https://bz.apache.org/bugzilla/show_bug.cgi?id=65570

            Bug ID: 65570
           Summary: Shared KEYS files must contain keys for all relevant
                    release
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: dev@tomcat.apache.org
          Reporter: s...@apache.org
  Target Milestone: -----

The Wiki Release process page [1] says:

"svn checkout --depth immediates
https://dist.apache.org/repos/dist/release/tomcat/tomcat-9/ 
and update the KEYS file there to be the same as the one used for release"

The KEYS file at that level is used for all 9.x releases, and must therefore
contain the keys used for all the releases.

Once a key used for a release has been added to a KEYS file, it should never be
removed. The process described above does not make that clear.

The process seems needlessly complicated.

Most other projects use a single KEYS file maintained at the project level:
https://dist.apache.org/repos/dist/release/tomcat/KEYS

When a new signing key is used for a release, add it to the file.
Job done.

N.B. this bug report also probably applies to the other Tomcat releases.

[1] https://cwiki.apache.org/confluence/display/TOMCAT/ReleaseProcess

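One way to check the "never removed" rule from the report before committing an updated KEYS file, as an added example that is not part of the bug report or of Tomcat's release tooling: compare the primary-key fingerprints found in the old and new files. It assumes ASCII-armored blocks holding v4 OpenPGP keys; the function names and the sample blocks are constructed for illustration.

```python
import base64, hashlib, re

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(block):
    # Drop armor headers ("Comment: ...") and the "=XXXX" CRC line, then decode.
    keep = [l.strip() for l in block.splitlines() if ":" not in l and l.strip()[:1] != "="]
    return base64.b64decode("".join(keep))

def packets(raw):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(raw):
        hdr, i = raw[i], i + 1
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, raw[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(raw[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(raw[i:i + width], "big"), i + width
        yield tag, raw[i:i + n]
        i += n

def fingerprints(keys_text):
    """v4 fingerprints of primary keys (tag 6); other versions are skipped (assumption)."""
    return {hashlib.sha1(b"\x99" + len(b).to_bytes(2, "big") + b).hexdigest().upper()
            for block in ARMOR.findall(keys_text)
            for tag, b in packets(dearmor(block)) if tag == 6 and b[0] == 4}

def removed_keys(old_text, new_text):
    """Fingerprints in the old KEYS file that are missing from the new one."""
    return sorted(fingerprints(old_text) - fingerprints(new_text))

def sample_block(seed):   # constructed input: v4 key packet with dummy key material
    body = b"\x04\x00\x00\x00\x01\x01" + bytes([seed]) * 16
    pkt = base64.b64encode(b"\x99" + len(body).to_bytes(2, "big") + body).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
            f"{pkt}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

A non-empty result from `removed_keys(old, new)` means the update would drop a key that earlier releases were signed with, so the commit should be rejected.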