We're planning to encourage key signing during the hackathon week.
To facilitate this, we'd like to collect all the key fingerprints in
advance, in order to prepare and distribute a $spreadsheet with
fingerprints to attendees.

At this point I'd like to suggest collecting the PGP keys in the tree.
This is in line with ASF practice, allows for more easily verifying
our releases' signatures, and makes collecting keys a once-and-for-all
task.

So, I propose that we recommend that committers add their then-current
preferred PGP keys (used for key signing and release signing, feel free
to add other keys if you want) to ^/subversion/site/keys/$username.asc .

(Bikeshed: I'm going for site/keys/ for two reasons: it doesn't
belong in trunk for the same reason trunk/www/ was moved out, and having
it under site/ means we all have one less working copy to worry about.)

If people don't like having the keys in svn, feel free to just send me
the keys (or fingerprints thereof) that you'd like signed at the
hackathon; that would address the immediate need.  (In this case I'll
also grab all keys used to sign any 1.6.x release.)

Thanks,

Daniel
