The release is signed by a committer: http://www.apache.org/info/verification.html

To verify the key, it can typically be posted on the Apache domain: http://www.apache.org/dev/release-signing.html#keys-policy

> On Jan 8, 2016, at 9:58 AM, Chip Senkbeil <[email protected]> wrote:
>
> Currently, we do not publish any binaries to Maven Central. It would be
> nice to take a look at doing this. There was an issue on GitHub to deal
> with this. We can move the discussion here now.
>
> We need to refactor the project's org to org.apache and the artifacts to
> toree-<MODULE_NAME> instead of just <MODULE_NAME>. E.g. the communication
> module needs to be renamed toree-communication such that we don't publish
> org.apache communication as the org and artifact.
>
> Also, a PGP key is needed for signing when publishing to Maven Central. Is
> there a process in Apache for maintaining a common PGP key? Or is it that a
> certain committer is a release manager as well and uses their PGP key? I've
> got my own used previously for other projects, but don't know what policies
> there are for this. Thinking of Apache Spark with Patrick Wendell during
> releases.
