[GitHub] kwin commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is missing in keyring

2018-10-19 Thread GitBox 
kwin commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is 
missing in keyring
URL: 
https://github.com/apache/sling-tooling-release/pull/2#issuecomment-431374168
 
 
   For exactly this reason we only trust keys within 
https://people.apache.org/keys/group/sling.asc, right? Can we just import those?


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

[GitHub] kwin commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is missing in keyring

2018-10-18 Thread GitBox 
kwin commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is 
missing in keyring
URL: 
https://github.com/apache/sling-tooling-release/pull/2#issuecomment-430990437
 
 
   If I understand correctly, we should validate if the public keys are also 
listed in https://people.apache.org/keys/group/sling.asc, as that one contains 
the trusted list of public keys (as those require ASF credentials to add 
there). For more details see 
http://sling.apache.org/documentation/development/release-management.html#appendix-a-create-and-add-your-key-to-peopleapacheorg.
 Is it possible to validate against this list?


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services