Correct process for signing keys?

2013-06-01 Thread Andrew Phillips 

Hi all

Apologies in advance if this is not the correct audience for this  
question: what is the correct process now for publishing signing keys  
for releases? jclouds currently has a KEYS file [1]; there is another  
(different) file containing keys in the groups list [2] on  
people.apache, and most individual committers *also* have their  
personal keys automatically retrieved via people.apache (e.g. [3]).


In an email thread on this topic Brian (McCallister) indicated that:

Upon investigation, if release signing keys are published via  
https://people.apache.org/keys/ then we don't need a KEYS file and  
should remove it.


-Brian


In that case, I'd be grateful if you could give some guidance on what  
the validity of the other approaches (KEYS file published somewhere or  
group KEYS file) is, and what we should do with those files, if  
anything.


Thanks!


Andrew

[1] http://www.apache.org/dist/incubator/jclouds/KEYS
[2] https://people.apache.org/keys/group/jclouds.asc
[3] https://people.apache.org/keys/committer/andrewp.asc

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Correct process for signing keys?

2013-06-02 Thread Christian Grobmeier 
Hi Andrew,

here are some basic docs:

http://www.apache.org/dev/release-signing.html
http://www.apache.org/dev/openpgp.html#update

I could not find information on your specific question. At log4php we were
curious recently about the same and decided to go with this:
http://www.apache.org/dist/logging/log4php/KEYS

But we made sure it would match this:
https://people.apache.org/keys/group/logging-pmc.asc

Basically my understanding is the one from people would be fine alone.
There is some danger people would take the KEYS file from a mirror which is
to my knowledge not possible from people.

My 2 cents- hopefully somebody with more knowledge on that matter (infra)
can add a note.

Cheers



On Thu, May 30, 2013 at 10:44 PM, Andrew Phillips wrote:

> Hi all
>
> Apologies in advance if this is not the correct audience for this
> question: what is the correct process now for publishing signing keys for
> releases? jclouds currently has a KEYS file [1]; there is another
> (different) file containing keys in the groups list [2] on people.apache,
> and most individual committers *also* have their personal keys
> automatically retrieved via people.apache (e.g. [3]).
>
> In an email thread on this topic Brian (McCallister) indicated that:
>
>  Upon investigation, if release signing keys are published via
>> https://people.apache.org/**keys/  then
>> we don't need a KEYS file and should remove it.
>>
>> -Brian
>>
>
> In that case, I'd be grateful if you could give some guidance on what the
> validity of the other approaches (KEYS file published somewhere or group
> KEYS file) is, and what we should do with those files, if anything.
>
> Thanks!
>
>
> Andrew
>
> [1] 
> http://www.apache.org/dist/**incubator/jclouds/KEYS
> [2] 
> https://people.apache.org/**keys/group/jclouds.asc
> [3] 
> https://people.apache.org/**keys/committer/andrewp.asc
>
> --**--**-
> To unsubscribe, e-mail: 
> general-unsubscribe@incubator.**apache.org
> For additional commands, e-mail: 
> general-help@incubator.apache.**org
>
>


-- 
http://www.grobmeier.de
https://www.timeandbill.de

RE: Correct process for signing keys?

2013-06-02 Thread Dennis E. Hamilton 
@Christian

The other advantage of the people list is that it is automatically updated from 
the federation of PGP key servers so it reflects the latest "web of trust" and 
also, I presume, any revocation.  

In some cases, PMC wide is a bit too generous though.  I think the release 
manager's Apache ID is better, using <https://people.apache.org/keys/.asc>. 
 This is probably more confidence-inspiring that the web of trust itself for 
those who do not participate in Apache projects and don't know who those folks 
who've counter-signed the certificate happen to be.  In that case, the lock to 
an ASF committer is valuable.  (It is unfortunate that committers and 
especially release managers are often not visible by their @apache.org, 
thus providing even more confidence in the connection for observers.)

 - Dennis

PS: I notice I just did the thing I'm complaining about.  But I don't think 
orcmid@ a.o is subscribed to this list [;<).

