[
https://issues.apache.org/jira/browse/DMAP-83?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14092706#comment-14092706
]
Sebb edited comment on DMAP-83 at 8/11/14 11:59 AM:
----------------------------------------------------
> someone will just need to redo the above copy when keys change.
No, a copy won't work in general. There needs to be a merge.
The file at [1] contains the current keys for the current project members.
However the file at [2] must contain all the keys that were ever used to sign a
release, as it is needed to verify historic releases from the archive server.
If an RM changes their key, then AIUI [1] will only contain the new key, but
the old key may have been used to sign a release (which may even still be
current).
If an RM leaves the LDAP group for any reason, then [1] will no longer contain
their key (e.g. joes and crossley left the IPMC and are no longer in the
incubator-pmc.asc file).
So although the file at [1] may be used as a source for updating the KEYS file
at [2], it cannot be regarded as the canonical source for the KEYS file, as it
is not guaranteed to contain the required historical entries.
> Provide KEYS file under the dist area
> -------------------------------------
>
> Key: DMAP-83
> URL: https://issues.apache.org/jira/browse/DMAP-83
> Project: DeviceMap
> Issue Type: Task
> Reporter: Sebb
> Assignee: Bertrand Delacretaz
>
> The KEYS file is currently linked from
> [1] https://people.apache.org/keys/group/devicemap.asc
> This is not the standard location, which is
> [2] https://dist.apache.org/repos/dist/release/incubator/devicemap/KEYS
> i.e. at the top level above the releases, sigs and hashes.
> Please can you set up a KEYS file at [2]; this can start out as a copy of [1].
> Note that entries in the KEYS file that have ever been used to sign releases
> should not be removed otherwise users won't be able to verify archived
> downloads.
> Also it helps if the KEYS file has details of how to update it, for example
> see:
> https://dist.apache.org/repos/dist/release/ant/KEYS
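
The merge-versus-copy point from the comment above, as an added example that is not part of the original message or any project tooling: it appends armored blocks from the group file [1] that are missing from the dist KEYS file [2] and checks that no existing block is lost. It assumes blocks are compared by exact armored text (a real workflow would compare key fingerprints with gpg); the function names and key blocks are constructed placeholders.

```python
import re

ARMOR = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----",
    re.DOTALL,
)

def key_blocks(text):
    """Armored public key blocks in file order, with per-line whitespace stripped."""
    return ["\n".join(ln.strip() for ln in m.group(0).splitlines())
            for m in ARMOR.finditer(text)]

def merge_keys(dist_keys, group_keys):
    """Append group-file blocks missing from the dist KEYS text; remove nothing."""
    seen = set(key_blocks(dist_keys))
    added = []
    for block in key_blocks(group_keys):
        if block not in seen:
            seen.add(block)
            added.append(block)
    merged = dist_keys.rstrip("\n") + "\n"  # keeps any update instructions at the top
    for block in added:
        merged += "\n" + block + "\n"
    return merged, added

def dropped_blocks(old_keys, new_keys):
    """Blocks present in the old KEYS but absent from the proposed replacement."""
    kept = set(key_blocks(new_keys))
    return [b for b in key_blocks(old_keys) if b not in kept]

def fake_block(label):
    # Constructed placeholder, not real key material.
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            f"CONSTRUCTED-{label}\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed sample: RM A rotated keys, RM B left the group, RM C is new.
DIST_KEYS = ("How to update this file: (project instructions go here)\n\n"
             + fake_block("RM-A-OLD") + "\n" + fake_block("RM-B"))
GROUP_FILE = fake_block("RM-A-NEW") + "\n" + fake_block("RM-C")

if __name__ == "__main__":
    merged, added = merge_keys(DIST_KEYS, GROUP_FILE)
    print("lost by plain copy:", len(dropped_blocks(DIST_KEYS, GROUP_FILE)))
    print("added by merge:", len(added))
    print("lost by merge:", len(dropped_blocks(DIST_KEYS, merged)))
```

Running `dropped_blocks` against the committed KEYS before each update gives a simple guard: a non-empty result means a historic signing key would disappear.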