On Thu, Sep 3, 2015 at 12:17 PM, P. Taylor Goetz <[email protected]> wrote:
> Notes:
> * The key used to sign the release has not been signed by anyone else
> @apache.org, so is not in the Apache web of trust [1]. I’d encourage Kylin
> release manager(s) to exchange public keys with others in the Apache
> community.
+1, but anybody who reviews the release also has the option of signing it
themselves -- and if any of the other signers are linked into the web of
trust, problem solved.
http://www.apache.org/dev/release#what-must-every-release-contain
Folks who vote +1 for release may offer their own cryptographic signature
to be concatenated with the detached signature file (at the Release
Manager's discretion) prior to release.
Here's an example from the Subversion folks:
http://archive.apache.org/dist/subversion/subversion-1.9.1.tar.gz.asc
They handle the mechanics by appending their sig to the local .asc file and
then committing to the release candidate dir on dist.apache.org.
I've occasionally thought that this would be a nice (optional) custom for the
Incubator to adopt, because we often have Release Managers who are not yet
tied into the web of trust and because it presents an opportunity to impart
knowledge during the release thread.
Marvin Humphrey
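As an added illustration of the mechanics discussed above (this is not code from the thread, from Subversion, or from any Apache tooling): a concatenated .asc file is just several ASCII-armored OpenPGP signature blocks back to back, and gpg verifies each of them in turn. The small inspector below parses such a file offline, checks each armor block's CRC24, walks the OpenPGP packets, and reports the version, algorithms and issuer key ID of every signature packet, so a release manager or voter can see at a glance how many signers are on the file before committing it to the dist directory. The sample signatures, their key IDs, the hash bits and the MPI are constructed dummies (the packets are structurally valid but not real signatures); only v4 signature packets and the classic 8-byte issuer subpacket are decoded.

```python
import base64
import re

ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----", re.S)


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def decode_armor(block: str) -> bytes:
    """Decode one armored body (optional 'Key: value' headers, base64, '=CRC') and verify the CRC."""
    lines = [ln.strip() for ln in block.splitlines()]
    lines = [ln for ln in lines if ln and ":" not in ln]   # drop blank lines and armor headers
    data_lines, crc_b64 = [], None
    for ln in lines:
        if ln.startswith("="):                              # checksum line
            crc_b64 = ln[1:]
            break
        data_lines.append(ln)
    data = base64.b64decode("".join(data_lines))
    if crc_b64 is not None:
        expected = int.from_bytes(base64.b64decode(crc_b64), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC mismatch: file is corrupt or truncated")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2); old and new headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                      # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            n = 1 << ltype
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def iter_subpackets(area: bytes):
    """Yield (type, payload) for each signature subpacket; the critical bit is stripped."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[pos + 1] + 192, 2
        else:
            length, hdr = int.from_bytes(area[pos + 1:pos + 5], "big"), 5
        body = area[pos + hdr:pos + hdr + length]
        yield body[0] & 0x7F, body[1:]
        pos += hdr + length


def parse_signature(body: bytes) -> dict:
    """Summarize a signature packet (tag 2); issuer key ID is taken from subpacket type 16."""
    info = {"version": body[0], "sig_type": body[1], "pubkey_alg": body[2],
            "hash_alg": body[3], "issuer": None}
    if body[0] != 4:
        return info                   # v3 layouts differ and are not decoded here
    pos, areas = 4, []
    for _ in range(2):                # hashed area first, then unhashed
        n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        areas.append(body[pos:pos + n]); pos += n
    for area in areas:
        for sp_type, payload in iter_subpackets(area):
            if sp_type == 16 and len(payload) == 8 and info["issuer"] is None:
                info["issuer"] = payload.hex().upper()
    return info


def summarize_detached_signatures(asc_text: str) -> list:
    """Return one summary dict per signature packet found across all armor blocks in the file."""
    return [parse_signature(body)
            for m in ARMOR_RE.finditer(asc_text)
            for tag, body in iter_packets(decode_armor(m.group(1))) if tag == 2]


def make_test_signature_block(issuer_keyid: bytes) -> str:
    """Constructed, non-cryptographic v4 signature packet wrapped in armor (demo input only)."""
    body = bytes([4, 0x00, 1, 8])                           # v4, binary-document sig, RSA, SHA-256
    body += b"\x00\x00"                                     # empty hashed subpacket area
    issuer_sp = bytes([9, 16]) + issuer_keyid               # len 9 = type byte + 8-byte key ID
    body += len(issuer_sp).to_bytes(2, "big") + issuer_sp   # unhashed area holding the issuer
    body += b"\x12\x34" + (16).to_bytes(2, "big") + b"\xab\xcd"  # dummy hash prefix and MPI
    packet = bytes([0x88, len(body)]) + body                # old-format CTB: tag 2, 1-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")


# Constructed sample: the release manager's block with a reviewer's block appended after it.
RM_KEYID = bytes.fromhex("0123456789ABCDEF")
REVIEWER_KEYID = bytes.fromhex("FEDCBA9876543210")
SAMPLE_ASC = make_test_signature_block(RM_KEYID) + make_test_signature_block(REVIEWER_KEYID)

if __name__ == "__main__":
    for sig in summarize_detached_signatures(SAMPLE_ASC):
        print(sig)
```

This only inspects structure; it does not check the signatures against the tarball. For that, keep using gpg on the artifact and its .asc, which reports each concatenated signature separately, and use the issuer list above to confirm that at least one signer is linked into the web of trust before committing the file.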