[ https://jira.codehaus.org/browse/MNGSITE-216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=359698#comment-359698 ]
Tibor Digana commented on MNGSITE-216:
--------------------------------------

Yes, I agree definitely. The page http://maven.apache.org/developers/release/pmc-gpg-keys.html can freely point to a common page http://www.apache.org/dev/openpgp.html#generate-key having detailed instructions. This would simplify the maintenance.

> Obsolete instructions in
> http://maven.apache.org/developers/release/pmc-gpg-keys.html
> -------------------------------------------------------------------------------------
>
>                 Key: MNGSITE-216
>                 URL: https://jira.codehaus.org/browse/MNGSITE-216
>             Project: Maven Project Web Site
>          Issue Type: Bug
>         Environment: GnuPG
>            Reporter: Tibor Digana
>            Priority: Critical
>
> Me as a new Committer had to register public GnuPG key. Few parts of this
> documentation were not maintained as it seems.
> http://maven.apache.org/developers/release/pmc-gpg-keys.html
> The DSA algorithm is nowadays considered not secure enough. Therefore RSA
> should be chosen:
> {noformat}(1) DSA and Elgamal (default)
> Your selection? 1
> DSA keypair will have 1024 bits.{noformat}
> DSA Key size is nowadays too short even for RSA and should be 4096:
> {noformat}What keysize do you want? (2048) 2048
> Requested keysize is 2048 bits{noformat}
> Password was not entered. Here we have different opinions. From my PoV no
> password might be ok for signature verification. The Committers use to keep
> their keys in .gpg folder on their private laptops and they do not distribute
> them in CI systems.
> {noformat}You need a Passphrase to protect your secret key.
> You don't want a passphrase - this is probably a *bad* idea!
> I will do it anyway. You can change your passphrase at any time,
> using this program with the option "--edit-key".{noformat}

--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
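
Added example, not part of the JIRA message or of the Maven documentation: a check over `gpg --list-keys --with-colons` output that flags primary keys not meeting the key type and size proposed in the issue (RSA, 4096 bits). The function name `audit_keys`, the policy constants and the sample listing are assumptions made for illustration; the key IDs, dates and user IDs are constructed.

```python
# Audit a GnuPG colon-format key listing against the policy proposed in the
# issue: primary keys should be RSA with at least 4096 bits.

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
ALGO_NAMES = {1: "RSA", 16: "Elgamal", 17: "DSA"}

# Assumption: these values encode the reporter's proposal, not an official rule.
REQUIRED_ALGO = 1
MIN_BITS = 4096

# Constructed sample listing (key IDs, timestamps and user IDs are made up).
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1262304000:::u:::scESC:
uid:u::::1262304000::0000::Old Committer <old@example.org>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1262304000::::::e:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1325376000:::u:::scESC:
uid:u::::1325376000::0000::Mid Committer <mid@example.org>:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1388534400:::u:::scESC:
uid:u::::1388534400::0000::New Committer <new@example.org>:
"""


def audit_keys(colon_listing):
    """Return (key_id, first_user_id, problems) for every primary key."""
    results = []
    current = None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        record = fields[0]
        # pub record: field 3 is the key length, field 4 the algorithm ID,
        # field 5 the key ID.
        if record == "pub" and len(fields) >= 5:
            bits, algo = int(fields[2]), int(fields[3])
            problems = []
            if algo != REQUIRED_ALGO:
                name = ALGO_NAMES.get(algo, "id %d" % algo)
                problems.append("algorithm is %s, expected RSA" % name)
            if bits < MIN_BITS:
                problems.append("%d-bit key, expected at least %d" % (bits, MIN_BITS))
            current = {"key_id": fields[4], "uid": None, "problems": problems}
            results.append(current)
        # uid record: field 10 is the user ID; keep the first one per key.
        elif record == "uid" and current and current["uid"] is None and len(fields) >= 10:
            current["uid"] = fields[9]
    return [(k["key_id"], k["uid"], k["problems"]) for k in results]


if __name__ == "__main__":
    for key_id, uid, problems in audit_keys(SAMPLE):
        print(key_id, uid, "OK" if not problems else "; ".join(problems))
```

The listing does not show whether a secret key is passphrase-protected, so that point from the issue is outside what this check covers.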