qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: Question about PGP signing keys location for Qpid project
Date Wed, 02 Dec 2015 17:01:18 GMT
On 2 December 2015 at 16:20, Oleksandr Rudyy <orudyy@gmail.com> wrote:
> Hi all,
> Whilst performing release tasks for qpid java components of version 6.0.0 I
> realized that KEYS file [1] referred from Qpid download page [2] is
> actually not up to date.
> As far as I understood currently public PGP signing keys for qpid project
> are kept in [3].
> I am not sure why download page refers public keys from [1]. Is it
> intentional?
> If yes, what is the rationale behind that?
> If not, we need to update download page to refer keys from [2].
> Kind Regards,
> Alex
> [1] http://www.apache.org/dist/qpid/KEYS
> [2] https://qpid.apache.org/download.html#verify-what-you-download
> [3] https://people.apache.org/keys/group/qpid.asc

Great timing, I was also planning a mail on the subject as I had
grabbed your key from
https://people.apache.org/keys/committer/orudyy.asc earlier to verify
the files.

Long ago, when the bits were put in place for
https://people.apache.org/keys/<foo> (files are available for
individual committers, committer groups, and pmc groups) I think the
idea was that folks could transition to using that as the source for
their keys. Traditionally the source was just a KEYS file in the
source repository, but this can be a little cumbersome and certainly
becomes a bit more awkward when you have multiple repositories as we
now do.

Having a KEYS file on the main dist area (populated from the generated
file) still seems reasonable enough given it is the primary source,
contains the other files, and is explicitly updated. Like the sig
files, I don't believe it gets mirrored. Pointing directly to the
auto-generated files also seems reasonable enough (one thought that
just popped into my mind is that people.apache.org is being
transitioned away, with home dirs moving to home.apache.org soon, and
other services to be addressed when the time comes, not sure if that
will have any impact here). Both seem like improvement over keeping
the current source file in SVN, particularly when many of the
components now live in other repos.


To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message