Thanks Jukka.

I had thought we were supposed to ship the KEYS file next to all release bits. As far as I can tell Lucene and Tika have done this for their past releases, e.g.:

http://www.eng.lsu.edu/mirrors/apache/tika

and

http://apache.mesi.com.ar/lucene/java/4.0.0

But it sounds like this is actually bad practice and we should stop doing so?

Mike McCandless

http://blog.mikemccandless.com

On Mon, Jan 21, 2013 at 1:11 AM, Jukka Zitting <jukka.zitt...@gmail.com> wrote:
> Hi,
>
> On Sun, Jan 20, 2013 at 11:24 PM, Mattmann, Chris A (388J)
> <chris.a.mattm...@jpl.nasa.gov> wrote:
>> +1 to that -- Dave feel free to simply copy the one out of dist into the
>> RC dir -- or whomever does the next release feel free to include the KEYS.
>
> There's no particular need for the KEYS file to be included in the RC,
> particularly inside the release package (shipping the key along with
> the signed package is kind of bad practice). One could simply update
> the KEYS file directly in http://www.apache.org/dist/tika/KEYS and
> upload it to a key server [1]. It's also a good idea to add the key
> fingerprint to https://id.apache.org/.
>
> Another thing that came to my mind is migration from
> /www/www.apache.org/dist/tika on people.apache.org to svnpubsub-based
> release distribution [2]. AFAIUI infra wants to get all projects
> migrated to svnpubsub, so I think we should look at doing that shortly
> after 1.3 is out. I can volunteer to take care of this as I've already
> done it for Jackrabbit.
>
> [1] http://www.apache.org/dev/release-signing.html#keyserver
> [2] http://www.apache.org/dev/release-publishing.html#distribution_dist
>
> BR,
>
> Jukka Zitting
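
Added example, not part of the original thread and not Apache tooling: verifying a detached release signature so that trust comes from a fingerprint obtained out of band (for instance the one listed on id.apache.org), which means a KEYS file copied along with the package cannot vouch for it. The function names, their arguments and the throwaway keyring are assumptions of this example.

```shell
#!/bin/sh
# Added example: a KEYS file only supplies key material. The trust anchor is
# the fingerprint pinned by the verifier, learned somewhere other than the
# mirror or archive that delivered the package.

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint of the valid signature. In a VALIDSIG line the first
# fingerprint is the signing (sub)key and the last field is the primary key.
# Fails when no VALIDSIG line is present (bad signature, unknown key, ...).
validsig_primary() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Compare two fingerprints, ignoring spaces and letter case.
# An empty fingerprint never matches.
same_fpr() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_release KEYS ARTIFACT SIGNATURE PINNED_FPR
#   KEYS        key file fetched from the project's canonical location
#   PINNED_FPR  release manager's fingerprint, obtained out of band
# Returns 0 only if the signature is valid AND made by the pinned key.
verify_release() {
    keys=$1 artifact=$2 sig=$3 pinned=$4
    home=$(mktemp -d) || return 2
    # Throwaway keyring, so keys already on this machine play no part.
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null)
    rm -rf "$home"
    signer=$(printf '%s\n' "$status" | validsig_primary) || return 1
    # A valid signature from any other key in KEYS is still a failure.
    same_fpr "$signer" "$pinned"
}
```

If the KEYS file next to a download has been swapped together with the package, `gpg --verify` alone still reports a good signature; the fingerprint comparison is what rejects it.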