On Fri, 19 Jun 2026 at 22:46, Christopher Schultz <[email protected]> wrote: > > Dave, > > On 6/19/26 2:42 PM, Dave Fisher wrote: > > We are close to rolling out the ATR Beta and were reviewing gaps > > with PMC’s that have more than one KEYS files in their distribution > > area. There are only a handful which are mostly PMCs that came out > > of umbrella projects. These mostly have a key file for each > > subproject. Tomcat goes further as you have a KEYS file for each > > Tomcat major version. > > > > Would Tomcat have a problem using ATR if this meant a single KEYS > > file for the whole PMC? > > I think we would be okay with a single KEYS file for the whole PMC. > While we have a large number of releases (~3 per month), our release > managers are fairly table so the file won't see a tremendous amount of > turnover for the foreseeable future.
A key should never be dropped from the KEYS file it has ever been used to sign a release. This is to ensure that signatures can be checked for archived releases. > > You can see how this will work at https://release-test.apache.org/ > > committees/tomcat > > It's not entirely clear to me where the current list of keys is coming > from. We have a KEYS file in the root of our main branch but that > doesn't seem to be what's there. Is the KEYS file for ATR assembled from > the PGP keys registered here for each release manager? > > https://release-test.apache.org/keys > > According to: > > > - https://release-test.apache.org/docs/promoting-to-release#the-keys- > > file > > ATR will use a file that tomcat doesn't currently maintain, plus some > other keys that look like they match what I asked about above. > > > - https://release-test.apache.org/docs/signing-artifacts#optional- > > steps > > > Please let us know so we can determine if we have more necessary > > work prior to Beta (or during beta). > > This doesn't seem onerous at all. Is it okay if we upload our keys to > ATR and don't make any changes to our git repository? > > -chris > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
