On Dec 20, 2007 5:08 PM, Marshall Schor <msa@schor.com> wrote:
> Robert Burrell Donkin wrote:
> > /dist/incubator/uima now exists on people. feel free to upload the
> > latest release, sums, sigs, KEYS and documentation. the release
> > shouldn't be announced until the mirroring script is done and tests
> > but there's no need for the upload to wait on the script.
> >
> > NB
> >
> > 1. ***NEVER*** alter any document placed in dist
> >
> Robert - several of the projects we see have a file "KEYS" at the top
> level.  As new people join the set of code-signers, I presume this file
> would be altered?  In dist/httpd, the date of the KEYS file is quite recent.
>
> So - is a KEYS file an exception to #1 above?

yes

> If so, what is the underlying principal for #1?

specifically the released artifacts should never be changed. (for
security, release artifacts in dist are scanned for changes.) if any
problems are found with a release after it's been uploaded to dist, a
new release should be cut with a new release number rather than
replacing the old one.

- robert