> On 15 Mar 2017, at 21:06, Eric Badger <ebad...@yahoo-inc.com> wrote: > > Verified signatures > - Minor note: Junping, I had a hard time finding your key. I grabbed the > keys for hadoop from > http://home.apache.org/keys/group/hadoop.asc > <http://home.apache.org/keys/group/hadoop.asc> and you had a key there, but > it wasn't the one that you signed this commit with. Then with some help from > Jason I found the correct key at > https://dist.apache.org/repos/dist/release/hadoop/common/KEYS > <https://dist.apache.org/repos/dist/release/hadoop/common/KEYS>. So it would > be nice if those were in sync. > Compiled from source > Deployed pseudo-distributed cluster > Ran some sample MR jobs
we need to do more key signing; the stuff in the various KEYS files have aged Alll ASF Committers can publish their ASF keys: https://people.apache.org/keys/committer/ <https://people.apache.org/keys/committer/> which you can retrieve on a committer-by-committer basis : junping https://people.apache.org/keys/committer/junping_du.asc <https://people.apache.org/keys/committer/junping_du.asc> me: https://people.apache.org/keys/committer/stevel.asc <https://people.apache.org/keys/committer/stevel.asc> Committers should log in to https://id.apache.org/ <https://id.apache.org/> and set them. Maybe that committer page should just be declared as the reference place to find keys; It bootstraps off the ASF HTTPS certificate for trusted D/L, and relies on login credentials being kept secure. But if not, well, people can publish code under your login, so signing is the least concern. -Steve
signature.asc
Description: Message signed with OpenPGP