On 08/16/2011 10:21 AM, Fabio Mancinelli wrote:
> Hi,
>
> +1 for every release manager to have his own key.
> Though I think that there should be an "XWiki.org" key that is kept
> only by one person and that is used to sign the release managers' keys.
>
> In this way artifacts will be marked as released by somebody that is
> also trusted by XWiki.org.

Yes, that's what I was thinking as well last night. And the XWiki.org master key should be signed by a trusted authority.

> -Fabio
>
> On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
> <[email protected]> wrote:
>>
>>
>> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>>> Hi,
>>>>
>>>> I think we should start signing our artifacts using PGP as explained here:
>>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven
>>>>
>>>> Here's my +1
>>>
>>> +1.
>>>
>>> Do we use only one key, installed on the release machine? It should be
>>> protected by a strong passphrase.
>>
>> +1
>> I really don't like the "one key on the release box" idea.
>> IMO each release manager should sign with their key which ofc never leaves
>> their own computer.
>>
>> Caleb
>>
>>>
>>>>
>>>> Thanks
>>>> -Vincent
>>>>
>>>> PS: If we agree I can commit the changes required to our top level POM to
>>>> implement this (I have them locally already)
>>>
>>> PS2: When's the release user ready on one of the new agents?
>>>

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
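The scheme proposed in this thread (per-release-manager keys, each certified by one project master key) can be checked on the consumer side as sketched below. This is an added example, not part of the thread or of XWiki's build: it assumes GnuPG 2.1 or later, and the helper functions (`fpr`, `new_key`, `sign_as`, `verify_release`), user IDs and artifact are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Keys, addresses and the artifact are constructed; the keyring is throwaway.
set -eu
GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
ARTIFACT=$GNUPGHOME/artifact.jar
echo "constructed release artifact" > "$ARTIFACT"

# Primary-key fingerprint for a user ID.
fpr() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" {print $10; exit}'; }

new_key() {  # unprotected key, acceptable only for a throwaway demo keyring
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never
}

# Detached, armored signature written to $ARTIFACT.asc by the given key.
sign_as() { gpg --batch --yes --quiet --armor -u "$1" --detach-sign "$ARTIFACT"; }

# Accept $1 only if $1.asc is a good signature AND the signing key carries a
# good certification from the master key whose fingerprint is $2.
verify_release() {
  signer=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
           awk '$2 == "VALIDSIG" {print $NF}')   # last field: signer's primary fingerprint
  [ -n "$signer" ] || return 1
  gpg --batch --with-colons --check-sigs "$signer" 2>/dev/null |
    awk -F: -v m="$2" '$1 == "sig" && $2 ~ /^!/ && $5 == substr(m, length(m) - 15) {ok = 1}
                       END {exit !ok}'
}

new_key "Project Master <master@example.org>"
new_key "Release Manager A <rm-a@example.org>"
new_key "Uncertified Signer <rogue@example.org>"
MASTER=$(fpr master@example.org)
# The master key certifies release manager A only.
gpg --batch --yes --quiet -u "$MASTER" --quick-sign-key "$(fpr rm-a@example.org)"

sign_as rm-a@example.org
verify_release "$ARTIFACT" "$MASTER" && echo "rm-a signature: accepted"
sign_as rogue@example.org
verify_release "$ARTIFACT" "$MASTER" || echo "rogue signature: rejected"
```

The check pins the master key by fingerprint instead of relying on the local trust database, and it does not consider revocation or expiry of either key.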

