[ https://jira.codehaus.org/browse/MNGSITE-216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=359706#comment-359706 ]
Robert Scholte commented on MNGSITE-216:
----------------------------------------

http://cms.apache.org
see also http://maven.apache.org/developers/website/index.html

> Obsolete instructions in http://maven.apache.org/developers/release/pmc-gpg-keys.html
> -------------------------------------------------------------------------------------
>
>                 Key: MNGSITE-216
>                 URL: https://jira.codehaus.org/browse/MNGSITE-216
>             Project: Maven Project Web Site
>          Issue Type: Bug
>         Environment: GnuPG
>            Reporter: Tibor Digana
>            Assignee: Tibor Digana
>            Priority: Critical
>
> As a new Committer, I had to register a public GnuPG key. A few parts of this
> documentation were not maintained, it seems.
> http://maven.apache.org/developers/release/pmc-gpg-keys.html
> The DSA algorithm is nowadays considered not secure enough. Therefore RSA
> should be chosen:
> {noformat}(1) DSA and Elgamal (default)
> Your selection? 1
> DSA keypair will have 1024 bits.{noformat}
> DSA Key size is nowadays too short even for RSA and should be 4096:
> {noformat}What keysize do you want? (2048) 2048
> Requested keysize is 2048 bits{noformat}
> Password was not entered. Here we have different opinions. From my PoV no
> password might be ok for signature verification. The Committers usually keep
> their keys in the .gpg folder on their private laptops and they do not distribute
> them in CI systems.
> {noformat}You need a Passphrase to protect your secret key.
> You don't want a passphrase - this is probably a *bad* idea!
> I will do it anyway. You can change your passphrase at any time,
> using this program with the option "--edit-key".{noformat}
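
Added example (not part of the issue, the comment, or the Maven documentation): a small checker that reads `gpg --list-keys --with-colons` output and reports signing-capable keys that are DSA or RSA shorter than the 4096 bits the report asks for. The sample listing, key IDs and the name `audit` are constructed for this example.

```python
import sys

MIN_RSA_BITS = 4096  # key size the issue report asks for
RSA, DSA = 1, 17     # OpenPGP public-key algorithm IDs (RFC 4880, 9.1)

# Constructed sample of `gpg --list-keys --with-colons` output;
# key IDs, dates and names are made up for this example.
SAMPLE = """\
tru::1:1400000000:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAA1:1400000000:::u:::scESC:
uid:u::::1400000000::0000::Old Key <old@example.invalid>:
sub:u:2048:16:AAAAAAAAAAAAAAA2:1400000000::::::e:
pub:u:2048:1:BBBBBBBBBBBBBBB1:1400000000:::u:::scESC:
uid:u::::1400000000::0000::Short Key <short@example.invalid>:
sub:u:2048:1:BBBBBBBBBBBBBBB2:1400000000::::::e:
pub:u:4096:1:CCCCCCCCCCCCCCC1:1400000000:::u:::scESC:
uid:u::::1400000000::0000::Good Key <good@example.invalid>:
sub:u:4096:1:CCCCCCCCCCCCCCC2:1400000000::::::e:
"""


def audit(colon_listing):
    """Return (key_id, reason) for each signing-capable key that is DSA
    or RSA shorter than MIN_RSA_BITS. Other algorithms are not judged."""
    findings = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        # Fields: 1 record type, 3 key length, 4 algorithm, 5 key ID,
        # 12 capabilities (lowercase letters apply to this key itself).
        if f[0] not in ("pub", "sub") or len(f) < 12 or "s" not in f[11]:
            continue
        if not (f[2].isdigit() and f[3].isdigit()):
            continue
        bits, algo, key_id = int(f[2]), int(f[3]), f[4]
        if algo == DSA:
            findings.append((key_id, f"DSA {bits}-bit signing key; use RSA"))
        elif algo == RSA and bits < MIN_RSA_BITS:
            findings.append((key_id, f"RSA {bits}-bit; below {MIN_RSA_BITS}"))
    return findings


if __name__ == "__main__":
    # Pipe real gpg output in, or run with no input to see the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key_id, reason in audit(text):
        print(f"{key_id}: {reason}")
```

Encryption-only subkeys (capability `e`) are skipped because the report concerns keys used for signing.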