added without removing anything that
>>> was there before.
>>
>> I didn't know, I lost my old keys when my laptop was flooded :P
>> I will merge with the previous version.
>
> One more question, I never used that key to sign anything (I tried,
> but a Vote was cancelled). In such case maybe it's better to clean up
> the KEYS file?
>
I would say that whether the old key stays out depends on a few things... For one, you mentioned that you've never used that key to sign a release. If you can guarantee that, then I don't see the need to pull it back into the KEYS file (Martin, feel free to disagree, I'd back down pretty easy).

The way I would guarantee is to scp all the releases from people.a.o (or wget from a mirror) and loop through them to make sure. Should be trivial, although it might kill your bandwidth ;). If you can't find anything that you've signed with the keys that no longer exist, I'd say leave it (for the sake of simplicity).

But, I would also make a backup (I prefer to burn to a CD, then keep them somewhere safe) of your new private key.

-Wes

--
Wes Wannemacher
Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!
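
The loop described in the reply above (walk every downloaded release and see who signed it), as an added example that is not part of the original thread: it reads the issuer key ID straight out of each detached `.asc` signature, so the lost public key is not needed. It assumes ASCII-armored detached signatures carrying v3 or v4 signature packets; the function names, the directory argument and the key ID argument are hypothetical.

```python
import base64, pathlib, sys

def dearmor(text):
    """Decode an ASCII-armored detached signature (*.asc) to raw packet bytes."""
    lines = [l.strip() for l in text.split("-----END")[0].splitlines()]
    # Drop the BEGIN line, armor headers ("Version: ..."), blanks and the "=CRC" line.
    keep = [l for l in lines if l and l[0] not in "-=" and ":" not in l]
    return base64.b64decode("".join(keep))

def issuer_key_id(sig):
    """Return the 64-bit issuer key ID (upper-case hex) claimed by a signature packet."""
    hdr = sig[0]
    if hdr & 0x40:  # new-format header: tag in low 6 bits, 1-, 2- or 5-octet length
        tag, off = hdr & 0x3F, 2 + (sig[1] >= 192) + 3 * (sig[1] == 255)
    else:           # old-format header: tag in bits 5-2, length of 1, 2, 4 or 0 octets
        tag, off = (hdr >> 2) & 0x0F, 1 + (1, 2, 4, 0)[hdr & 3]
    body = sig[off:]
    if tag != 2 or body[0] not in (3, 4):
        raise ValueError("not a v3/v4 signature packet")
    if body[0] == 3:  # v3: version, 5, sig type, 4-byte time, then the key ID
        return body[7:15].hex().upper()
    hlen = int.from_bytes(body[4:6], "big")                # hashed subpacket area
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")  # unhashed subpacket area
    area, i = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen], 0
    while i < len(area):
        n, i = area[i], i + 1                 # subpacket length includes the type octet
        if 192 <= n < 255:
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        if n and area[i] & 0x7F in (16, 33):  # issuer key ID / issuer fingerprint (v4 key)
            return area[i + 1:i + n][-8:].hex().upper()
        i += n or len(area)                   # zero length is malformed: stop scanning
    raise ValueError("no issuer subpacket")

def signed_by(root, old_key_id):
    """Return (hits, unparsed): *.asc files under root naming old_key_id, and unreadable ones."""
    hits, unparsed = [], []
    for path in sorted(pathlib.Path(root).rglob("*.asc")):
        try:
            kid = issuer_key_id(dearmor(path.read_text(errors="replace")))
            if kid.endswith(old_key_id.upper()):  # accepts short (8) or long (16) hex IDs
                hits.append(path)
        except (ValueError, IndexError):
            unparsed.append(path)  # the issuer field is only a claim; check these by hand
    return hits, unparsed

if __name__ == "__main__":  # usage: <script> RELEASES_DIR OLD_KEY_ID (hex, no "0x")
    print("signed by old key: %s\nunparsed, check by hand: %s" % signed_by(*sys.argv[1:3]))
```

An empty hit list with an empty unparsed list is what supports leaving the old key out of KEYS; any unparsed file can be inspected with `gpg --list-packets`.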