incubator-general mailing list archives

From Cédric Champeau <cedric.champ...@gmail.com>
Subject Re: Robot vs. personal KEYS for signing releases
Date Mon, 08 Jun 2015 12:55:39 GMT
Well I guess the debate is because of Groovy and our use of robot keys, so
"should" vs "must". If it's a should, I think we're ok. The reason we use
robot signing is automation. We want to avoid as much human intervention in
the release process as possible. That is to say, in the end, the whole
release process should be automated; only checking the artifacts should be
human based. This is not possible if we involve individual signatures.
Basically, for Groovy, before joining Apache, we used to automate
everything but checking the artifacts. It worked pretty well so far... Of
course one option is to put our private keys into the CI server but ahem...
I don't really like the idea of having my private key in the wild.

2015-06-08 14:50 GMT+02:00 Jake Farrell <jfarrell@apache.org>:

> The release manager should use their individual key, details on signing and
> keys are available at [1]
>
> -Jake
>
> [1]: http://www.apache.org/dev/release-signing.html
>
> On Mon, Jun 8, 2015 at 2:59 AM, Roman Shaposhnik <rvs@apache.org> wrote:
>
> > Hi!
> >
> > my recollection is that the collective opinion
> > was to discourage the use of KEYS of robots
> > for signing the releases and prefer individuals
> > do that with their keys.
> >
> > I remember a thread to that effect, but I can't
> > google it. Am I misremembering?
> >
> > Thanks,
> > Roman.
> >
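An added example (not from this thread, and not code from the Groovy or Apache projects) of the verification step the thread leaves to humans: check that a release's detached signature verifies over the exact artifact bytes, and that the signing key is one listed in the project's KEYS file. It uses Ed25519 from the Go standard library in place of OpenPGP/gpg so it runs offline; the KEYS file, the fingerprint scheme, the key seeds and the artifact contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeysFile stands in for a project's KEYS file: the public keys of the
// people allowed to sign releases, indexed by fingerprint.
type KeysFile map[string]ed25519.PublicKey

// Fingerprint derives a stable identifier for a public key (SHA-256 of the
// raw key bytes; an OpenPGP fingerprint is computed differently but plays
// the same role). Constructed scheme for this example.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// PublicOf returns the public half of a private key.
func PublicOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// NewKeysFile builds the trusted set from the listed public keys.
func NewKeysFile(pubs ...ed25519.PublicKey) KeysFile {
	kf := KeysFile{}
	for _, p := range pubs {
		kf[Fingerprint(p)] = p
	}
	return kf
}

// DetachedSig is what ships next to the artifact as its .asc: the
// signature plus the identity of the key that produced it.
type DetachedSig struct {
	SignerFingerprint string
	Signature         []byte
}

// SignRelease is the release manager's step, done with their own key.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) DetachedSig {
	return DetachedSig{
		SignerFingerprint: Fingerprint(PublicOf(priv)),
		Signature:         ed25519.Sign(priv, artifact),
	}
}

var (
	ErrUnknownSigner = errors.New("signing key is not listed in KEYS")
	ErrBadSignature  = errors.New("signature does not verify over the artifact")
)

// VerifyRelease is the human check: the signer must be in KEYS, and the
// signature must verify over the bytes being released. A valid signature
// from a key that is not in KEYS (a robot key nobody listed, or an
// attacker's key) is rejected outright, not merely flagged.
func VerifyRelease(keys KeysFile, artifact []byte, sig DetachedSig) error {
	pub, ok := keys[sig.SignerFingerprint]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, artifact, sig.Signature) {
		return ErrBadSignature
	}
	return nil
}

// keyFromSeed makes a deterministic key pair from a constructed label so the
// example runs offline; real signing keys come from the signer's own keygen.
func keyFromSeed(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label)) // constructed seed, not a real key
	return ed25519.NewKeyFromSeed(seed[:])
}

func main() {
	releaseManager := keyFromSeed("release-manager-personal-key") // constructed
	robot := keyFromSeed("ci-robot-key")                          // constructed
	keys := NewKeysFile(PublicOf(releaseManager))                 // only the RM is in KEYS

	artifact := []byte("groovy-x.y.z-src.zip contents (constructed)")

	fmt.Println("signed by release manager:", VerifyRelease(keys, artifact, SignRelease(releaseManager, artifact)))
	fmt.Println("signed by robot key:       ", VerifyRelease(keys, artifact, SignRelease(robot, artifact)))

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1 // one flipped bit after signing
	fmt.Println("tampered artifact:        ", VerifyRelease(keys, tampered, SignRelease(releaseManager, artifact)))
}
```

The order of the two checks matters: looking the signer up in KEYS first means a signature from an unlisted key never reaches cryptographic verification, so "the signature is valid" can never be mistaken for "the release is trusted". With real gpg the same two steps are importing KEYS into a clean keyring, running `gpg --verify` on the .asc, and confirming the reported key is one of the release managers' rather than one gpg happened to find elsewhere.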
