On Wed, Sep 4, 2013 at 7:18 PM, sebb <seb...@gmail.com> wrote:
> On 4 September 2013 02:31, Tim Williams <william...@gmail.com> wrote:
>> I notice that Chris just pointed[1] spark to the nifty keys
>> listing[1]. Our docs still imply manual maintenance of the typical
>> KEYS file[2]. Honestly, I didn't even know the ldap-driven one was
>> around. I assume it's fair for projects to just point to the
>> p.a.o/keys/groups/${project}.asc file nowadays vs. copying that over
>> periodically to KEYS?
>
> The KEYS file has historically been manually maintained.
> As new keys are used for signing releases, they are added to the file.
> However entries should not be deleted if they have ever been used to
> sign a release, otherwise it may not be possible to check the sigs of
> archived artifacts.
>
> LDAP does not have all historic keys, or even all historic RMs.
>
> So replacing the KEYS file with a copy from LDAP may lose keys needed
> for validating archived files.
>
> Directing users to the p.a.o/keys/groups/${project}.asc files should
> work for current releases.
> But even that has a problem - if the RM leaves a project whilst the
> release is still current, the project.asc file will no longer contain
> the RM's key.
>
> The problem is even worse for older releases.
> People may create new keys and drop old ones which have been used for signing.
> People leave a project or the ASF and the LDAP entry is changed.
>
> I don't think the LDAP keys are really suitable for use as a KEYS file
> at present.
Great points, makes total sense, thanks for the clarification sebb!

--tim
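As an added example (not from this thread or any ASF tooling): a small Python check that takes the hand-maintained KEYS file and the LDAP-generated `.asc` export and lists the primary-key fingerprints that would disappear if the former were replaced by the latter, which is exactly the loss sebb describes. It parses the ASCII armor and computes RFC 4880 v4 fingerprints itself, so no gpg is needed; the two key blocks are constructed toy packets, not real keys, and the armor CRC24 line is not verified.

```python
import base64
import hashlib
import re
ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def _dearmor(block: str) -> bytes:
    # Drop armor headers ("Version: ...") and the "=XXXX" CRC24 line; the CRC is not checked here.
    lines = [s for s in map(str.strip, block.splitlines()) if s and ":" not in s and s[0] != "="]
    return base64.b64decode("".join(lines))
def _packets(data: bytes):
    """Yield (tag, body) per RFC 4880 packet; partial and indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                                  # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else: raise ValueError("partial body length not supported")
        else:                                           # old-format header
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 0x03]
            if n is None: raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]; i += length
def fingerprint_v4(body: bytes) -> str:
    # RFC 4880 s12.2: SHA-1 over 0x99, the two-byte body length, and the public-key packet body
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
def primary_fingerprints(keys_text: str) -> set:
    # Tag 6 is a primary public key; subkeys (tag 14) ride along with their primary and are skipped
    return {fingerprint_v4(body) for m in ARMOR.finditer(keys_text)
            for tag, body in _packets(_dearmor(m.group(1))) if tag == 6}
def keys_lost_by_replacement(historic_keys: str, ldap_keys: str) -> set:
    """Primary keys in the hand-maintained KEYS file that the LDAP export no longer carries."""
    return primary_fingerprints(historic_keys) - primary_fingerprints(ldap_keys)

# Constructed sample data, not real keys: a v4 "RSA" public-key packet with toy MPIs (n = seed + 2, e = 65537)
def fake_key_body(seed: int) -> bytes:
    return (b"\x04" + (0x52250000 + seed).to_bytes(4, "big") + b"\x01"
            + (seed + 2).bit_length().to_bytes(2, "big") + bytes([seed + 2]) + b"\x00\x11\x01\x00\x01")
def fake_armored_key(seed: int) -> str:
    body = fake_key_body(seed)
    packet = bytes([0x98, len(body)]) + body            # old-format header: tag 6, one-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
HISTORIC_KEYS = "pub   rsa4096 2013-09-04 (former RM)\n" + fake_armored_key(1) + fake_armored_key(2)
LDAP_KEYS = fake_armored_key(2)                         # the departed RM's key is gone from LDAP
```

Run `keys_lost_by_replacement(HISTORIC_KEYS, LDAP_KEYS)` against a project's real KEYS and `.asc` files before pointing users at the LDAP copy; any fingerprint it returns is a key that archived signatures may still depend on.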