I'm not sure where exactly this discussion should fit, but I know people
have brought up questions about ASF-wide signing of artifacts before, so
I'll just mention it on this list.

Fedora infrastructure has built a project called sigul:
https://fedorahosted.org/sigul/
which they use as part of their infrastructure to automate signing of RPMs
and ISOs and such.

ASF could set up a similar service for ASF-wide release signing.

This particular project looks like it has a GPL2 license on it, and I'm not
sure what the policy is for Fedora infrastructure, but for Fedora
packagers, contributions (under their ICLA) are MIT, so it's possible that
if we wanted to use this, and provide ASF-wide release signing, the Fedora
community would be willing to re-license under MIT if that were necessary
for us to consider using it.
