lucenenet-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Troy Howard <thowar...@gmail.com>
Subject Re: [Lucene.Net] Re: Signing Binary Releases
Date Tue, 22 Feb 2011 20:10:32 GMT
Stefan,

Thanks so much for the explanation. This is much clearer.

I found that we have an extant KEYS.TXT at:

https://svn.apache.org/repos/asf/incubator/lucene.net/site/download/KEYS.txt

Would it be acceptable to simply add to that file, or is this file in
the wrong location?

Thanks,
Troy


On Mon, Feb 21, 2011 at 9:38 PM, Stefan Bodewig <bodewig@apache.org> wrote:
> On 2011-02-21, Troy Howard wrote:
>
>> Stefan - You indicated that the Apache signing process is
>> straightforward and simple, but the documentation is kind of all over
>> the place.
>
> I've never read any of it ;-)
>
>> It discusses so many edge cases and different methods for doing this
>> that it's hard to know what the correct one is.  I might be missing
>> something. Do you mind breaking it down for me in a very simple step
>> by step manner?
>
> I'll try but skip over the details since they ultimately depend on the
> OpenPGP implementation you use.  The only implementations I have ever
> used were a self-compiled PGP 2.6.x more than ten years ago and several
> versions of GnuPG, all of them running on Linux - and I've never used
> any GUI of any kind.
>
> If anything I write below is unclear, please ask and I'll try to figure
> out the correct answer.  Maybe even by reading the ASF documentation.
>
> First of all you need an OpenPGP implementation.  I use GnuPG, you might
> prefer something graphical.
>
> Then you need a key pair.  This should be straight forward to create
> with your OpenPGP implementation.  It may be best to pick the defaults
> offered as algorithms and the longest key length your implementation
> offers.
>
> In retrospect it may have been a good idea if I had created my key in a
> way that it expired after ten years since the key length of my key will
> no longer be sufficient in a few years (if it still is today).  But then
> again I can simply create a new one and stop using the old one at one
> point in time.
>
> The next step is to publish the key.  There are key servers and
> publishing you key there is a command line option in GnuPG.  Most of the
> key servers have a web frontend where you can simply add your ASCII
> armored exported key as well.  For example <http://pgpkeys.mit.edu/>.
> The key servers automatically propagate keys from one server to the
> others so it is sufficient to publish to a single server.
>
> You should also create a file called KEYS and add it to Lucene.NET's svn
> area so all developers can add their keys to it.  This one will later be
> published in http://www.apache.org/dist/ as the authoritative source.
> For an example that also explains how to create the file see
> <http://svn.apache.org/repos/asf/ant/antlibs/common/trunk/KEYS>
>
> The most difficult part is getting your key signed by others.  There is
> no general rule.  You must try to find people who are willing to sign
> your key.  Most people will only do so if you meet F2F so try to contact
> ASF people living close to you.  All bigger ASF events have key signing
> parties just for this purpose.
>
> If your key isn't signed by anybody else you can certainly still sign
> the releases with it - users are just less likely to have chain of trust
> leading to your key.  In reality they likely won't have one anyway.
>
> Finally you create the distribution artifact the way you always did.
> Once done you create a detached signature for each of the distribution
> artifacts.  I.e. if you have foo-1.0-src.zip you sign it which creates
> foo-1.0-src.zip.asc.  You publish both of them side by side.  That is
> really all that needs to be done.
>
> On the download page the link to foo-1.0-src.zip will point to the ASF
> mirror system while the one to foo-1.0-src.zip.asc will always point to
> www.apache.org.
>
> Stefan
>

Mime
View raw message