sbp commented on issue #242: URL: https://github.com/apache/tooling-trusted-releases/issues/242#issuecomment-3598593689
After the [earlier comment](https://github.com/apache/tooling-trusted-releases/issues/242#issuecomment-3539449683) on what defines the role of RM, we discussed requiring RMs in ATR to be approved by the PMC in some way. This could be via #326-style dual approval, or something else.

Also, contrary to [the more recent comment above](https://github.com/apache/tooling-trusted-releases/issues/242#issuecomment-3598561004), "as long as PMC member signs and publishes the artifacts", the [ASF release policy](https://www.apache.org/legal/release-policy.html) says:

> All supplied packages MUST be cryptographically signed with an ASCII-armored detached signature. They MUST be signed by either the Release Manager or the automated release infrastructure, where the underlying implementation MUST follow the principles [outlined](https://www.apache.org/dev/release-signing.html#automated-release-signing) by the Apache Security Team.
>
> [...]
>
> All release artifacts within the directory MUST be signed by a committer, preferably a PMC member.
>
> [...]
>
> Note that the PMC is responsible for all artifacts in their distribution directory, which is a subdirectory of downloads.apache.org ; and all artifacts placed in their directory must be signed by a committer, preferably by a PMC member.

It's not clear how ATR should implement the "preferably".

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
