On Sun, Sep 13, 2009 at 7:38 PM, Francis De Brabandere <franci...@gmail.com> wrote:
> I added myself a while ago to the keys in our
> repo/trunk/tools/KEYS.txt. Should we move that file to trunk and
> publish it in the dist?

I would say so. The advantage of having the KEYS file also in the /dist/ is that it'll be close to where it's used. The advantage of SVN, well that should be obvious :)

> also from here:
> http://incubator.apache.org/guides/releasemanagement.html#distribution-checksums-sigs
> "that the KEYS file contains the public key. (Storing public keys in a
> KEYS file is recommended but is not policy.)"
> further my public key is available here:
> http://pgp.mit.edu:11371/pks/lookup?search=francisdb

Yeah, publishing a KEYS file by itself does not really provide the end user with much additional guarantee beyond a SHA1 hash of the file (which is why I imagine KEYS files are not policy). The thing that matters much more is linking up to the apache web of trust:

http://www.apache.org/dev/release-signing.html#web-of-trust

For similar reasons it is also good if multiple people sign releases - more trust :)

cheers,

- Leo

(who in java land already considers it a "win" these days when people opt out of auto-downloading from ibiblio.org, so personally no longer bothers with GPG)