Branko Čibej <[email protected]> writes:

> I don't think this is correct. All the keys ever used to sign releases
> should be in here, even if they're now expired or revoked. In other
> words, the old fingerprints should still be listed on id.apache.org,
> which is the source of truth.

We seem to maintain two different kinds of KEYS files:

- https://dist.apache.org/repos/dist/release/subversion/KEYS
- https://dist.apache.org/repos/dist/dev/subversion/subversion-1.15.0-rc3.KEYS

The first is append-only and keeps every key that has ever been used to sign
a release.

The second is a point-in-time snapshot of the committers' current public keys,
and it is valid only for a specific release.  So I regenerated it to match the
current state.

I don't remember exactly why we have this distinction, but I believe there was
a lengthy discussion about it on dev@ at some point…


Thanks,
Evgeny Kotkov

Reply via email to