Hi,

On Tue, May 8, 2018 at 10:29 AM, Robert Munteanu <romb...@apache.org> wrote:
> ...Note that this way of distributing the GPG keys is not set in stone,
> just the compromise that we arrived at. If you think this can be improved,
> all suggestions are welcome...

In general discussions about ASF releases (can't find the links right now) some people argued that https://www.apache.org/dist/sling/KEYS is a better long-term source of keys than https://people.apache.org/keys/group/sling.asc as (I assume) the latter only has keys of current Sling committers.

However, our https://dist.apache.org/repos/dist/release/sling/.htaccess redirects the former to the latter, and I don't think we have ever removed people from the Sling committers roster so we should be fine.

Anyway, as per https://www.apache.org/info/verification.html I think we should just make sure our keys are available on one or several public key servers so people can find them.

IOW: I think we're fine, and it's good for people to add their keys to public key servers anyway.

-Bertrand