The documentation revisions seem just about ready now.
http://www.apache.org/dev/release-signing.html has been substantially
revised, and new pages have been added at http://www.apache.org/dev/openpgp.html and
http://www.apache.org/dev/key-transition.html. I think most of the
content needed is now ready, though I'm sure more improvements will continue.

I would like to road-test the instructions and documentation by starting
small and then rolling out to bigger groups. So, I'd like to ask for
early adopters to volunteer now to follow the appropriate set of
instructions. Next will be members, then all committers.

We really need all committers to have done this before the keysigning at
ApacheConUS, so I think we need to get this moving now.

I've attached a first draft of the instructional mail below.

Feedback, please :-)

And volunteers :-)

- robert


--8<--------------------------------------------------------------------
Recent research has revealed weaknesses in SHA-1, and thus in the DSA
and 1024-bit RSA OpenPGP keys which must use this algorithm. Though no
realistic attacks have been made public, experience with similar
weaknesses in MD5 suggests that further advances may well lead to
practical attacks within the next few years. This accords with current
NIST guidance on DSA.

The future impact of this weakness on Apache can be mitigated by action
now. What needs to be done is a little involved. So, complete
instructions have been prepared. Please read and follow them.

 * Committers with a DSA key or an RSA key of length less than 2048 bits
should generate a new key for signing releases. The original key does
not need to be revoked yet. Follow the instructions at
http://www.apache.org/dev/key-transition.html.
 * Committers with RSA keys of length 2048 or more do not need
to generate a new key yet. They should reconfigure their client
to avoid the weakness by following the instructions at
http://www.apache.org/dev/openpgp.html#sha1 and wait for the next
major OpenPGP revision.
 * Revised instructions for committers when they need to generate their
first key are available at
http://www.apache.org/dev/openpgp.html#generate-key.

For more details, see the revised release signing FAQ
(http://www.apache.org/dev/release-signing.html).

Please subscribe to the community list and ask questions there.

Feedback is welcomed and should be posted to the community list.

Robert
-------------------------------------------------------------------------

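As an added example (not part of Robert's mail or the Apache documentation), a shell check that applies the policy in the draft above to a `gpg --list-keys --with-colons` listing: DSA keys and RSA keys shorter than 2048 bits are flagged for replacement, RSA keys of 2048 bits or more are marked to keep with SHA-2 digest preferences, and anything else is marked for review. The key IDs in the embedded sample listing are constructed, and the algorithm numbers follow the OpenPGP registry (1/2/3 = RSA, 17 = DSA).

```shell
#!/bin/sh
# classify_keys: read "gpg --list-keys --with-colons" records on stdin and
# print "<keyid> <verdict>" for each primary key ("pub" record).
# Colon-format fields used: $3 = key length in bits, $4 = algorithm id, $5 = key id.
classify_keys() {
    awk -F: '$1 == "pub" {
        bits = $3 + 0; algo = $4 + 0; keyid = $5
        if (algo == 17)
            verdict = "NEW-KEY (DSA)"
        else if (algo == 1 || algo == 2 || algo == 3) {
            if (bits < 2048)
                verdict = "NEW-KEY (RSA " bits " bits)"
            else
                verdict = "OK (RSA " bits " bits; set SHA-2 digest prefs)"
        }
        else
            verdict = "REVIEW (algorithm " algo " not covered by this policy)"
        print keyid, verdict
    }'
}

# count_new_keys: number of primary keys on stdin that need a replacement key.
count_new_keys() {
    classify_keys | grep -c 'NEW-KEY'
}

# Constructed sample listing (not real keys) so the check runs without gpg:
# a 1024-bit DSA key, a 1024-bit RSA key, a 2048-bit RSA key and a 4096-bit RSA key.
SAMPLE_KEYS='pub:u:1024:17:0123456789ABCDEF:2004-01-01::u:::scESC:
uid:u::::2004-01-01::0000000000000000000000000000000000000000::Example DSA <dsa@example.invalid>:
pub:u:1024:1:1111222233334444:2006-03-15::u:::scESC:
pub:u:2048:1:FEDCBA9876543210:2009-06-01::u:::scESC:
pub:u:4096:1:1122334455667788:2009-06-01::u:::scESC:'

# With "--live" and gpg installed, check the real keyring; otherwise use the sample.
if [ "${1:-}" = "--live" ] && command -v gpg >/dev/null 2>&1; then
    gpg --list-keys --with-colons | classify_keys
else
    printf '%s\n' "$SAMPLE_KEYS" | classify_keys
fi
```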
