pgp keys for signing releases

From: Stefan <luke1410_at_gmx.de>
Date: Thu, 28 Apr 2016 01:14:56 +0200


Finishing up the creation of my Apache key for signing SVN releases, I
ran into some details in the docs which seem to be outdated/unclear to me:

The SVN community-guide [1] states:
"Members of the PMC, as well as enthusiastic community members are
encouraged to download the tarballs from the preliminary distribution
location, run the tests, and then provide their signatures. The public
keys for these signatures should be included in the ASF LDAP instance
through id.apache.org <https://id.apache.org/>. (A list of the current
public keys <https://people.apache.org/keys/group/subversion-pmc.asc>
for members of the Subversion PMC is autogenerated from LDAP each day.)"

1. on id.apache.org I seem to only be able to specify the fingerprint of
my key, but I can't find a way to upload the complete public key. Is
this outdated? Is the process now picking up the key from the public
keyservers based on the fingerprint I enter there?
2. The link to the "current public keys" causes a 404 for me. I take it
this one is the correct/new link (taken from releases.py):
3. If the new link I mention in no. 2 is right, does the absence of the
"-pmc" in the filename mean that that file now contains all keys from
all contributors (including the partial contributors) instead of only
the ones from the PMC, and hence my key will be added automatically too
without me having to do anything else?

On the other hand the Apache release signing documentation [2] states:
"The KEYS file is stored alongside the release archives to which it
applies, e.g. at the top level of the ASF mirror area for the project.
This is to ensure that it is available for download by users, and that
it is automatically archived with historic releases.
*Note:* this system will be replaced by a better process in the near
future. In preparation, please ensure that public keys are connected as
strongly as possible to the Apache web of trust
<http://www.apache.org/dev/release-signing.html#web-of-trust> and are
available from the major public key servers."

4. Am I right in assuming that this process already took place and the
reference to having to manually add my public key to the KEYS file is
therefore obsolete? If not, where is the file located for the Subversion
project? I didn't find it on dist/subversion and failed to locate it on

While writing this mail, I see that there's [3] now a list of
(presumably) all Apache committers and my key is also listed there. So I
take it that everything worked and all the other steps I read in the
documentation are no longer required indeed, no?


[2] http://www.apache.org/dev/release-signing.html#keys-policy
[3] https://people.apache.org/keys/committer/
Received on 2016-04-28 01:15:02 CEST
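The questions above come down to whether a release signature can be checked against the project's KEYS file and a known fingerprint. The following is an added example, not code from this thread or from the Subversion project, that imports a KEYS file into a throwaway keyring, verifies a detached signature and accepts it only when the signing key's primary fingerprint is on an allowlist; the function names and the sample gpg status output are constructed.

```python
# Added example: verify a release's detached signature against a KEYS file
# and an allowlist of primary-key fingerprints. Names are constructed.
import subprocess
import tempfile

# Statuses that mean "reject" even though gpg may also print VALIDSIG.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Return (good, primary_fingerprint) from gpg --status-fd output.

    The last VALIDSIG field is the primary key fingerprint, which is what a
    KEYS file lists; the first field may be a signing subkey and is ignored.
    """
    good, primary_fpr = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(args) >= 10:
            primary_fpr = args[9].upper()
    return good, primary_fpr

def signer_is_trusted(status_text, trusted_fingerprints):
    """True only for a good signature made under an allowlisted primary key."""
    good, fpr = parse_status(status_text)
    allow = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    return good and fpr in allow

def verify_release(tarball, signature, keys_file, trusted_fingerprints):
    """Import KEYS into an empty temporary keyring, then verify the signature."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", keys_file], check=True, capture_output=True)
        proc = subprocess.run(gpg + ["--status-fd", "1", "--verify", signature, tarball],
                              capture_output=True, text=True)
        return signer_is_trusted(proc.stdout, trusted_fingerprints)

# Constructed status output: signature by a subkey (first VALIDSIG field) of
# the primary key whose fingerprint is the last field.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-04-28 \
1461800000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
```

A plain "Good signature" from gpg only says the signature matches some key in the keyring; the fingerprint comparison is what ties it to the key registered for the release manager.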

