Re: Storing PGP Key for Publishing packages

2018-10-17 Thread Pedro Larroy
Do nightly artifacts need to be signed? For releases, what you wrote and what
Apache recommends makes total sense. Thus artifacts from CD can't be signed
manually.

Pedro

> On 17. Oct 2018, at 22:29, Naveen Swamy  wrote:
> 
> I am collaborating with Zach Kimberg and Qing to work on automatic publishing
> (currently it's very tedious and time consuming) of the MXNet-Scala Maven
> package to the Apache Snapshot repo (either nightly or weekly). For publishing
> the package, the artifacts need to be signed with a committer's key; however,
> Zach found that Apache seems to strictly advise against storing the PGP keys,
> so I suggested looking at what Spark is doing, and he found that they are
> releasing to Apache Snapshots as a nightly job, so they have got to be storing
> the credentials on the host.
> I am looking for advice from Mentors on how to proceed with this.
> 
> One option (not preferable) is to publish to a private repo or an S3 bucket,
> and only during the release, so that the keys continue to remain in the
> committers' control.
> 
> -- Advice on PGP key storage on the Apache website --
> 
> 
> “It is recommended that you create a PGP key for your apache.org address
> now (or add that address to an existing key, if you have one). *DO NOT* create
> this key on any machine to which multiple users have access and *DO NOT*,
> ever, copy your private key to any other shared machine. Release managers
> need to take particular care of keys used to sign releases.”
> (https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys)
> 
> “Strictly speaking, releases must be *verified* on
> hardware owned and controlled by the committer. That means hardware the
> committer has physical possession and control of and exclusively full
> administrative/superuser access to. That's because only such hardware is
> qualified to hold a PGP private key, and the release should be verified on
> the machine the private key lives on or on a machine as trusted as that.”
> (https://www.apache.org/legal/release-policy.html#release-signing)
> 
> ---
> 
> 
> Thanks, Naveen


Storing PGP Key for Publishing packages

2018-10-17 Thread Naveen Swamy
I am collaborating with Zach Kimberg and Qing to work on automatic publishing
(currently it's very tedious and time consuming) of the MXNet-Scala Maven
package to the Apache Snapshot repo (either nightly or weekly). For publishing
the package, the artifacts need to be signed with a committer's key; however,
Zach found that Apache seems to strictly advise against storing the PGP keys,
so I suggested looking at what Spark is doing, and he found that they are
releasing to Apache Snapshots as a nightly job, so they have got to be storing
the credentials on the host.
I am looking for advice from Mentors on how to proceed with this.

One option (not preferable) is to publish to a private repo or an S3 bucket,
and only during the release, so that the keys continue to remain in the
committers' control.

-- Advice on PGP key storage on the Apache website --


“It is recommended that you create a PGP key for your apache.org address
now (or add that address to an existing key, if you have one). *DO NOT* create
this key on any machine to which multiple users have access and *DO NOT*,
ever, copy your private key to any other shared machine. Release managers
need to take particular care of keys used to sign releases.”
(https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys)

“Strictly speaking, releases must be *verified* on
hardware owned and controlled by the committer. That means hardware the
committer has physical possession and control of and exclusively full
administrative/superuser access to. That's because only such hardware is
qualified to hold a PGP private key, and the release should be verified on
the machine the private key lives on or on a machine as trusted as that.”
(https://www.apache.org/legal/release-policy.html#release-signing)

 ---


Thanks, Naveen
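The split that Naveen's message leaves open, shown as an added shell example (not code from this thread or from the MXNet project): a nightly job signs with a dedicated automation key that is safe to lose, the committer's key never goes near the CI host, and release verification checks the signer's primary-key fingerprint against an allow list instead of trusting any "Good signature". It assumes GnuPG 2.1 or later on PATH; the user IDs, the artifact filename and the allow list are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the MXNet thread or project. Assumes GnuPG 2.1+ is on
# PATH; the user IDs, artifact name and allow list are constructed for the demo.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"     # throwaway keyring; ~/.gnupg is never touched
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# gen_key UID EXPIRY -> prints the primary-key fingerprint.
# The "committer" key stands in for one that really lives only on committer-owned
# hardware; the "CI" key is a separate short-lived automation key.
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" ed25519 sign "$2" >/dev/null 2>&1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}
COMMITTER_FPR=$(gen_key "Committer <committer@example.org>" 1y)
CI_FPR=$(gen_key "Nightly CI <ci@example.org>" 1d)

# Constructed stand-in for the Maven artifact a nightly job would upload.
ARTIFACT="$WORK/mxnet-full_2.11-SNAPSHOT.jar"
printf 'placeholder jar contents, constructed for the example\n' > "$ARTIFACT"

# sign_with FPR FILE OUT: detached, ASCII-armoured signature, i.e. the .asc
# that the Maven gpg plugin uploads next to the artifact.
sign_with() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --local-user "$1" --armor --detach-sign --output "$3" "$2"
}
sign_with "$COMMITTER_FPR" "$ARTIFACT" "$ARTIFACT.release.asc"
sign_with "$CI_FPR"        "$ARTIFACT" "$ARTIFACT.nightly.asc"

# Release verification. "gpg --verify" exits 0 for a good signature from ANY
# key in the keyring, so a CI key (or a key someone merely imported) would
# pass. Pin the signer's primary-key fingerprint to an allow list instead; in a
# real project that list is the set of fingerprints published in KEYS.
RELEASE_ALLOWLIST="$COMMITTER_FPR"

# verify_release FILE ASC -> 0 only if the signature is good AND the primary
# key that made it is allow-listed.
verify_release() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  # VALIDSIG's last field is the primary-key fingerprint even if a subkey signed.
  signer=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
  [ -n "$signer" ] || return 1
  for allowed in $RELEASE_ALLOWLIST; do
    [ "$signer" = "$allowed" ] && return 0
  done
  return 1
}

# Demo: the committer-signed file is accepted, the CI-signed one is rejected,
# although plain "gpg --verify" reports both as good signatures.
if verify_release "$ARTIFACT" "$ARTIFACT.release.asc"; then
  echo "release.asc: accepted, signer $COMMITTER_FPR is allow-listed"
fi
if ! verify_release "$ARTIFACT" "$ARTIFACT.nightly.asc"; then
  echo "nightly.asc: rejected, signer $CI_FPR is an automation key, not a release key"
fi
```

The point of the allow list is that a key stored on a shared CI host can be treated as low-trust without weakening releases: if a nightly job needs to sign at all, it signs with its own key, that key's fingerprint is simply never added to the release allow list, and a leaked CI key cannot produce anything a release consumer would accept. Checking only the exit status of `gpg --verify` gives no such separation.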