On 21-Feb-09, at 3:05 PM, Robert Burrell Donkin wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jason's recently posted
(http://mail-archives.apache.org/mod_mbox/incubator-general/200902.mbox/%[email protected]%3e )
a warning about tightening up release verification. i think that this
is generally a good thing. it sounds like it might cause me some
problems, though.

my code signing keys were used to sign the older apache releases as
part of the switch to mirroring. i'm not the most prolific release
manager but i have cut quite a few through the years. so i take
security seriously and don't store my code signing keys on a machine
connected to the internet.

the current release plugin is really a big improvement over the old
days. when cutting maven releases, i can now sign using a local-only
key and deploy to a local repository. i then copy the releases and
sign on the secure box. finally, i deploy the releases by hand.

this is now looking like it's going to become less feasible. so, i was
wondering about the best option for future releases.


If you create a set of binaries that have checksums and are signed it doesn't much matter how you produced the release. I mentioned the Ant tasks or using Maven itself as that's generally a good way to make a release. We'll probably make something with Mercury to provide something comprehensive that can be used from Ant or something you want to make yourself.

i'm comfortable storing a (probably time limited) sub-key on the
release machine (i do something similar for email). the only
disadvantage is that support for sub-keys is not uniformly good. i
suppose that i could re-sign after downloading.

alternatively, perhaps i'm not the only committer to store code
signing keys on a secure machine, and it might be feasible to add some
level of lifecycle support for this.

- - robert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: http://getfiregpg.org

iEYEARECAAYFAkmgXcYACgkQQ617goCdfgMDQQCeLrXswldSzVpIAS81/NbA92PK
A3YAniA82gi3Td+IpQLgg8Ln1nVynSLg
=sEBz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]


Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
----------------------------------------------------------

Three may keep a secret if two of them are dead.

 -- Benjamin Franklin


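Jason's point above is that a release stays verifiable as long as the binaries ship with checksums and detached signatures, whatever process produced them. As an added example that is not part of this thread and not Maven's or Apache's own tooling, the script below performs the downloader's side of that check over Apache-style sidecar files (`artifact.md5`, `artifact.sha1`, `artifact.sha512`, `artifact.asc`). The function names, the constructed sample artifact, and the assumption that `gpg` is on PATH with the project's KEYS file already imported are mine, not something the thread states.

```python
"""Verify a downloaded release: checksum sidecars plus a detached PGP signature."""
import hashlib
import hmac
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Sidecar suffix -> hashlib constructor. Releases of this era shipped .md5 and
# .sha1 files; later ones ship .sha512. Unknown suffixes are simply not checked.
ALGORITHMS = {".md5": hashlib.md5, ".sha1": hashlib.sha1, ".sha512": hashlib.sha512}


def hash_file(path: Path, constructor) -> str:
    """Stream the file through the digest so large tarballs are not read whole."""
    digest = constructor()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(path: Path) -> str:
    """Accept a bare hex digest or the `<hex>  <filename>` form that sha1sum writes."""
    text = path.read_text(encoding="ascii").strip()
    match = re.match(r"^([0-9a-fA-F]+)", text)
    if not match:
        raise ValueError(f"no hex digest found in {path}")
    return match.group(1).lower()


def verify_checksum(artifact: Path, checksum_file: Path) -> bool:
    """True only when the sidecar's digest matches the artifact's recomputed digest."""
    constructor = ALGORITHMS[checksum_file.suffix]
    expected = parse_checksum_file(checksum_file)
    actual = hash_file(artifact, constructor)
    # Constant-time compare is a habit, not a requirement for a public digest.
    return hmac.compare_digest(expected, actual)


def verify_checksums(artifact: Path) -> dict:
    """Check every checksum sidecar present next to the artifact; missing ones are
    omitted rather than reported as passing."""
    report = {}
    for suffix in ALGORITHMS:
        sidecar = artifact.with_name(artifact.name + suffix)
        if sidecar.exists():
            report[suffix] = verify_checksum(artifact, sidecar)
    return report


def verify_signature(artifact: Path, signature: Path) -> bool:
    """Run `gpg --verify artifact.asc artifact`; exit status 0 means the signature
    is valid for a key in the local keyring. Assumes gpg is on PATH and the
    project's KEYS file was imported beforehand (gpg --import KEYS)."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH; cannot verify the signature")
    result = subprocess.run([gpg, "--batch", "--verify", str(signature), str(artifact)],
                            capture_output=True, text=True)
    return result.returncode == 0


def make_sample_release(tampered: bool = False) -> Path:
    """Write a constructed artifact with matching .sha1 and .md5 sidecars into a
    fresh temp directory. With tampered=True the artifact bytes are swapped after
    the checksums were computed, the case a verifier must catch."""
    directory = Path(tempfile.mkdtemp(prefix="release-check-"))
    artifact = directory / "sample-1.0.tar.gz"
    original = b"constructed release bytes, not a real archive\n"
    for suffix, constructor in ALGORITHMS.items():
        if suffix == ".sha512":
            continue  # this sample mimics a 2009-era release with md5 + sha1 only
        (directory / (artifact.name + suffix)).write_text(
            f"{constructor(original).hexdigest()}  {artifact.name}\n")
    artifact.write_bytes(b"modified bytes\n" if tampered else original)
    return artifact


if __name__ == "__main__":
    sample = make_sample_release()
    print(sample, verify_checksums(sample))
    asc = sample.with_name(sample.name + ".asc")
    if asc.exists():
        print("signature valid:", verify_signature(sample, asc))
```

In practice the checksum step only proves the download was not corrupted in transit; the `.asc` step is what ties the artifact to a release manager's key, so a report with a passing `.sha1` and no signature result should be treated as unverified.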
