William A. Rowe, Jr. wrote:
> [EMAIL PROTECTED] wrote:
>> Author: markt
>> Date: Sat Nov 15 04:59:01 2008
>> New Revision: 714246
>>
>> URL: http://svn.apache.org/viewvc?rev=714246&view=rev
>> Log:
>> Update KEYS with changes from 6.0.x (Remy updated his key)
> 
>> -pub   1024D/41E49465 2006-11-08
>> -      Key fingerprint = 80FF 76D8 8A96 9FE4 6108  558A 80B9 53A0 41E4 9465
>> -uid                  Remy Maucherat <[EMAIL PROTECTED]>
>> -sig 3        41E49465 2006-11-08  Remy Maucherat <[EMAIL PROTECTED]>
>> -sub   4096g/D07A28EB 2006-11-08
>> -sig          41E49465 2006-11-08  Remy Maucherat <[EMAIL PROTECTED]>
>> +pub   1024D/288584E7 2008-07-02
>> +uid                  Rémy Maucherat <[EMAIL PROTECTED]>
>> +sub   4096g/4B6FAEFB 2008-07-02
> 
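Review bot: The added 288584E7 entry carries no "Key fingerprint =" line, while the removed 41E49465 entry had one, so a reader of KEYS has only the eight-hex-digit short ID to compare against. Add the full fingerprint line for the new key. The same hunk also deletes the whole 41E49465 block (pub, fingerprint, uid, sig, sub) rather than appending to it. If any release artifact was signed with that key or its subkey D07A28EB, keep the old block and add the new one after it.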
> Hmmm... if anything is signed with 41E49465 or its subkeys, that key should
> not be pulled from KEYS.  Adding a new key is sufficient.

For trunk, we haven't done any releases so this isn't an issue.

For 6.0.x, the old key was used to sign releases so it is actually this
commit that needs to be fixed:
http://svn.apache.org/viewvc?diff_format=h&view=rev&revision=674323

I'll get that done shortly.

> If he has revoked key 41E49465, files signed in http://archive.apache.org/
> are now suspect and must be pulled down, and re-signed.  Quite a PITA.

41E49465 has not been revoked.

> Hopefully 41E49465 is not compromised and could still sign 2288584E7 as
> its descendant (full-trust), which solves the problem of the limited #
> of signatures on a brand new key.

It would, if Remy's old key had more signatures than his new one.
pgp.mit.edu is reporting just the one for both.

Mark
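
The rule discussed in this thread, that a key which has signed releases must stay in KEYS, can be checked mechanically on each commit. The following is an added example, not part of the original messages or of the project's tooling; the function name `removed_keys` and the sample input are constructed here, and the parser assumes the key listing format shown in the quoted diff.

```python
import re

# Matches a primary-key line such as "-pub   1024D/41E49465 2006-11-08",
# capturing the diff marker and the key ID.
PUB_LINE = re.compile(r"^([+-])pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8,16})\b")


def removed_keys(diff_text):
    """Return IDs of primary keys that a KEYS diff removes and does not re-add."""
    removed, added = [], set()
    for raw in diff_text.splitlines():
        # Strip mail quoting ("> ", ">> ") so a quoted commit mail can be checked too.
        line = re.sub(r"^(?:>\s?)+", "", raw)
        match = PUB_LINE.match(line)
        if not match:
            continue
        sign, key_id = match.group(1), match.group(2).upper()
        if sign == "-":
            removed.append(key_id)
        else:
            added.add(key_id)
    # A key that is removed and added again in the same diff was only moved.
    return [key_id for key_id in removed if key_id not in added]


# Constructed sample: the pub/sub lines of the commit quoted in this thread.
SAMPLE = """\
-pub   1024D/41E49465 2006-11-08
-sub   4096g/D07A28EB 2006-11-08
+pub   1024D/288584E7 2008-07-02
+sub   4096g/4B6FAEFB 2008-07-02
"""

if __name__ == "__main__":
    for key_id in removed_keys(SAMPLE):
        print(f"KEYS diff removes {key_id}: signatures made with it "
              "can no longer be checked against KEYS")
```
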

