Hi,

+1 for every release manager to have his own key.
Though I think that there should be an "XWiki.org" key that is kept
only by one person and that is used to sign the release managers' keys.

In this way artifacts will be marked as released by somebody that is
also trusted by XWiki.org.

-Fabio

On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
<[email protected]> wrote:
>
>
> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>> Hi,
>>>
>>> I think we should start signing our artifacts using PGP as explained here:
>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven
>>>
>>> Here's my +1
>>
>> +1.
>>
>> Do we use only one key, installed on the release machine? It should be
>> protected by a strong passphrase.
>
> +1
> I really don't like the "one key on the release box" idea.
> IMO each release manager should sign with their key which ofc never leaves 
> their own computer.
>
> Caleb
>
>>
>>>
>>> Thanks
>>> -Vincent
>>>
>>> PS: If we agree I can commit the changes required to our top level POM to
>>> implement this (I have them locally already)
>>
>> PS2: When's the release user ready on one of the new agents?
>>
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>