We created new keys during the key-signing on ApacheCon and lot's of committers upgraded to 4096. Mine is new and 4096 bit and also simonw and rmuir got new ones (now appearing in KEYS file).
Grant *replaced* his key in the KEYS file, but if Grant signed an older release on the Apache mirrors, it cannot be verified. Should I revert the replacement and add the old and new pub key of Grant again before I publish the file? See also the code signing docs of Apache, there you find the hint "...keep all former keys available, even if you get new keys..." Uwe ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
