I am collaborating with Zach Kimberg and Qing to work on automatic ( currently its very tedious and time consuming) publishing the MXNet-Scala maven package to Apache Snapshot repo(either as nightly or weekly), for publishing the package the artifacts need to be signed with a committer's key, however Zach found Apache seems to strictly advise against storing the PGP Keys, so I suggested to look at what Spark is doing and he found that they are releasing to Apache Snapshots as a nightly job so they got to be storing the credentials on the host. I am looking for advise from Mentors on how to proceed with this?
One option(not preferable) is to publish to a private Repo or an S3 bucket and only during the release and the keys continue to remain in the committers control. -- Advise on PGP Key storage on Apache website-- “It is recommended that you create a PGP key for your apache.org address now (or add that address to an existing key, if you have one). *DO NOT* create this key on any machine to which multiple users have access and *DO NOT*, ever, copy your private key to any other shared machine. Release managers need to take particular care of keys used to sign releases <https://www.apache.org/dev/release-signing.html#private-key-protection>.“ ( https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys ) “Strictly speaking, releases must be *verified <https://svn.apache.org/repos/private/committers/tools/releases/compare_dirs.pl>* on hardware owned and controlled by the committer. That means hardware the committer has physical possession and control of and exclusively full administrative/superuser access to. That's because only such hardware is qualified to hold a PGP private key, and the release should be verified on the machine the private key lives on or on a machine as trusted as that.” ( https://www.apache.org/legal/release-policy.html#release-signing) --- Thanks, Naveen