Re: Correct process for signing keys?

2013-06-02 Thread Christian Grobmeier
Hi Andrew,

here are some basic docs:

http://www.apache.org/dev/release-signing.html
http://www.apache.org/dev/openpgp.html#update

I could not find information on your specific question. At log4php we were
curious recently about the same and decided to go with this:
http://www.apache.org/dist/logging/log4php/KEYS

But we made sure it would match this:
https://people.apache.org/keys/group/logging-pmc.asc

Basically my understanding is the one from people would be fine alone.
There is some danger people would take the KEYS file from a mirror which is
to my knowledge not possible from people.

My 2 cents - hopefully somebody with more knowledge on that matter (infra)
can add a note.

Cheers



On Thu, May 30, 2013 at 10:44 PM, Andrew Phillips <andr...@apache.org> wrote:

 Hi all

 Apologies in advance if this is not the correct audience for this
 question: what is the correct process now for publishing signing keys for
 releases? jclouds currently has a KEYS file [1]; there is another
 (different) file containing keys in the groups list [2] on people.apache,
 and most individual committers *also* have their personal keys
 automatically retrieved via people.apache (e.g. [3]).

 In an email thread on this topic Brian (McCallister) indicated that:

  Upon investigation, if release signing keys are published via
 https://people.apache.org/keys/ then
 we don't need a KEYS file and should remove it.

 -Brian


 In that case, I'd be grateful if you could give some guidance on what the
 validity of the other approaches (KEYS file published somewhere or group
 KEYS file) is, and what we should do with those files, if anything.

 Thanks!


 Andrew

 [1] http://www.apache.org/dist/incubator/jclouds/KEYS
 [2] https://people.apache.org/keys/group/jclouds.asc
 [3] https://people.apache.org/keys/committer/andrewp.asc

 -
 To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
 For additional commands, e-mail: general-help@incubator.apache.org




-- 
http://www.grobmeier.de
https://www.timeandbill.de
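The practice Christian describes above (a project KEYS file kept in sync with the people.apache.org group file) can be checked mechanically by comparing the v4 fingerprints of the primary keys in each file rather than diffing the bytes. The following is an added example, not code from the thread or from ASF infrastructure: it parses the armored files itself (RFC 4880 packet headers, without partial-length support), so no gpg binary or network access is needed, and the sample keys are constructed with dummy RSA material.

```python
# Added example, not ASF tooling: cross-check a project KEYS file against the people.apache.org
# group file by v4 fingerprint (RFC 4880 sec. 12.2) instead of by raw bytes; sample keys are constructed.
import base64, hashlib, re

def dearmor(text):  # decoded payload of each armored block in a KEYS-style file
    for block in re.findall(r"-----BEGIN PGP[^\n]*\n(.*?)\n-----END PGP", text, re.S):
        b64 = [ln.strip() for ln in block.splitlines() if ln.strip() and ":" not in ln and ln.strip()[0] != "="]
        yield base64.b64decode("".join(b64))  # drops armor headers, the blank separator and the CRC24 line

def packets(data):  # yield (tag, body) for old- and new-format packet headers; no partial lengths
    i = 0
    while i < len(data):
        b, i = data[i], i + 1
        if b & 0x40:  # new format: tag in the low 6 bits, 1/2/5-octet length encoding
            tag, l0, i = b & 0x3F, data[i], i + 1
            if l0 < 192:
                n = l0
            elif l0 < 224:
                n, i = ((l0 - 192) << 8) + data[i] + 192, i + 1
            elif l0 == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths unsupported")
        else:  # old format: tag in bits 2-5, length width from the low 2 bits (3 = indeterminate)
            tag, width = (b >> 2) & 0x0F, (1, 2, 4, 0)[b & 0x03]
            if not width:
                raise ValueError("indeterminate length unsupported")
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + n]
        i += n

def fingerprints(text):  # v4 fingerprints of the primary public keys (tag 6) in an armored key file
    # SHA-1 over 0x99, the two-byte packet body length and the body itself (RFC 4880 sec. 12.2)
    return {hashlib.sha1(b"\x99" + len(b).to_bytes(2, "big") + b).hexdigest().upper()
            for blob in dearmor(text) for t, b in packets(blob) if t == 6 and b[0] == 4}

def missing_from_people(keys_file, people_file):  # keys KEYS publishes that the people.apache.org file lacks
    return fingerprints(keys_file) - fingerprints(people_file)

def fake_key(seed):  # constructed v4 RSA public-key packet body with dummy MPIs; not a real key
    mod = (seed * 0x9E3779B1 + 1).to_bytes(32, "big")
    return b"\x04\x51\xa8\x8a\x80\x01" + b"\x01\x00" + mod + b"\x00\x11\x01\x00\x01"

def armor(body):  # one tag-6 packet with an old-format header (as gpg emits it) in a PGP armor block
    b64 = base64.b64encode(bytes([0x98, len(body)]) + body).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n{b64}\n=crc0\n-----END PGP PUBLIC KEY BLOCK-----\n"

if __name__ == "__main__":  # constructed scenario: KEYS publishes two keys, people.apache.org only one
    print(missing_from_people(armor(fake_key(1)) + armor(fake_key(2)), armor(fake_key(1))))
```

Against real files, pass the KEYS text fetched from the non-mirrored apache.org/dist location and the group .asc text to missing_from_people; an empty set means every key the project publishes is also on people.apache.org.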


RE: Correct process for signing keys?

2013-06-02 Thread Dennis E. Hamilton
@Christian

The other advantage of the people list is that it is automatically updated from 
the federation of PGP key servers so it reflects the latest web of trust and 
also, I presume, any revocation.  

In some cases, PMC wide is a bit too generous though.  I think the release 
manager's Apache ID is better, using https://people.apache.org/keys/id.asc. 
 This is probably more confidence-inspiring than the web of trust itself for
those who do not participate in Apache projects and don't know who those folks 
who've counter-signed the certificate happen to be.  In that case, the lock to 
an ASF committer is valuable.  (It is unfortunate that committers and 
especially release managers are often not visible by their id@apache.org, 
thus providing even more confidence in the connection for observers.)

 - Dennis

PS: I notice I just did the thing I'm complaining about.  But I don't think 
orcmid@ a.o is subscribed to this list [;).




RE: Correct process for signing keys?

2013-06-02 Thread Andrew Phillips

Hi Christian, Dennis

Thanks for your responses and the links provided. By the sounds of it  
we're all roughly in the same position: aware of the different options  
and not 100% certain which is the current correct one, or if indeed  
all options are equally valid. Unfortunately, the docs also do seem to  
clearly identify which, if any, of the options is preferred.


@IPMC: would it be correct to infer that, at the present time, a
group or project KEYS file is fine but simply ensuring the release
managers' keys are available from people.apache would be sufficient
or, indeed, preferable?


Thanks!

ap

--
Andrew Phillips
jclouds




Re: Correct process for signing keys?

2013-06-02 Thread Benson Margulies
I think that the RM _must_ have a key, that the key must be part of a
KEYS file in svn/git, and that it _should_ be uploaded into their
Apache account, and it is more better if it is signed into the GWOT
(global web of trust).




Re: Correct process for signing keys?

2013-06-02 Thread Andrew Bayer
Well, I've got the first three, and will bug coworkers in the GWOT to sign
my key next week. =)

A.

On Sun, Jun 2, 2013 at 2:13 PM, Benson Margulies <bimargul...@gmail.com> wrote:
