> On Nov 8, 2016, at 6:46 PM, Eric Friedrich (efriedri) <[email protected]> wrote:
>
> Hey Dan-
> I haven’t looked at the RPMs yet, but I think we also need to put up a package for astats.
>
> A few other things:
> - Package name should have “incubating” in it
> - Need signatures directly on the release packages (i.e. 1 detached sig per RPM/SRPM), see these:
> https://www.apache.org/dev/release-publishing.html#valid
> https://www.apache.org/dev/release-signing.html#basics
Yes, this is very important, you must have a GPG signature. Also, you should make sure it’s easy / possible to get the public key of the person that created these artifacts, ideally signed by other trusted people. See e.g. https://dist.apache.org/repos/dist/release/trafficserver/KEYS

Cheers,

— leif
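As an added illustration of the two points made in this thread (one detached signature per artifact, and a KEYS file from which the signer's public key can be fetched), here is a small verification script; it is example code written for this page, not part of the project or the Apache tooling, and it assumes the artifacts are `*.rpm` files in one directory with a `<file>.asc` beside each and a `KEYS` file in the same directory.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: a release directory holding
# *.rpm artifacts (SRPMs match as *.src.rpm), one detached ASCII-armored
# signature <artifact>.asc per artifact, and a KEYS file with the signers'
# public keys, as Apache releases publish them.

# Print every artifact in $1 that has no detached signature next to it.
# Returns 0 when every artifact is signed, 1 otherwise.
missing_signatures() {
  dir=$1
  rc=0
  for f in "$dir"/*.rpm; do
    [ -e "$f" ] || continue          # no artifacts at all: glob stayed literal
    if [ ! -f "$f.asc" ]; then
      echo "$f"
      rc=1
    fi
  done
  return $rc
}

# Import KEYS into a throwaway keyring (so nothing lands in the user's own
# keyring) and verify each detached signature against its artifact.
# Importing KEYS only makes verification possible; whether the key belongs to
# the release manager still has to be checked via its fingerprint out of band.
verify_release() {
  dir=$1
  missing_signatures "$dir" >/dev/null || { echo "unsigned artifacts present"; return 1; }
  keyring=$(mktemp -d) || return 1
  gpg --homedir "$keyring" --import "$dir/KEYS" || return 1
  for f in "$dir"/*.rpm; do
    [ -e "$f" ] || continue
    gpg --homedir "$keyring" --verify "$f.asc" "$f" || { echo "BAD signature: $f"; return 1; }
  done
  echo "all artifacts verified"
}
```

Run as `verify_release /path/to/release-dir`; a single signature over a tarball of all packages would not satisfy `missing_signatures`, which is the point of the "1 detached sig per RPM/SRPM" requirement above.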
