
Re: pgp keys for signing releases

From: Stefan Hett <stefan_at_egosoft.com>
Date: Thu, 28 Apr 2016 12:49:02 +0200

Hi,
>
> Not entirely sure, but I think you should still publish your pgp key
> to the major key stores. Once you put your fingerprint on
> id.apache.org, it knows how to fetch your key from there.
>
Yep, did that and it seems to have worked. So I take it I'm all fine
here. :-)
>
> From: Stefan <mailto:luke1410_at_gmx.de>
> Sent: Thursday 28 April 2016 01:15
> To: dev_at_subversion.apache.org <mailto:dev_at_subversion.apache.org>
> Subject: pgp keys for signing releases
>
> Hi,
>
> finishing up the creation of my apache key for signing SVN releases I
> ran into some details in the docs which seem to be outdated/unclear to me:
>
> The SVN community-guide [1] states:
> "Members of the PMC, as well as enthusiastic community members are
> encourages to download the tarballs from the preliminary distribution
> location, run the tests, and then provide their signatures. The public
> keys for these signatures should be included in the ASF LDAP instance
> through id.apache.org <https://id.apache.org/>. (A list of the current
> public keys <https://people.apache.org/keys/group/subversion-pmc.asc>
> for members of the Subversion PMC is autogenerated from LDAP each day.)"
>
> 1. on id.apache.org I seem to only be able to specify the fingerprint
> of my key, but I can't find a way to upload the complete public key.
> Is this outdated? Is the process now picking up the key from the
> public keyservers based on the fingerprint I enter there?
> 2. The link to the "current public keys" causes a 404 to me. I take it
> this one is the correct/new link (taken from releases.py):
> https://people.apache.org/keys/group/subversion.asc
> 3. If the new link I mention in no 2 is right, does the absence of the
> "-pmc" in the filename mean that that file contains now all keys from
> all contributors (including the partial contributors) instead of only
> the ones from the PMC and hence my key will be added automatically too
> without me having to do anything else?
>
> On the other hand the Apache release signing documentation [2] states:
> "The KEYS file is stored alongside the release archives to which it
> applies, e.g. at the top level of the ASF mirror area for the project.
> This is to ensure that it is available for download by users, and that
> it is automatically archived with historic releases.
> [...]
> *Note:* this system will be replaced by a better process in the near
> future. In preparation, please ensure that public keys are connected
> as strongly as possible to the Apache web of trust
> <http://www.apache.org/dev/release-signing.html#web-of-trust> and are
> available from the major public key servers
> <http://www.apache.org/dev/release-signing.html#keyserver>."
>
> 4. Am I assuming right that this process already took place and the
> reference of having to manually add my public key to the KEYS file is
> therefore obsolete? If not, where is the file located for the
> Subversion project? I didn't find it on dist/subversion and failed to
> locate it on subversion/trunk.
>
> While writing this mail, I see that there's [3] now a list of
> (presumably) all Apache committers and my key is also listed there. So
> I take it that everything worked and all the other steps I read on the
> documentation are no longer required indeed, no?
>
> Regards,
> Stefan
>
> [1]
> https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
> [2] http://www.apache.org/dev/release-signing.html#keys-policy
> [3] https://people.apache.org/keys/committer/
>

-- 
Regards,
Stefan Hett
Received on 2016-04-28 12:49:13 CEST
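The verifying side of what the thread discusses, as an added example that is not from the thread or the Subversion project: it imports the autogenerated group key file (https://people.apache.org/keys/group/subversion.asc, mentioned above) into a throwaway keyring and checks a tarball's detached signature against only those keys, so a key from the user's regular keyring can never satisfy the check. It assumes gpg 2.x and awk are installed; the tarball and signature file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the mail thread): verify a release tarball using
# only the keys published in the project's KEYS file. Assumes gpg 2.x.
set -eu

# Autogenerated group key file named in the thread; fetch it over HTTPS:
#   curl -sSfo KEYS "$KEYS_URL"
KEYS_URL=https://people.apache.org/keys/group/subversion.asc

# Read gpg --status-fd output on stdin and print the fingerprint of every
# key that produced a VALIDSIG. The fingerprint is the third field of a
# VALIDSIG line; GOODSIG alone is not enough because it carries only a key
# id, which is not a full fingerprint.
valid_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }'
}

# verify_release TARBALL SIGFILE KEYSFILE
# Imports KEYSFILE into a fresh, empty GNUPGHOME so that the signature can
# only validate against a key listed in KEYS. Prints the signer's
# fingerprint on success; returns 1 (no output) otherwise.
verify_release() {
    tarball=$1 sigfile=$2 keysfile=$3
    tmp=$(mktemp -d)                  # mktemp -d creates it mode 0700
    trap 'rm -rf "$tmp"' EXIT
    gpg --homedir "$tmp" --batch --quiet --import "$keysfile"
    # Status lines go to stdout (fd 1); human-readable output is discarded.
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 \
                 --verify "$sigfile" "$tarball" 2>/dev/null || true)
    fpr=$(printf '%s\n' "$status" | valid_fprs)
    if [ -z "$fpr" ]; then
        echo "no valid signature from a key listed in $keysfile" >&2
        return 1
    fi
    echo "$fpr"
}

# Usage (placeholder names):
#   verify_release subversion-X.Y.Z.tar.bz2 subversion-X.Y.Z.tar.bz2.asc KEYS
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

Compare the printed fingerprint with the one the release manager announced; a VALIDSIG only proves the signature was made by some key in KEYS, not by the key you expected.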

This is an archived mail posted to the Subversion Dev mailing list.