incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Williams <>
Subject Re: KEYS and keys
Date Thu, 05 Sep 2013 12:55:55 GMT
On Wed, Sep 4, 2013 at 7:18 PM, sebb <> wrote:
> On 4 September 2013 02:31, Tim Williams <> wrote:
>> I notice that Chris just pointed[1] spark to the nifty keys
>> listing[1].  Our docs still imply manual maintenance of the typical
>> KEYS file[2].  Honestly, I didn't even know the ldap-driven one was
>> around.  I assume its fair for projects to just point to the
>> p.a.o/keys/groups/${project}.asc file nowadays vs. copying that over
>> periodically to KEYS?
> The KEYS file has historically been manually maintained.
> As new keys are used for signing releases, they are added to the file.
> However entries should not be deleted if they have ever been used to
> sign a release, otherwise it may not be possible to check the sigs of
> archived artifacts.
> LDAP does not have all historic keys, or even all historic RMs.
> So replacing the KEYS file with a copy from LDAP may lose keys needed
> for validating archived files.
> Directing users to the p.a.o/keys/groups/${project}.asc files should
> work for current releases.
> But even that has an problem - if the RM leaves a project whilst the
> release is still current, the project.asc file will no longer contain
> the RM's key
> The problem is even worse for older releases.
> People may create new keys and drop old ones which have been used for signing.
> People leave a project or the ASF and the LDAP entry is changed.
> I don't think the LDAP keys are really suitable for use as a KEYS file
> at present.

Great points, makes total sense, thanks for the clarification sebb!


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message