Hi Andrew, here are some basic docs:
http://www.apache.org/dev/release-signing.html http://www.apache.org/dev/openpgp.html#update I could not find information on your specific question. At log4php we were curious recently about the same and decided to go with this: http://www.apache.org/dist/logging/log4php/KEYS But we made sure it would match this: https://people.apache.org/keys/group/logging-pmc.asc Basically my understanding is the one from people would be fine alone. There is some danger people would take the KEYS file from a mirror which is to my knowledge not possible from people. My 2 cents- hopefully somebody with more knowledge on that matter (infra) can add a note. Cheers On Thu, May 30, 2013 at 10:44 PM, Andrew Phillips <[email protected]>wrote: > Hi all > > Apologies in advance if this is not the correct audience for this > question: what is the correct process now for publishing signing keys for > releases? jclouds currently has a KEYS file [1]; there is another > (different) file containing keys in the groups list [2] on people.apache, > and most individual committers *also* have their personal keys > automatically retrieved via people.apache (e.g. [3]). > > In an email thread on this topic Brian (McCallister) indicated that: > > Upon investigation, if release signing keys are published via >> https://people.apache.org/**keys/ <https://people.apache.org/keys/> then >> we don't need a KEYS file and should remove it. >> >> -Brian >> > > In that case, I'd be grateful if you could give some guidance on what the > validity of the other approaches (KEYS file published somewhere or group > KEYS file) is, and what we should do with those files, if anything. > > Thanks! > > > Andrew > > [1] > http://www.apache.org/dist/**incubator/jclouds/KEYS<http://www.apache.org/dist/incubator/jclouds/KEYS> > [2] > https://people.apache.org/**keys/group/jclouds.asc<https://people.apache.org/keys/group/jclouds.asc> > [3] > https://people.apache.org/**keys/committer/andrewp.asc<https://people.apache.org/keys/committer/andrewp.asc> > > ------------------------------**------------------------------**--------- > To unsubscribe, e-mail: > general-unsubscribe@incubator.**apache.org<[email protected]> > For additional commands, e-mail: > [email protected].**org<[email protected]> > > -- http://www.grobmeier.de https://www.timeandbill.de
