On Nov 22, 2009, at 5:27 PM, Uwe Schindler wrote:
We created new keys during the key-signing at ApacheCon and lots of committers upgraded to 4096. Mine is new and 4096 bit and also simonw and rmuir got new ones (now appearing in KEYS file).
Grant *replaced* his key in the KEYS file, but if Grant signed an older release on the Apache mirrors, it cannot be verified.
My key should contain both my old one and my new one, so it should still be all right. Also, the KEYS file is versioned, so someone can just get the rev from back then. KEYS should be packaged in the release, if they aren't already.
Should I revert the replacement and add the old and new pub key of Grant again before I publish the file? See also the code signing docs of Apache; there you find the hint "...keep all former keys available, even if you get new keys..."
-1