@Christian The other advantage of the people list is that it is automatically updated from the federation of PGP key servers so it reflects the latest "web of trust" and also, I presume, any revocation.
In some cases, PMC wide is a bit too generous though. I think the release manager's Apache ID is better, using <https://people.apache.org/keys/<id>.asc>. This is probably more confidence-inspiring that the web of trust itself for those who do not participate in Apache projects and don't know who those folks who've counter-signed the certificate happen to be. In that case, the lock to an ASF committer is valuable. (It is unfortunate that committers and especially release managers are often not visible by their <id>@apache.org, thus providing even more confidence in the connection for observers.) - Dennis PS: I notice I just did the thing I'm complaining about. But I don't think orcmid@ a.o is subscribed to this list [;<). -----Original Message----- From: Christian Grobmeier [mailto:[email protected]] Sent: Sunday, June 2, 2013 01:24 AM To: [email protected] Subject: Re: Correct process for signing keys? Hi Andrew, here are some basic docs: http://www.apache.org/dev/release-signing.html http://www.apache.org/dev/openpgp.html#update I could not find information on your specific question. At log4php we were curious recently about the same and decided to go with this: http://www.apache.org/dist/logging/log4php/KEYS But we made sure it would match this: https://people.apache.org/keys/group/logging-pmc.asc Basically my understanding is the one from people would be fine alone. There is some danger people would take the KEYS file from a mirror which is to my knowledge not possible from people. My 2 cents- hopefully somebody with more knowledge on that matter (infra) can add a note. Cheers On Thu, May 30, 2013 at 10:44 PM, Andrew Phillips <[email protected]>wrote: > Hi all > > Apologies in advance if this is not the correct audience for this > question: what is the correct process now for publishing signing keys for > releases? jclouds currently has a KEYS file [1]; there is another > (different) file containing keys in the groups list [2] on people.apache, > and most individual committers *also* have their personal keys > automatically retrieved via people.apache (e.g. [3]). > > In an email thread on this topic Brian (McCallister) indicated that: > > Upon investigation, if release signing keys are published via >> https://people.apache.org/**keys/ <https://people.apache.org/keys/> then >> we don't need a KEYS file and should remove it. >> >> -Brian >> > > In that case, I'd be grateful if you could give some guidance on what the > validity of the other approaches (KEYS file published somewhere or group > KEYS file) is, and what we should do with those files, if anything. > > Thanks! > > > Andrew > > [1] > http://www.apache.org/dist/**incubator/jclouds/KEYS<http://www.apache.org/dist/incubator/jclouds/KEYS> > [2] > https://people.apache.org/**keys/group/jclouds.asc<https://people.apache.org/keys/group/jclouds.asc> > [3] > https://people.apache.org/**keys/committer/andrewp.asc<https://people.apache.org/keys/committer/andrewp.asc> > > ------------------------------**------------------------------**--------- > To unsubscribe, e-mail: > general-unsubscribe@incubator.**apache.org<[email protected]> > For additional commands, e-mail: > [email protected].**org<[email protected]> > > -- http://www.grobmeier.de https://www.timeandbill.de --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
