incubator-general mailing list archives

From David Nalley <>
Subject Re: Robot vs. personal KEYS for signing releases
Date Mon, 08 Jun 2015 15:41:36 GMT
On Mon, Jun 8, 2015 at 9:40 AM, Cédric Champeau
<> wrote:
> We are not using the Apache CI servers for that but our own CI server. IMHO
> you should make a difference between building and checking. Building should
> be automated as much as possible. Checking the release is a human job.
> There are lots of reasons why we stopped releasing from a local computer
> years ago.

Who has access to the keys? How are they secured, and what's the plan
for going forward with that? (and this should all be documented) I ask
this because I know of more than one project that has had a
'centralized key' to sign with; but which the PMC didn't control; and
that eventually caused problems when the person with access to the key
disappeared from the community.

As Jake said, I personally wouldn't entrust keys to the ASF's general
purpose CI infrastructure, but I haven't seen anything that
immediately sets off klaxons in my head.

