On Mon, Mar 20, 2017 at 5:30 AM, Steve Loughran <ste...@hortonworks.com>
wrote:

>
> On 15 Mar 2017, at 21:06, Eric Badger <ebad...@yahoo-inc.com> wrote:
>
> Verified signatures
>  - Minor note: Junping, I had a hard time finding your key. I grabbed the
> keys for hadoop from
> http://home.apache.org/keys/group/hadoop.asc and you had a key there, but
> it wasn't the one that you signed this commit with. Then with some help
> from Jason I found the correct key at
> https://dist.apache.org/repos/dist/release/hadoop/common/KEYS. So it
> would be nice if those were in sync.
> Compiled from source
> Deployed pseudo-distributed cluster
> Ran some sample MR jobs
>
>
>
> we need to do more key signing; the stuff in the various KEYS files has
> aged
>
> All ASF Committers can publish their ASF keys:
>
> https://people.apache.org/keys/committer/
>
> which you can retrieve on a committer-by-committer basis:
>
> junping https://people.apache.org/keys/committer/junping_du.asc
> me: https://people.apache.org/keys/committer/stevel.asc
>
> Committers should log in to https://id.apache.org/ and set them.
>
> Maybe that committer page should just be declared as the reference place
> to find keys; it bootstraps off the ASF HTTPS certificate for trusted D/L,
> and relies on login credentials being kept secure. But if not, well, people
> can publish code under your login, so signing is the least concern.
>
>
Hi Steve,

I said this in a previous email in this thread, but per INFRA we're not to
rely on the keys set on id.apache.org for release verification. Keys need
to be added to the dist KEYS file.

Best,
Andrew
