[ https://jira.codehaus.org/browse/MNGSITE-216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=359706#comment-359706 ]

Robert Scholte commented on MNGSITE-216:
----------------------------------------

http://cms.apache.org see also 
http://maven.apache.org/developers/website/index.html

> Obsolete instructions in 
> http://maven.apache.org/developers/release/pmc-gpg-keys.html
> -------------------------------------------------------------------------------------
>
>                 Key: MNGSITE-216
>                 URL: https://jira.codehaus.org/browse/MNGSITE-216
>             Project: Maven Project Web Site
>          Issue Type: Bug
>         Environment: GnuPG
>            Reporter: Tibor Digana
>            Assignee: Tibor Digana
>            Priority: Critical
>
> As a new committer, I had to register a public GnuPG key. A few parts of this 
> documentation have not been maintained, it seems.
> http://maven.apache.org/developers/release/pmc-gpg-keys.html
> The DSA algorithm is nowadays considered not secure enough. Therefore RSA 
> should be chosen:
> {noformat}(1) DSA and Elgamal (default)
> Your selection? 1
> DSA keypair will have 1024 bits.{noformat}
> DSA Key size is nowadays too short even for RSA and should be 4096:
> {noformat}What keysize do you want? (2048) 2048
> Requested keysize is 2048 bits{noformat}
> A password was not entered. Here we have different opinions. From my PoV no 
> password might be OK for signature verification. The committers usually keep 
> their keys in the .gpg folder on their private laptops and they do not distribute 
> them in CI systems.
> {noformat}You need a Passphrase to protect your secret key.
> You don't want a passphrase - this is probably a *bad* idea!
> I will do it anyway.  You can change your passphrase at any time,
> using this program with the option "--edit-key".{noformat}



--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
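
A way to check an existing keyring or KEYS file against the two points raised in the issue (DSA primary keys, RSA keys under 4096 bits), as an added example that is not part of the original message or of the Maven documentation. It parses the output of `gpg --list-keys --with-colons`; the sample records and the `audit` function are constructed for illustration, and the 4096-bit threshold is an assumption taken from the value the report asks for.

```python
# Added example: audit `gpg --list-keys --with-colons` output for weak keys.
# Algorithm ids are the OpenPGP public-key algorithm numbers (RFC 4880).
ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
MIN_RSA_BITS = 4096  # assumption: the size the issue report asks for

# Constructed sample records (not real keys).
# Record layout: type:validity:bits:algo:keyid:created:...
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1262304000:::-:::scESC:
uid:-::::1262304000::0000::Old Committer <old@example.org>:
sub:-:2048:16:BBBBBBBBBBBBBBBB:1262304000::::::e:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1356998400:::-:::scESC:
uid:-::::1356998400::0000::Mid Committer <mid@example.org>:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1388534400:::-:::scESC:
uid:-::::1388534400::0000::New Committer <new@example.org>:
"""


def audit(colon_output, min_rsa_bits=MIN_RSA_BITS):
    """Return (keyid, algorithm, bits, reason) for each primary key that fails."""
    findings = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        # Check primary keys only; uid/sub/fpr records and short lines are skipped.
        if fields[0] != "pub" or len(fields) < 5:
            continue
        try:
            bits, algo = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # malformed length or algorithm field
        name = ALGOS.get(algo, "algo-%d" % algo)
        if algo == 17:
            findings.append((fields[4], name, bits, "DSA primary key"))
        elif algo == 1 and bits < min_rsa_bits:
            findings.append(
                (fields[4], name, bits, "RSA below %d bits" % min_rsa_bits))
    return findings


if __name__ == "__main__":
    for keyid, name, bits, reason in audit(SAMPLE):
        print("%s %s-%d: %s" % (keyid, name, bits, reason))
```

Whether a secret key has a passphrase is not visible in this listing, so the passphrase point from the report has to be checked on each committer's own machine.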
