On Wed, Sep 4, 2013 at 7:18 PM, sebb <seb...@gmail.com> wrote:
> On 4 September 2013 02:31, Tim Williams <william...@gmail.com> wrote:
>> I notice that Chris just pointed[1] spark to the nifty keys
>> listing[1].  Our docs still imply manual maintenance of the typical
>> KEYS file[2].  Honestly, I didn't even know the ldap-driven one was
>> around.  I assume it's fair for projects to just point to the
>> p.a.o/keys/groups/${project}.asc file nowadays vs. copying that over
>> periodically to KEYS?
>
> The KEYS file has historically been manually maintained.
> As new keys are used for signing releases, they are added to the file.
> However entries should not be deleted if they have ever been used to
> sign a release, otherwise it may not be possible to check the sigs of
> archived artifacts.
>
> LDAP does not have all historic keys, or even all historic RMs.
>
> So replacing the KEYS file with a copy from LDAP may lose keys needed
> for validating archived files.
>
> Directing users to the p.a.o/keys/groups/${project}.asc files should
> work for current releases.
> But even that has a problem - if the RM leaves a project whilst the
> release is still current, the project.asc file will no longer contain
> the RM's key.
>
> The problem is even worse for older releases.
> People may create new keys and drop old ones which have been used for signing.
> People leave a project or the ASF and the LDAP entry is changed.
>
> I don't think the LDAP keys are really suitable for use as a KEYS file
> at present.

Great points, makes total sense, thanks for the clarification sebb!

--tim
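
The check sebb's argument implies, as an added example that is not part of the thread and not ASF tooling: given a candidate KEYS file and the detached .asc signatures of every release still being served or archived, list the signing keys the KEYS file no longer carries. It walks the OpenPGP packet framing itself (RFC 4880), so it needs no gpg keyring and nothing is imported: it collects the key IDs of every public key and subkey packet in the KEYS file and the issuer subpacket of each signature, then reports the difference. Only v4 keys and signatures are handled, and the two keys and two signatures at the bottom are constructed here with dummy key material (an RSA "modulus" that is really a hash) purely to exercise the framing; they are not real ASF keys or release signatures. Note the caveat in the lead: 64-bit key IDs can collide, so a production check should compare full fingerprints rather than the short IDs used here for readability.

```python
import base64
import hashlib
import re


def dearmor(text):
    """Binary payload of every ASCII-armored block in text (armor headers and '=CRC' line dropped)."""
    blobs = []
    for m in re.finditer(r"-----BEGIN PGP [^-]+-----\n(.*?)-----END PGP [^-]+-----", text, re.S):
        body = m.group(1)
        if "\n\n" in body:                       # armor headers end at the first blank line
            body = body.split("\n\n", 1)[1]
        b64 = "".join(s for s in (l.strip() for l in body.splitlines()) if s and s[0] != "=")
        blobs.append(base64.b64decode(b64))
    return blobs


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; old and new header formats (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                           # new format
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                    # old format, e.g. 0x99 for a public key packet
            tag, w = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            if not w:
                raise ValueError("indeterminate length not supported")
            n = int.from_bytes(data[i:i + w], "big"); i += w
        yield tag, data[i:i + n]
        i += n


def v4_key_id(body):
    """Key ID (low 64 bits of the v4 fingerprint) of a public key or subkey packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()[-16:].upper()


def signature_issuer(body):
    """Issuer key ID from a v4 signature packet (subpacket type 16, hashed or unhashed area)."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    pos = 4                                      # version, sig type, pk algo, hash algo
    for _ in range(2):                           # hashed area, then unhashed area
        size = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        area, pos = body[pos:pos + size], pos + size
        j = 0
        while j < len(area):
            l = area[j]; j += 1                  # subpacket length covers the type octet too
            if 192 <= l < 255:
                l = ((l - 192) << 8) + area[j] + 192; j += 1
            elif l == 255:
                l = int.from_bytes(area[j:j + 4], "big"); j += 4
            if area[j] & 0x7F == 16:
                return area[j + 1:j + l].hex().upper()
            j += l
    return None


def key_ids_in_keys_file(keys_text):
    """Every primary key and subkey ID carried in a KEYS-style file."""
    return {v4_key_id(b) for blob in dearmor(keys_text)
            for tag, b in iter_packets(blob) if tag in (6, 14)}


def missing_signers(keys_text, signature_texts):
    """Issuer IDs of the given detached .asc signatures that the KEYS file lacks."""
    signers = {signature_issuer(b) for asc in signature_texts
               for blob in dearmor(asc) for tag, b in iter_packets(blob) if tag == 2}
    signers.discard(None)
    return signers - key_ids_in_keys_file(keys_text)


# --- constructed sample data: dummy key material, not real ASF keys or signatures ---
def _old_packet(tag, body):                      # old-format header with 2-byte length, as gpg emits
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def _mpi(x):
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")

def _fake_v4_rsa_key(seed):                      # v4, creation time, RSA, n, e; n is a hash, not a modulus
    n = int.from_bytes(hashlib.sha256(seed).digest(), "big")
    return b"\x04" + (1378252800).to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(65537)

def _fake_v4_signature(issuer_id):               # v4 binary-doc sig carrying an issuer subpacket, dummy value
    hashed = bytes([9, 16]) + bytes.fromhex(issuer_id)
    return b"\x04\x00\x01\x08" + len(hashed).to_bytes(2, "big") + hashed + b"\x00\x00\xab\xcd" + _mpi(1)

def _armor(kind, data):
    b64 = base64.b64encode(data).decode()
    return "-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (
        kind, "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)), kind)

RM_A = _fake_v4_rsa_key(b"rm-a")                 # current RM, still in LDAP
RM_B = _fake_v4_rsa_key(b"rm-b")                 # RM who left the project; signed an older release
KEYS_FROM_LDAP = _armor("PUBLIC KEY BLOCK", _old_packet(6, RM_A))
KEYS_HISTORIC = KEYS_FROM_LDAP + _armor("PUBLIC KEY BLOCK", _old_packet(6, RM_B))
RELEASE_SIGS = [_armor("SIGNATURE", _old_packet(2, _fake_v4_signature(v4_key_id(k))))
                for k in (RM_A, RM_B)]

if __name__ == "__main__":
    print("signers missing from LDAP-derived KEYS:", missing_signers(KEYS_FROM_LDAP, RELEASE_SIGS))
    print("signers missing from historic KEYS:    ", missing_signers(KEYS_HISTORIC, RELEASE_SIGS))
```

Run against a real project: read the existing KEYS file (or the p.a.o/keys/groups/${project}.asc candidate) and every *.asc under the dist and archive trees, and refuse to replace KEYS while `missing_signers` is non-empty. The script only answers "is the key present"; it does not verify the signatures themselves, which is still gpg's job once the keys are known to be there.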

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
