incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Cédric Champeau <>
Subject Re: Robot vs. personal KEYS for signing releases
Date Tue, 09 Jun 2015 10:13:59 GMT
2015-06-08 17:41 GMT+02:00 David Nalley <>:

> On Mon, Jun 8, 2015 at 9:40 AM, Cédric Champeau
> <> wrote:
> > We are not using the Apache CI servers for that but our own CI server.
> > you should make a difference between building and checking. Building
> should
> > be automated as much as possible. Checking the release is a human job.
> > There are lots of reasons why we stopped releasing from a local computer
> > years ago.
> Who has access to the keys? How are they secured, and what's the plan
> for going forward with that? (and this should all be documented) I ask
> this because I know of more than one project that has had a
> 'centralized key' to sign with; but which the PMC didn't control; and
> that eventually caused problems when the person with access to the key
> disappeared from the community.

The key is on the CI server. All PMC members have access to it. It is also
on Bintray. I have signed the key too.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message