On Sat, May 11, 2013 at 4:38 PM, Andrew Phillips <[email protected]> wrote:
> Dear Mentors
>
> Having just seen a related discussion go by on the incubator list: where
> would be the recommended place to store the public key for verification of
> the jclouds JARs?
>
> On the website? In the source repo? Elsewhere?
>
> Thanks!
>
> ap
Link to that discussion? I didn't see it in a brief perusal.

IMO - it's a bad idea to have a project-level GPG key. I've seen other ASF projects end up with the key misused, or held hostage. The KEYS file itself should be populated with GPG keys of the individuals in the project.

The public key should live in the dist directory. See:

https://dist.apache.org/repos/dist/release/cloudstack/KEYS
https://dist.apache.org/repos/dist/release/maven/KEYS

The release manager would sign releases/artifacts, etc. with their own key, which ideally is well connected.

--David
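The consumer side of the arrangement David describes, as an added example that is not part of this thread: a downloaded artifact and its detached `.asc` signature are checked only against the keys the project publishes in its KEYS file, using a throwaway keyring so nothing in the verifier's own keyring can satisfy the check. It assumes the `gpg` command line tool is installed; the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify a release artifact against a
# project's published KEYS file in an isolated keyring.
#
#   verify_release KEYS release.tar.gz release.tar.gz.asc
#
# On success it prints the full fingerprint of the signing key (compare it
# with the fingerprint announced for the release manager) and returns 0;
# on any failure it prints nothing and returns 1.
verify_release() {
    keys_file="$1"; artifact="$2"; sig="$3"
    [ -r "$keys_file" ] && [ -r "$artifact" ] && [ -r "$sig" ] || return 1

    # Fresh GNUPGHOME: the user's own keyring is never consulted, so only a
    # key listed in KEYS can produce a "good" result.
    tmp_home=$(mktemp -d) || return 1
    chmod 700 "$tmp_home"

    if ! gpg --homedir "$tmp_home" --batch --quiet --import "$keys_file" 2>/dev/null; then
        rm -rf "$tmp_home"; return 1
    fi

    # --status-fd 1 gives machine-readable lines; VALIDSIG carries the full
    # fingerprint of the key that made a cryptographically good signature.
    status=$(gpg --homedir "$tmp_home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null)
    rc=$?
    rm -rf "$tmp_home"

    [ "$rc" -eq 0 ] || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}
```

A good signature only proves the artifact was signed by some key in KEYS; the printed fingerprint still has to match the one the release manager announced out of band.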
