Great! I'll keep an eye out so we can propose stealing what you come up with for xml.apache.org as well... 8-)
Suggestions/comments/questions:

-- Focus on overall how-to steps for the release process and signing 'public' distribution units; I can volunteer to do QA on any instructions you come up with.

-- The dev.apache.org stuff is a good start, but very C and Unix-centric. Plus very terse; hopefully over time we can come up with a friendlier version.

-- PGP or GPG or either? (I'm pretty sure those are the two real contenders.) In theory they're compatible with each other somehow, but I've never been able to get it to work. I prefer PGP since I like having the flashy GUI in the 6.x/7.x versions, but I could understand someone philosophically or whatever wanting to use GPG. As long as we provide basic instructions for someone to verify a distro, either should be fine.

-- As noted, a release signer's key must be in the KEYS file that was previously checked in and gets stuck inside the distro. We should also suggest that release signers consider posting public keys to well-known keyservers when possible.

-- Key management: We hashed this out on general@xml a while back (and I'm sure other places): realistically, I think the only practical thing is to have individual committers use their own personal keys for signing, and have each project manage their own keys. Given how the ASF works, I don't think we're going to have 'official' ASF master keys anytime soon. If there were a site-wide KEYS file in CVS that projects could *choose* to use instead, that would be fine too.

-- Key signing: Since we're having individual committers sign releases, we should encourage folks to sign each other's keys. This way, when a user tries to verify a release versus the .sig, even if they don't know the individual who signed the distro, they might know someone else who signed their key, establishing at least some level of trust. You should remember to allow your signature of someone else's public key to be exportable too. I've tried to cross-sign keys in xml-land; if there are jakartaites who know me, I'd be happy to do the same here.

-- Separate out any discussion of signing .jar files. Actually using Java's jar signing abilities is more complex and has a variety of technical code issues that each project will probably have to consider separately from signing the distros.

- Shane

---- Stefan Bodewig <[EMAIL PROTECTED]> wrote ----
> Ted Husted <[EMAIL PROTECTED]> wrote:
> > then I was volunteering to draft the general Release HOWTO, and
> > asking if anyone had any existing documentation about this that they
> > wanted to share.
> I'd start with this one <http://dev.apache.org/how-to-release.html>.
> Stefan

===== <eof aka="mailto:[EMAIL PROTECTED]" .sig="2002 The palindromic year 2002"/>
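The release-signing and verification workflow the message above is asking for (detached signature on the distribution unit, signer's public key published in a KEYS file, a user verifying from a clean keyring using only that KEYS file), as an added example that is not part of the original thread and not an ASF how-to. It assumes the GnuPG command-line tool `gpg`; the key name `release@example.invalid`, the tarball `example-1.0.tar.gz` and the temporary directories are hypothetical, and the throwaway key is generated inline in place of a committer's real personal key.

```shell
#!/bin/sh
# Added example (not from the original thread): sign a release tarball with a
# detached PGP signature, publish the signer's public key in a KEYS file, and
# verify the tarball from a clean keyring using nothing but that KEYS file.
# Everything is constructed inline: the "release" is a throwaway tarball and
# the signing key is generated into a temporary GNUPGHOME. The names
# release@example.invalid and example-1.0.tar.gz are hypothetical.
# Returns 0 on success, 77 if gpg is not installed, 1 on any failure.
release_sign_verify_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 77; }

    work=$(mktemp -d) || return 1
    signer_home="$work/signer"; verifier_home="$work/verifier"
    mkdir -p "$signer_home" "$verifier_home" || return 1
    chmod 700 "$signer_home" "$verifier_home"   # gpg warns on open permissions

    # 1. The release manager's key. Generated here without a passphrase so the
    #    example runs unattended; a real committer uses their own personal key.
    cat >"$work/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Release Manager
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$signer_home" gpg --batch --quiet --gen-key "$work/params" || return 1

    # 2. A constructed distribution unit.
    mkdir -p "$work/src/example-1.0" && echo "hello" >"$work/src/example-1.0/README"
    (cd "$work/src" && tar -czf "$work/example-1.0.tar.gz" example-1.0) || return 1

    # 3. Detached, ASCII-armored signature placed next to the tarball.
    #    (Without --armor gpg writes a binary signature, usually named .sig.)
    GNUPGHOME="$signer_home" gpg --batch --yes --armor --detach-sign \
        --output "$work/example-1.0.tar.gz.asc" "$work/example-1.0.tar.gz" || return 1

    # 4. The signer's public key goes into the KEYS file shipped with the distro.
    GNUPGHOME="$signer_home" gpg --batch --armor --export release@example.invalid \
        >"$work/KEYS" || return 1

    # 5. A user with an empty keyring imports KEYS and verifies. --status-fd gives
    #    a machine-readable GOODSIG line instead of relying on the exit code alone.
    GNUPGHOME="$verifier_home" gpg --batch --quiet --import "$work/KEYS" || return 1
    status=$(GNUPGHOME="$verifier_home" gpg --batch --status-fd 1 \
        --verify "$work/example-1.0.tar.gz.asc" "$work/example-1.0.tar.gz" 2>/dev/null)
    case "$status" in
        *"[GNUPG:] GOODSIG "*) ;;
        *) echo "verification of untampered tarball failed"; return 1 ;;
    esac

    # 6. Negative check: one appended byte must make verification fail.
    printf 'x' >>"$work/example-1.0.tar.gz"
    if GNUPGHOME="$verifier_home" gpg --batch --verify \
        "$work/example-1.0.tar.gz.asc" "$work/example-1.0.tar.gz" 2>/dev/null; then
        echo "tampered tarball verified; something is wrong"; return 1
    fi

    # Cleanup: stop any agents GnuPG 2.x started for the temporary homes.
    if command -v gpgconf >/dev/null 2>&1; then
        GNUPGHOME="$signer_home" gpgconf --kill gpg-agent 2>/dev/null
        GNUPGHOME="$verifier_home" gpgconf --kill gpg-agent 2>/dev/null
    fi
    rm -rf "$work"
    echo "signed, published key, verified good signature, rejected tampered tarball"
    return 0
}
```

A GOODSIG here only proves that the tarball matches a key found in KEYS. Since KEYS travels inside the distribution, someone who can replace the tarball can replace KEYS too, so a careful user fetches KEYS (or the signer's key fingerprint) from a source other than the download mirror, such as a keyserver, and checks who has signed that key. That is where the cross-signing suggestion above pays off: in GnuPG, `gpg --sign-key` produces an exportable certification that keyservers will carry, while `gpg --lsign-key` produces a local one that stays in your own keyring.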
