incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Code signing and WOT for releases
Date Tue, 26 Jul 2016 07:48:04 GMT
On 26/07/2016 08:19, Thorsten Schöning wrote:
> Hi all,
> the docs about release management for incubating projects make clear
> that the release needs to be signed[1] and in the end associated with
> the project AND the WOT of Apache in general[2].
> Is there some way to check what the owner of a PGP key for former
> releases has done to get his association to the WOT, if any? I would
> like to understand the needed process better and e.g. found the
> following:
> Are all those people/keys on this list someone who signed the key I
> searched for and provided association with the WOT this way?


> Are the mentioned possibilities in [2] the only way to get such an
> association to the WOT? I usually don't visit conferences or
> keysigning parties or such.

It depends on what the signer is prepared to accept as proof of
identity. In most cases, a face to face meeting is required.

> Am I correct that releases can't be published without such an
> association to the WOT at all and BEFOREHAND?


The release manager's key MUST be added to the project's KEY file
*before* signing the release.

The release manager MUST upload their key to a public key server (e.g. *before* signing the release

Releases MUST be signed.

The release manager SHOULD add their key to their profile on

The release manager SHOULD add their key to the ASF WoT at the earliest
opportunity. If you don't visit conferences then one option is to use
[3] to find a nearby committer who might be able to sign your key.



> Else one could sign and
> publish a release and loose the key afterwards or else and the release
> would be left without the needed association.
> Thanks!
> [1]:
> [2]:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message