Hi; As you have already know that KEYS file contains public keys of committers. But I learned that it must contain Apache specific e-mail address instead of containing "gmail or yahoo" specific addresses. It proves that artifacts are signed by the Apache Committer.
Mark, could you update KEYS file in regard to above concern?
Thanks;
--Gurkan
