sbp commented on issue #227: URL: https://github.com/apache/tooling-trusted-releases/issues/227#issuecomment-3403245654
Resolved by b9de5d40ff0d430cae003d9e2d1f390430fea285. We consider an OpenPGP key in a PMC or PPMC's `KEYS` file to be an automated release key if its primary UID contains either `Automated Release Signing` or `Services RM`, and matches the glob `private@*.apache.org`. We were given a list of eight definitive automated release committees on 2 Sep 2025 as part of [INFRA-27164](https://issues.apache.org/jira/browse/INFRA-27164), and seven of those are represented by this identification technique, plus `kie` and `opendal`, who applied in [INFRA-25549](https://issues.apache.org/jira/browse/INFRA-25549) and [INFRA-24880](https://issues.apache.org/jira/browse/INFRA-24880) respectively and were not in the list that we received. Potentially they were not in the list because they applied for automated Jenkins and Maven builds, not GitHub builds; but because the application process appears to have identical criteria, and because their key format overlaps with committees in the list that we were provided, they are currently being allowed to make automated releases by ATR. The one committee on the 2 Sep 2025 list which we cannot detect is `manifoldcf`, who have not, as far as I can find, published their signing key in [their `KEYS` file](https://downloads.apache.org/manifoldcf/KEYS).

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
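
The identification rule described in the comment above, as an added example that is not part of the original comment and is not ATR's code from the referenced commit. It assumes the primary UID has the usual `Name <email>` form and that the glob is applied to the address, case-sensitively; the function names and sample UIDs are constructed for illustration.

```python
import fnmatch
import re
from typing import Dict, Optional

# Marker substrings and glob exactly as stated in the comment.
UID_MARKERS = ("Automated Release Signing", "Services RM")
EMAIL_GLOB = "private@*.apache.org"

# Assumption: the address is the trailing <...> part of the UID.
_UID_EMAIL = re.compile(r"<([^<>]+)>\s*$")


def uid_email(primary_uid: str) -> Optional[str]:
    """Return the address inside the trailing <...> of a UID, or None."""
    match = _UID_EMAIL.search(primary_uid)
    return match.group(1) if match else None


def is_automated_release_uid(primary_uid: str) -> bool:
    """True only if a marker is present AND the address matches the glob."""
    if not any(marker in primary_uid for marker in UID_MARKERS):
        return False
    email = uid_email(primary_uid)
    # fnmatchcase anchors the whole string, so a look-alike suffix such as
    # "...apache.org.example.net" does not match.
    return email is not None and fnmatch.fnmatchcase(email, EMAIL_GLOB)


def classify(primary_uids: Dict[str, str]) -> Dict[str, bool]:
    """Map each committee name to whether its primary UID passes the rule."""
    return {name: is_automated_release_uid(uid) for name, uid in primary_uids.items()}


# Constructed sample UIDs (hypothetical committees, not taken from any KEYS file).
SAMPLE = {
    "example-a": "Apache ExampleA Automated Release Signing <private@example-a.apache.org>",
    "example-b": "Apache ExampleB Services RM <private@example-b.apache.org>",
    "example-c": "Jane Developer <jane@apache.org>",  # personal key, no marker
    "example-d": "Automated Release Signing <private@example-d.apache.org.example.net>",
    "example-e": "ExampleE Automated Release Signing <dev@example-e.apache.org>",
}

if __name__ == "__main__":
    for committee, allowed in classify(SAMPLE).items():
        print(f"{committee}: {'automated' if allowed else 'not automated'}")
```

A committee whose key is absent from its `KEYS` file never reaches this check, which is the `manifoldcf` case the comment describes.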
