Branko Čibej <[email protected]> writes: > I don't think this is correct. All the keys ever used to sign releases > should be in here, even if they're now expired or revoked. In other > words, the old fingerprints should still be listed on id.apache.org, > which is the source of truth.
We seem to maintain two different kinds of KEYS files: - https://dist.apache.org/repos/dist/release/subversion/KEYS - https://dist.apache.org/repos/dist/dev/subversion/subversion-1.15.0-rc3.KEYS The first is append-only and keeps every key that has ever been used to sign a release. The second is a point-in-time snapshot of the committers' current public keys, and it is valid only for a specific release. So I regenerated it to match the current state. I don't remember exactly why we have this distinction, but I believe there was a lengthy discussion about it on dev@ at some point… Thanks, Evgeny Kotkov

