-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jason's recently posted (http://mail-archives.apache.org/mod_mbox/incubator-general/200902.mbox/%[email protected]%3e) a warning about tightening up release verification. i think that this is generally a good thing. it sounds like it might cause me some problems, though.

my code signing keys were used to sign the older apache releases as part of the switch to mirroring. i'm not the most prolific release manager but i have cut quite a few through the years. so i take security seriously and don't store my code signing keys on a machine connected to the internet.

the current release plugin is really a big improvement over the old days. when cutting maven releases, i can now sign using a local-only key and deploy to a local repository. i then copy the releases and sign on the secure box. finally, i deploy the releases by hand.

this is now looking like it's going to become less feasible. so, i was wondering about the best option for future releases.

i'm comfortable storing a (probably time limited) sub-key on the release machine (i do something similar for email). the only disadvantage is that support for sub-keys is not uniformly good. i suppose that i could resign after downloading.

alternatively, perhaps i'm not the only committer to store code signing keys on a secure machine, and it might be feasible to add some level of lifecycle support for this.

- robert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: http://getfiregpg.org

iEYEARECAAYFAkmgXcYACgkQQ617goCdfgMDQQCeLrXswldSzVpIAS81/NbA92PK
A3YAniA82gi3Td+IpQLgg8Ln1nVynSLg
=sEBz
-----END PGP SIGNATURE-----
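Added example, not robert's code and not part of the Apache release tooling: a small release-verification check that reads GnuPG's machine-readable --status-fd output and attributes a signature made with a signing sub-key to the primary key it belongs to, accepting the artifact only when that primary fingerprint is on the project's trusted-key list. It relies on the documented VALIDSIG status line, whose last field is the primary key fingerprint; the fingerprints, user id and status lines embedded below are constructed placeholders, and verify_release() assumes a gpg binary on PATH.

```python
"""Release-signature policy that understands GnuPG signing sub-keys.

A verifier that only pins the fingerprint of the key that produced the
signature will reject a release signed with a time-limited sub-key, even
though that sub-key is certified by the release manager's primary key.
GnuPG reports the primary key fingerprint as the last field of its
VALIDSIG status line, which is enough to map the sub-key back to the
entry in a project KEYS file without re-signing after download.
"""
import subprocess
from typing import Dict, Iterable, Optional, Set

STATUS_PREFIX = "[GNUPG:] "
REJECTING_TAGS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def parse_status(lines: Iterable[str]) -> Dict[str, Optional[object]]:
    """Reduce gpg --status-fd lines to the facts a verifier needs.

    Returns 'good' (a valid signature was seen), 'signer' (fingerprint of
    the key that made it, possibly a sub-key), 'primary' (fingerprint of
    the primary key that owns it) and 'error' (first rejecting tag seen).
    """
    result: Dict[str, Optional[object]] = {
        "good": False, "signer": None, "primary": None, "error": None,
    }
    for raw in lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary gpg chatter, not a status record
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "VALIDSIG":
            # VALIDSIG <sig-fpr> <date> <ts> <expire-ts> <version> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            result["good"] = True
            result["signer"] = args[0]
            # If gpg omits the optional primary fingerprint, the signer is
            # the best attribution available (exact when no sub-key was used).
            result["primary"] = args[9] if len(args) >= 10 else args[0]
        elif tag in REJECTING_TAGS and result["error"] is None:
            result["error"] = tag  # expired/revoked keys still emit VALIDSIG
    return result


def accept_signature(status: Dict[str, Optional[object]],
                     trusted_primaries: Set[str]) -> bool:
    """Accept only a good signature that chains to a trusted primary key."""
    if not status["good"] or status["error"] is not None:
        return False
    primary = str(status["primary"]).upper()
    return primary in {fpr.upper() for fpr in trusted_primaries}


def verify_release(artifact: str, sig_path: str, trusted_primaries: Set[str],
                   gnupghome: Optional[str] = None) -> bool:
    """Run gpg on a detached signature and apply the policy (needs gpg)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, artifact]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return accept_signature(parse_status(proc.stdout.splitlines()),
                            trusted_primaries)


# Constructed sample (made-up fingerprints and user id): a release signed
# with sub-key SUBKEY_FPR that belongs to primary key PRIMARY_FPR.
PRIMARY_FPR = "1111222233334444555566667777888899990000"
SUBKEY_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_STATUS_SUBKEY = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {SUBKEY_FPR[-16:]} Release Manager (constructed) <rm@example.org>",
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2009-02-21 1235172000 0 4 0 17 2 00 {PRIMARY_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_STATUS_BAD = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] BADSIG {SUBKEY_FPR[-16:]} Release Manager (constructed) <rm@example.org>",
]

if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS_SUBKEY)
    # Pinning the primary key (as in a KEYS file) accepts the sub-key signature.
    print("trust primary  :", accept_signature(status, {PRIMARY_FPR}))   # True
    # Pinning only the sub-key that made the signature does not chain up.
    print("trust sub-key  :", accept_signature(status, {SUBKEY_FPR}))    # False
    print("bad signature  :", accept_signature(parse_status(SAMPLE_STATUS_BAD),
                                               {PRIMARY_FPR}))           # False
```

The design point is that trust is anchored at the primary key fingerprint, so a release manager can keep the primary key offline, put a short-lived signing sub-key on the release machine, and still have downloads verify against the existing KEYS entry; the sample also shows why a verifier that pins the signing key it sees in the signature would reject that same release.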
