I agree with Stefan: if someone isn't a release manager there's no reason
to add them, and it just increases the surface area for potential attack or
issue.

On Mon, Jan 7, 2019 at 11:35 AM Stefan Podkowinski <s...@apache.org> wrote:

> I don't see any reason to have any keys in there, except from release
> managers who are signing releases. Additional keys from other developers
> may even harm security, by creating more opportunities for compromising
> keys.
>
> On 07.01.19 11:29, Mick Semb Wever wrote:
> > And when should it get updated?
> >
> > Currently our KEYS file, that contains the public keys of those that can
> > sign released binary artifacts, only contains a few of the PMC. My
> > understanding is that we've avoided updating it because it causes headache
> > for operators in having to validate the authenticity of a new key that's
> > signed a binary when upgrading.
> >
> > If this is accurate, how prevalent is this problem actually on
> > operators? Do some operators download the KEYS fresh from apache.org
> > every release? Are the keys of our PMCs already in the existing web of
> > trust?
> >
> > I'm not knowledgeable on the precedent here for operators, and curious
> > what the community's stance is (and why)… And whether the time is
> > right to add all/more of our PMC to the file? And whether we should always add
> > new PMC to the file (if they're already in the web of trust?)?
> >
> > cheers,
> > Mick
> >
> > https://www.apache.org/info/verification.html#Validating
> > https://www.apache.org/dyn/closer.cgi#verify
> > https://dist.apache.org/repos/dist/release/cassandra/KEYS
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> > For additional commands, e-mail: dev-h...@cassandra.apache.org
> >
>

-- 
Jon Haddad
http://www.rustyrazorblade.com
twitter: rustyrazorblade
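Mick's question above is about what an operator actually does with the KEYS file at upgrade time, and in particular what happens when the artifact was signed by a key the operator has not seen before. The script below is an added example and is not code from this thread or from the Cassandra project. It imports the downloaded KEYS file into a throwaway keyring, verifies the detached `.asc` signature, and then accepts the artifact only if the signing key's fingerprint is one the operator pinned on an earlier upgrade; a valid signature from a key that merely appears in a freshly downloaded KEYS file is reported as `new-key` for a human to review rather than trusted automatically. It assumes GnuPG 2.x is on `PATH`, that the artifact, its `.asc` and KEYS are already downloaded, and that `PINNED_FPRS` holds previously recorded fingerprints; the fingerprints used in the comments and tests are constructed placeholders, not real release-manager keys.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list thread or the Cassandra project.
# Operator-side release verification against a pinned set of release-manager
# key fingerprints. A signature from an unpinned key is surfaced as "new-key"
# instead of being silently accepted just because the key is in KEYS.
set -eu

# Extract the fingerprint of the key behind gpg's VALIDSIG status line.
# Input is gpg's --status-fd output; prints nothing if no valid signature.
signing_fingerprint() {
  printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 if fingerprint $1 is in the whitespace-separated pinned list $2.
is_pinned() {
  fpr=$1
  pinned=$2
  for p in $pinned; do
    [ "$p" = "$fpr" ] && return 0
  done
  return 1
}

# Classify gpg status text against the pinned list. Prints one of:
#   ok       valid signature from a pinned (previously trusted) key
#   new-key  valid signature, but the key is not pinned yet: review it
#   bad      no valid signature at all
classify() {
  status_text=$1
  pinned=$2
  fpr=$(signing_fingerprint "$status_text")
  if [ -z "$fpr" ]; then
    echo bad
  elif is_pinned "$fpr" "$pinned"; then
    echo ok
  else
    echo new-key
  fi
}

# Verify real files. Usage: verify_release <artifact> <artifact.asc> <KEYS>
# PINNED_FPRS (environment) lists fingerprints recorded on earlier upgrades,
# e.g. "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555" (constructed placeholder).
verify_release() {
  artifact=$1; sig=$2; keys=$3
  home=$(mktemp -d)
  trap 'rm -rf "$home"' EXIT
  # Import KEYS into an isolated keyring so the operator's own keyring is untouched.
  gpg --homedir "$home" --batch --quiet --import "$keys"
  # --status-fd 1 emits the machine-readable [GNUPG:] lines parsed above.
  # gpg's exit status is deliberately ignored; VALIDSIG plus the pin decides.
  status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null || true)
  result=$(classify "$status" "${PINNED_FPRS:-}")
  echo "$result $(signing_fingerprint "$status")"
  [ "$result" = ok ]
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "${1:-}" ]; then
  verify_release "$@"
fi
```

When `verify_release` prints `new-key <fingerprint>`, the operator compares that fingerprint with the one announced by the release manager (for example in the release vote thread) before adding it to `PINNED_FPRS`; the script never adds a key to the pinned list on its own. Keeping the keyring in a temporary directory means a freshly fetched KEYS file cannot widen what the operator's regular `gpg` trusts.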