-Original Message-
From: Christian Grobmeier [mailto:grobme...@gmail.com] 
Sent: Sunday, June 2, 2013 01:24 AM
To: general@incubator.apache.org
Subject: Re: Correct process for signing keys?

Hi Andrew,

here are some basic docs:

http://www.apache.org/dev/release-signing.html
http://www.apache.org/dev/openpgp.html#update

I could not find information on your specific question. At log4php we were
curious recently about the same and decided to go with this:
http://www.apache.org/dist/logging/log4php/KEYS

But we made sure it would match this:
https://people.apache.org/keys/group/logging-pmc.asc

Basically my understanding is the one from people would be fine alone.
There is some danger people would take the KEYS file from a mirror which is
to my knowledge not possible from people.

My 2 cents- hopefully somebody with more knowledge on that matter (infra)
can add a note.

Cheers



On Thu, May 30, 2013 at 10:44 PM, Andrew Phillips wrote:

> Hi all
>
> Apologies in advance if this is not the correct audience for this
> question: what is the correct process now for publishing signing keys for
> releases? jclouds currently has a KEYS file [1]; there is another
> (different) file containing keys in the groups list [2] on people.apache,
> and most individual committers *also* have their personal keys
> automatically retrieved via people.apache (e.g. [3]).
>
> In an email thread on this topic Brian (McCallister) indicated that:
>
>  Upon investigation, if release signing keys are published via
>> https://people.apache.org/**keys/ <https://people.apache.org/keys/> then
>> we don't need a KEYS file and should remove it.
>>
>> -Brian
>>
>
> In that case, I'd be grateful if you could give some guidance on what the
> validity of the other approaches (KEYS file published somewhere or group
> KEYS file) is, and what we should do with those files, if anything.
>
> Thanks!
>
>
> Andrew
>
> [1] 
> http://www.apache.org/dist/**incubator/jclouds/KEYS<http://www.apache.org/dist/incubator/jclouds/KEYS>
> [2] 
> https://people.apache.org/**keys/group/jclouds.asc<https://people.apache.org/keys/group/jclouds.asc>
> [3] 
> https://people.apache.org/**keys/committer/andrewp.asc<https://people.apache.org/keys/committer/andrewp.asc>
>
> --**--**-
> To unsubscribe, e-mail: 
> general-unsubscribe@incubator.**apache.org
> For additional commands, e-mail: 
> general-help@incubator.apache.**org
>
>


-- 
http://www.grobmeier.de
https://www.timeandbill.de


-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

RE: Correct process for signing keys?

2013-06-02 Thread Andrew Phillips 

Hi Christian, Dennis

Thanks for your responses and the links provided. By the sounds of it  
we're all roughly in the same position: aware of the different options  
and not 100% certain which is the current "correct" one, or if indeed  
all options are equally valid. Unfortunately, the docs also do seem to  
clearly identify which, if any, of the options is preferred.


@IPMC: would it be correct to infer that, at the present, time, a  
group or project KEYS file is fine but simply ensuring the release  
managers' keys are available from people.apache would be sufficient  
or, indeed, preferable?


Thanks!

ap

--
Andrew Phillips
jclouds

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Correct process for signing keys?

2013-06-02 Thread Benson Margulies 
I think that the RM _must_ have a key, that the key must be part of a
KEYS file in svn/git, and that it _should_ be uploaded into their
Apache account, and it is more better if it is signed into the GWOT
(global web of trust).

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Re: Correct process for signing keys?

2013-06-02 Thread Andrew Bayer 
Well, I've got the first three, and will bug coworkers in the GWOT to sign
my key next week. =)

A.

On Sun, Jun 2, 2013 at 2:13 PM, Benson Margulies wrote:

> I think that the RM _must_ have a key, that the key must be part of a
> KEYS file in svn/git, and that it _should_ be uploaded into their
> Apache account, and it is more better if it is signed into the GWOT
> (global web of trust).
>
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>
>