Dave,
On 6/19/26 2:42 PM, Dave Fisher wrote:
We are close to rolling out the ATR Beta and were reviewing gaps
with PMCs that have more than one KEYS file in their distribution
area. There are only a handful which are mostly PMCs that came out
of umbrella projects. These mostly have a key file for each
subproject. Tomcat goes further as you have a KEYS file for each
Tomcat major version.
Would Tomcat have a problem using ATR if this meant a single KEYS
file for the whole PMC?
I think we would be okay with a single KEYS file for the whole PMC.
While we have a large number of releases (~3 per month), our release
managers are fairly stable so the file won't see a tremendous amount of
turnover for the foreseeable future.
You can see how this will work at
https://release-test.apache.org/committees/tomcat
It's not entirely clear to me where the current list of keys is coming
from. We have a KEYS file in the root of our main branch but that
doesn't seem to be what's there. Is the KEYS file for ATR assembled from
the PGP keys registered here for each release manager?
https://release-test.apache.org/keys
According to:
- https://release-test.apache.org/docs/promoting-to-release#the-keys-file
ATR will use a file that Tomcat doesn't currently maintain, plus some
other keys that look like they match what I asked about above.
- https://release-test.apache.org/docs/signing-artifacts#optional-steps
Please let us know so we can determine if we have more necessary
work prior to Beta (or during beta).
This doesn't seem onerous at all. Is it okay if we upload our keys to
ATR and don't make any changes to our git repository?
-chris