RE: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
Regarding (4), once you've created the signature file, simply prepend text to it in front of the -----BEGIN PGP SIGNATURE----- line. You can have something like

    Signature by Release Manager Jordan Zimmerman
    Public Key Certificate: https://people.apache.org/keys/committer/randgalt.asc
    -----BEGIN PGP SIGNATURE-----
    [ ... ]

I suppose it would be useful to also link to a page on how to check the signature.

It seems strange to have that in the clear, but it is harmless. I just confirmed that text in front of the initial ASCII armor line is simply ignored by GnuPG and I suspect all other PGP signature verification implementations.

- Dennis

PS: Here's a page that describes how to check, although a group of keys is recommended in that case: http://www.openoffice.org/download/checksums/3.4.1_checksums.html#howto.

-----Original Message-----
From: Jordan Zimmerman [mailto:randg...@apache.org]
Sent: Wednesday, May 01, 2013 15:54
To: general@incubator.apache.org
Subject: Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)

> 1. Add a UID having your Apache ID, randgalt@ apache.org, in that PGP public-key certificate. You can indicate that it is your preference for code signing, if you desire.

That UID is there already. Can you explain what's missing?

> 2. Log into your randgalt@ a.o profile at https://id.apache.org/ and provide the fingerprint of your key as part of your profile.

done

> 3. BONUS RECOMMENDATION. Do not put a copy of the public key in the repository.

Already removed. My .asc file should show up in /keys/committer/ soon.

> 4. GRAND PRIZE RECOMMENDATION. For all external signatures that you create, add to the ascii-armored signature text (outside of the armor) a link to https://people.apache.org/keys/committer/randgalt.asc.

No comprende. I'll research how to do this.

-JZ

To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
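An added example, not part of the original thread and not GnuPG's code: a Python armor reader that separates the preamble described in the message above from the signature packet, following the ASCII armor layout and CRC-24 of RFC 4880. The packet bytes are a constructed stand-in, and `armor` and `split_signature_file` are hypothetical helper names.

```python
import base64
import re

# Matches the armor block only; text before it is never part of the match.
ARMOR_RE = re.compile(
    r"^-----BEGIN PGP SIGNATURE-----\r?\n(.*?)^-----END PGP SIGNATURE-----",
    re.S | re.M)

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    """Wrap raw packet bytes in a PGP SIGNATURE armor block."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "", *lines, check,
                      "-----END PGP SIGNATURE-----", ""])

def split_signature_file(text: str):
    """Return (preamble, packet bytes); raise ValueError on bad armor."""
    m = ARMOR_RE.search(text)
    if m is None:
        raise ValueError("no PGP SIGNATURE armor block")
    lines = m.group(1).splitlines()
    if "" not in lines:
        raise ValueError("armor headers not terminated by a blank line")
    data = lines[lines.index("") + 1:]  # armor headers end at the blank line
    packet = base64.b64decode("".join(l for l in data if not l.startswith("=")))
    for l in data:  # the optional checksum line starts with "="
        if l.startswith("=") and base64.b64decode(l[1:]) != crc24(packet).to_bytes(3, "big"):
            raise ValueError("armor CRC-24 mismatch")
    return text[:m.start()], packet

# Constructed stand-in bytes, not a real OpenPGP signature packet.
SAMPLE_PACKET = bytes(range(90))
PREAMBLE = ("Signature by Release Manager Jordan Zimmerman\n"
            "Public Key Certificate: "
            "https://people.apache.org/keys/committer/randgalt.asc\n")
```

The packet bytes come out identical whatever the preamble says, so the prepended text does not affect verification. For the same reason the key link in it is not covered by the signature and serves only as a pointer for the reader.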
[CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
I've completely misunderstood this process and need to take this back to curator-dev. FYI

-Jordan
Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
Next time please provide a link to the tag in the source code control system. That's needed to trace provenance of the files in the source release.

On 1 May 2013 19:02, Jordan Zimmerman jor...@jordanzimmerman.com wrote:
> I've completely misunderstood this process and need to take this back to curator-dev. FYI
>
> -Jordan
Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
On Wed, May 1, 2013 at 4:06 PM, sebb seb...@gmail.com wrote:
> Next time please provide a link to the tag in the source code control system. That's needed to trace provenance of the files in the source release.

While we are at it, a link to your project's KEYS file would be helpful as well.

--David
Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
On Wed, May 1, 2013 at 1:07 PM, David Nalley da...@gnsa.us wrote:
> While we are at it, a link to your project's KEYS file would be helpful as well.

Just unzip the archive. ;)

Curator folks, please find another way to distribute the KEYS file. Distributing it embedded in the source archive is worthless at best.

Marvin Humphrey
Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
That was (yet another) misunderstanding on my part. The KEYS are now in the standard (?) location: http://www.apache.org/dist/incubator/curator/KEYS

On May 1, 2013, at 1:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
> On Wed, May 1, 2013 at 1:07 PM, David Nalley da...@gnsa.us wrote:
>> While we are at it, a link to your project's KEYS file would be helpful as well.
>
> Just unzip the archive. ;)
>
> Curator folks, please find another way to distribute the KEYS file. Distributing it embedded in the source archive is worthless at best.
>
> Marvin Humphrey
RE: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
Four suggestions:

1. Add a UID having your Apache ID, randgalt@ apache.org, in that PGP public-key certificate. You can indicate that it is your preference for code signing, if you desire.

2. Log into your randgalt@ a.o profile at https://id.apache.org/ and provide the fingerprint of your key as part of your profile. This will accomplish two things: (1) It establishes that the fingerprint was provided by someone having the ASF credentials for randgalt@ a.o; (2) it causes the public key to be added to a secure location as file https://people.apache.org/keys/committer/randgalt.asc. That file is regularly synchronized with PGP key services and confirms that it is the key provided by randgalt@ in step (1) and also reflects (web-of-trust) certifications of that key by others as well as any revocation if that becomes necessary.

3. BONUS RECOMMENDATION. Do not put a copy of the public key in the repository. Instead, put a link to https://people.apache.org/keys/committer/randgalt.asc there, if desired. If it is in a file called KEYS, update the instructions to refer to the locations in the committer keys folder. (If there will be many release managers and signers in the future, you can instead instruct users to obtain all Curator committer keys from https://people.apache.org/keys/group/curator.asc once Curator becomes an ASF top-level project.)

4. GRAND PRIZE RECOMMENDATION. For all external signatures that you create, add to the ascii-armored signature text (outside of the armor) a link to https://people.apache.org/keys/committer/randgalt.asc.

The idea is to use access to your Apache profile as an additional factor beyond your self-signing of the certificate and any web-of-trust certifications of your certificate. It also lets those non-ASF folk who desire to verify signatures know whose signature the verification is expected to confirm and that the signer is an ASF committer.

- Dennis

-----Original Message-----
From: Jordan Zimmerman [mailto:jor...@jordanzimmerman.com]
Sent: Wednesday, May 01, 2013 13:39
To: general@incubator.apache.org
Subject: Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)

That was (yet another) misunderstanding on my part. The KEYS are now in the standard (?) location: http://www.apache.org/dist/incubator/curator/KEYS

On May 1, 2013, at 1:32 PM, Marvin Humphrey mar...@rectangular.com wrote:
> On Wed, May 1, 2013 at 1:07 PM, David Nalley da...@gnsa.us wrote:
>> While we are at it, a link to your project's KEYS file would be helpful as well.
>
> Just unzip the archive. ;)
>
> Curator folks, please find another way to distribute the KEYS file. Distributing it embedded in the source archive is worthless at best.
>
> Marvin Humphrey
Re: [CANCEL] [VOTE] Release Apache Curator 2.0.0-incubating (updated)
> 1. Add a UID having your Apache ID, randgalt@ apache.org, in that PGP public-key certificate. You can indicate that it is your preference for code signing, if you desire.

That UID is there already. Can you explain what's missing?

> 2. Log into your randgalt@ a.o profile at https://id.apache.org/ and provide the fingerprint of your key as part of your profile.

done

> 3. BONUS RECOMMENDATION. Do not put a copy of the public key in the repository.

Already removed. My .asc file should show up in /keys/committer/ soon.

> 4. GRAND PRIZE RECOMMENDATION. For all external signatures that you create, add to the ascii-armored signature text (outside of the armor) a link to https://people.apache.org/keys/committer/randgalt.asc.

No comprende. I'll research how to do this.

-JZ