> On Jun 19, 2026, at 11:18 PM, sebb <[email protected]> wrote:
>
> On Fri, 19 Jun 2026 at 22:46, Christopher Schultz
> <[email protected]> wrote:
>>
>> Dave,
>>
>> On 6/19/26 2:42 PM, Dave Fisher wrote:
>>> We are close to rolling out the ATR Beta and were reviewing gaps
>>> with PMCs that have more than one KEYS files in their distribution
>>> area. There are only a handful which are mostly PMCs that came out
>>> of umbrella projects. These mostly have a key file for each
>>> subproject. Tomcat goes further as you have a KEYS file for each
>>> Tomcat major version.
>>>
>>> Would Tomcat have a problem using ATR if this meant a single KEYS
>>> file for the whole PMC?
>>
>> I think we would be okay with a single KEYS file for the whole PMC.
>> While we have a large number of releases (~3 per month), our release
>> managers are fairly stable so the file won't see a tremendous amount of
>> turnover for the foreseeable future.
>
> A key should never be dropped from the KEYS file if it has ever been used
> to sign a release.
> This is to ensure that signatures can be checked for archived releases.
Please note that https://github.com/apache/tooling-trusted-releases/issues/180
is still on the development list, and we will do our best. If you can show
written policy that signatures from ALL archived artifacts MUST be preserved,
bring that to the issue. I’m not so sure it’s important for 25-year-old Tomcat
3 releases as excellent and cool as these were. These were my first ASF
downloads.
This discussion is assuring that there will now be a singular KEYS file in the
now canonical location.
Best,
Dave
>
>>> You can see how this will work at https://release-test.apache.org/committees/tomcat
>>
>> It's not entirely clear to me where the current list of keys is coming
>> from. We have a KEYS file in the root of our main branch but that
>> doesn't seem to be what's there. Is the KEYS file for ATR assembled from
>> the PGP keys registered here for each release manager?
>>
>> https://release-test.apache.org/keys
>>
>> According to:
>>
>>> - https://release-test.apache.org/docs/promoting-to-release#the-keys-file
>>
>> ATR will use a file that tomcat doesn't currently maintain, plus some
>> other keys that look like they match what I asked about above.
>>
>>> - https://release-test.apache.org/docs/signing-artifacts#optional-steps
>>
>>> Please let us know so we can determine if we have more necessary
>>> work prior to Beta (or during beta).
>>
>> This doesn't seem onerous at all. Is it okay if we upload our keys to
>> ATR and don't make any changes to our git repository?
>>
>> -chris
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>
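Added example, not code from this thread or from the ATR project: a Python check for the property sebb raises above, namely that folding several per-version KEYS files into one PMC-wide file must not drop any key that ever signed an archived release. It relies on the fingerprint header lines that gpg prints above each armored block in an Apache KEYS file and does not decode OpenPGP packets. All fingerprints, names and armor payloads below are constructed placeholders, and the release-to-signer table is a hypothetical record an RM would assemble from the archived .asc signatures.

```python
import re

# Fingerprint header gpg emits above each armored block in a KEYS file:
# either a bare 40-hex line (current gpg) or "Key fingerprint = ..." (older gpg).
FPR_RE = re.compile(
    r"^\s*(?:Key fingerprint = )?([0-9A-Fa-f]{4}(?: ?[0-9A-Fa-f]{4}){9})\s*$"
)
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def parse_keys_file(text):
    """Map each fingerprint in a KEYS file to (gpg listing header, armored block).

    Only the textual header is parsed; the OpenPGP packets are not decoded.
    """
    entries = {}
    header, fpr, block = [], None, None
    for line in text.splitlines():
        if block is None:
            if line.strip() == BEGIN:
                if fpr is None:
                    raise ValueError("armored block without a fingerprint header")
                block = [line]
            else:
                if line.startswith("pub"):
                    header = [line]          # a new key's listing starts here
                elif header and line.strip():
                    header.append(line)      # uid / sub / fingerprint lines
                m = FPR_RE.match(line)
                if m:
                    fpr = m.group(1).replace(" ", "").upper()
            continue
        block.append(line)
        if line.strip() == END:
            entries.setdefault(fpr, ("\n".join(header), "\n".join(block)))
            header, fpr, block = [], None, None
    if block is not None:
        raise ValueError("unterminated PGP PUBLIC KEY BLOCK")
    return entries


def merge_keys_files(texts):
    """Union of several KEYS files keyed by fingerprint; the first copy wins."""
    merged = {}
    for text in texts:
        for fpr, entry in parse_keys_file(text).items():
            merged.setdefault(fpr, entry)
    return merged


def missing_signing_keys(entries, release_signers):
    """Releases whose signing key is absent from the proposed KEYS content."""
    return {rel: fpr for rel, fpr in release_signers.items() if fpr not in entries}


def render_keys_file(entries):
    """Serialise the merged set back into a single KEYS file."""
    return "\n\n".join(f"{hdr}\n{blk}" for hdr, blk in
                       (entries[f] for f in sorted(entries))) + "\n"


# --- constructed sample data (fake fingerprints, uids and armor payloads) ---
def _fake_key(fpr, uid, payload):
    return (f"pub   rsa4096 2020-01-01 [SC]\n      {fpr}\nuid           {uid}\n"
            f"sub   rsa4096 2020-01-01 [E]\n{BEGIN}\n\n{payload}\n=AAAA\n{END}\n")

FPR_A = "0123456789ABCDEF0123456789ABCDEF01234567"
FPR_B = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
FPR_C = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Hypothetical per-major-version KEYS files; RM Alpha no longer releases.
KEYS_V9 = ("Constructed sample KEYS file (not a real key set).\n\n"
           + _fake_key(FPR_A, "RM Alpha (constructed) <alpha@example.invalid>", "mQENBFAKE-A")
           + _fake_key(FPR_B, "RM Beta (constructed) <beta@example.invalid>", "mQENBFAKE-B"))
KEYS_V10 = (_fake_key(FPR_B, "RM Beta (constructed) <beta@example.invalid>", "mQENBFAKE-B")
            + _fake_key(FPR_C, "RM Gamma (constructed) <gamma@example.invalid>", "mQENBFAKE-C"))

# Hypothetical record of which key signed each archived release.
ARCHIVED_RELEASE_SIGNERS = {"9.0.1": FPR_A, "9.0.50": FPR_B, "10.1.0": FPR_C}


def check_single_keys_file(keys_files, release_signers):
    """Merge the given KEYS files and report archived releases left unverifiable."""
    merged = merge_keys_files(keys_files)
    return merged, missing_signing_keys(merged, release_signers)


if __name__ == "__main__":
    merged, missing = check_single_keys_file([KEYS_V9, KEYS_V10], ARCHIVED_RELEASE_SIGNERS)
    print(f"merged {len(merged)} keys, unverifiable releases: {missing}")
    # Rebuilding KEYS only from the current RMs' keys would lose RM Alpha.
    print(missing_signing_keys(parse_keys_file(KEYS_V10), ARCHIVED_RELEASE_SIGNERS))
```

Run against the real per-version files, the check is the gate to apply before the single PMC-wide KEYS file replaces them: an empty result means every archived signature can still be verified, while a non-empty one names the releases that would become unverifiable. A KEYS file assembled only from the keys currently registered for active release managers would fail this check whenever a former RM's key is omitted.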