[jira] [Commented] (COMDEV-400) Drop project keys files

2021-02-18 Thread Sebb (Jira)


[ https://issues.apache.org/jira/browse/COMDEV-400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286416#comment-17286416 ]

Sebb commented on COMDEV-400:
-

> Do those individual keys remain available for ASF accounts that are disabled 
> or removed later?

Not as far as I know

> Once someone has signed a release I think their keys should remain available 
> for ever.

Agreed, which is one reason why the project keys files are not useful.

> Drop project keys files
> ---
>
> Key: COMDEV-400
> URL: https://issues.apache.org/jira/browse/COMDEV-400
> Project: Community Development
> Issue Type: Bug
> Components: Comdev, PhoneBook, Website
> Environment: https://people.apache.org/keys/group/
> Reporter: Sebb
> Priority: Major
>
> The project keys files should be dropped.
> On the face of it the project keys files could be useful, however that is not 
> the case in practice. This is because:
> * not all release signers are members of the project group
> * release signing keys need to be kept even after a project goes to the attic 
> or the signer leaves the pmc group.
> Leaving the project keys files around may result in inappropriate usage 
> (as it has previously).
> [Note that the individual keys are still available.]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



[jira] [Commented] (COMDEV-400) Drop project keys files

2021-02-18 Thread Bertrand Delacretaz (Jira)


[ https://issues.apache.org/jira/browse/COMDEV-400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286412#comment-17286412 ]

Bertrand Delacretaz commented on COMDEV-400:


> ...Note that the individual keys are still available...

Do those individual keys remain available for ASF accounts that are disabled or 
removed later?

Once someone has signed a release I think their keys should remain available 
for ever.

https://www.apache.org/info/verification says "You may download public keys for 
the Apache project developers from our website", that might need to be updated 
to mention which is the canonical location for those keys.
