incubator-general mailing list archives

From "robert burrell donkin" <>
Subject Re: Write-up on release signing/verification
Date Tue, 30 Jan 2007 13:18:20 GMT
On 1/30/07, Ted Husted <> wrote:
> If it's helpful, the notes we are using for the Struts 2 release under
> Maven are here:
> *
> They are very specific, mainly because I'm getting on in years, and if
> we don't have specific notes, I forget how to do things :)

cool :-)

the problem with creating specific notes for the apache site is that
they may contain stuff that some consider bad practice. for example, i
have major issues with the standard maven advice (which is to give the
passphrase on the command line) and would consider -1 any attempt
to add that to the apache site. you *really* shouldn't be doing that
with any primary apache code signing key.

if you're going to use maven, i'd recommend dual signing: once with a
limited subkey and then adding a second secure key using the primary
code signing key store on removable media and signed from a live CD.

- robert
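
The concern about giving the passphrase on the command line, shown as an added example that is not part of the original message: process arguments can be read by other local users while the build runs, and this script audits for that. It assumes Linux `/proc`, the Maven GPG plugin property `-Dgpg.passphrase` and gpg's `--passphrase` option as the flags to look for; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find signing passphrases exposed as process arguments.
# Assumption: Linux, where /proc/<pid>/cmdline is readable by other local
# users by default, so an argument is visible for as long as the build runs.

# Return 0 if a command line passes a passphrase as an argument.
# Flags checked: Maven GPG plugin -Dgpg.passphrase=..., gpg --passphrase.
# --passphrase-fd (secret arrives on a descriptor, not in argv) is not flagged.
has_cli_passphrase() {
    case "$1" in
        *-Dgpg.passphrase=*|*--passphrase=*|*"--passphrase "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan a proc-style tree (default /proc); print "pid<TAB>program" per offender.
# Only the program name is printed, never the secret.
scan_proc() {
    root="${1:-/proc}"
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        line=$(tr '\000' ' ' 2>/dev/null < "$f")   # argv is NUL-separated
        if has_cli_passphrase "$line"; then
            pid=${f%/cmdline}; pid=${pid##*/}
            printf '%s\t%s\n' "$pid" "${line%% *}"
        fi
    done
}

# Constructed sample: three fake processes in a temporary proc-style tree.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/101" "$tmp/102" "$tmp/103"
    printf 'mvn\000-Dgpg.passphrase=constructed-secret\000release:perform\000' > "$tmp/101/cmdline"
    printf 'gpg\000--armor\000--detach-sign\000release.tar.gz\000' > "$tmp/102/cmdline"
    printf 'gpg\000--batch\000--passphrase\000constructed-secret\000--detach-sign\000release.tar.gz\000' > "$tmp/103/cmdline"
    scan_proc "$tmp"
    rm -rf "$tmp"
}

demo
```

Calling `scan_proc` with no argument checks the live process table instead of the constructed sample.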
