Adam - Thank you so much!! Will buy you coffee and a paper cup.
James

On Tue, Mar 4, 2025 at 1:05 PM Adam Monsen <[email protected]> wrote:
>
> I humbly submit for your consideration this patch to improve the KEYS file.
> Please review and help apply it against dev/fineract/KEYS at r75241 from
> https://dist.apache.org/repos/dist , and/or help me perfect it.
>
> I say "dev KEYS file" because we currently have two out of sync files with
> committer keys. This has been the case for quite a while now, even before we
> added a newline yesterday to fix James's public key in "dev" (svn r75241).
> That's why my patch from yesterday looked so odd (one key missing)... I was
> working against the release KEYS file and assumed it was the same as the dev
> KEYS file. Here are the two files:
>
> dev: https://dist.apache.org/repos/dist/dev/fineract/KEYS
> release: https://dist.apache.org/repos/dist/release/fineract/KEYS
>
> The first one has a key from Manoj Mohanan (id: 0xB87CFCD0AE2E7E6F), the
> second does not. Please advise... should the key be included? Anyway, that
> explains why my earlier patch "deleted" Manoj's key.
>
> Regardless of the Manoj key issue, the attached patch may be applied to
> document each individual key and add explanatory text to the top of the file
> following guidance from
> https://infra.apache.org/release-signing.html#keys-policy . I reckon it'll be
> useful. 😉
>
> Assuming we move forward and apply that patch, I'll then suggest simply
> copying the resulting KEYS file to release/fineract/KEYS. These should be
> kept in sync to make our lives simpler. And before you rightly ask why both
> exist: This is per https://infra.apache.org/release-signing.html#keys-policy
> (they are expected to match detached signatures found in sub-directories)
>
> 📣 Here's another shameless plug for keysigning parties and the web of trust.
> Both are truly elegant and empowering ways to, paradoxically, not have to
> trust what you find on one or other download page, rather, to leverage
> personal human connections and the strongest encryption we have at our
> disposal to provide strong assurances of data integrity and sender intent.
>
> 🔐 improve-keys-v2.patch.asc is a detached signature I created with gpg
> --detach-sign improve-keys-v2.patch . If you have my key you can verify my
> patch with, for example: gpg --verify improve-keys-v2.patch.asc (assuming
> both files are in the same folder).
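
One way to check whether the dev and release KEYS files discussed in this thread carry the same key blocks, as an added example that is not from the thread or from the project. It compares ASCII-armored blocks by a SHA-256 of their decoded data and also reports a block with no END line; the function names and the sample inputs are constructed for illustration.

```python
import base64
import hashlib

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def key_blocks(text):
    """Return ({sha256 of decoded key data: line of BEGIN}, [problems])."""
    blocks, problems = {}, []
    body, start = None, 0            # body is None while outside a block
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:     # previous block never closed
                problems.append(f"block at line {start} has no END line")
            body, start = [], num
        elif line == END and body is not None:
            # Drop armor headers ("Version: ...") and the "=XXXX" CRC-24 line.
            data = [ln for ln in body if ln and ":" not in ln and not ln.startswith("=")]
            try:
                packet = base64.b64decode("".join(data), validate=True)
                blocks[hashlib.sha256(packet).hexdigest()] = start
            except ValueError:
                problems.append(f"block at line {start} is not valid base64")
            body = None
        elif body is not None:
            body.append(line)
    if body is not None:
        problems.append(f"block at line {start} has no END line")
    return blocks, problems

def compare(dev_text, release_text):
    """Line numbers of key blocks present in only one of the two files."""
    dev, dev_problems = key_blocks(dev_text)
    rel, rel_problems = key_blocks(release_text)
    return {
        "only_in_dev": sorted(dev[h] for h in dev.keys() - rel.keys()),
        "only_in_release": sorted(rel[h] for h in rel.keys() - dev.keys()),
        "problems": dev_problems + rel_problems,
    }

def _armor(payload):  # constructed stand-in for a real key block (fake CRC line)
    return f"{BEGIN}\n\n{base64.b64encode(payload).decode()}\n=AAAA\n{END}\n"

# Constructed sample files: "dev" carries one key more than "release".
DEV = "pub  key A\n" + _armor(b"key-A") + "pub  key B\n" + _armor(b"key-B")
RELEASE = "Comment text\n" + _armor(b"key-A")

if __name__ == "__main__":
    print(compare(DEV, RELEASE))
```

The digests cover the raw armored key data, not OpenPGP fingerprints, so a key that was re-exported with additional signatures is reported as different even though its key id is unchanged.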
