It seems to me that KEYS in the release is somewhat counterproductive.
The goal here is to allow and encourage consumers to independently
verify signatures. That calls for KEYS somewhere else than inside the
package.

On Mon, Jun 27, 2011 at 7:10 AM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> Jukka Zitting wrote on Mon, Jun 27, 2011 at 11:07:11 +0200:
>> Hi,
>>
>> On Mon, Jun 27, 2011 at 6:32 AM, Noel J. Bergman <n...@devtech.com> wrote:
>> > It seems to me to be a bad idea to distribute keys with releases.  And don't
>> > we already have some ASF-wide policy for managing keys?
>>
>> http://www.apache.org/dev/release-signing.html#keys-policy
>> http://incubator.apache.org/guides/releasemanagement.html#distribution-signing
>>
>> The latter spells out the preferred KEYS file location: "Each podling
>> should maintain its own KEYS file directly in the podling distribution
>> directory."
>>
>
> The latter predates https://people.apache.org/keys/.  I don't know if
> the IPMC ever considered which of the two it prefers.
>
>> BR,
>>
>> Jukka Zitting
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>> For additional commands, e-mail: general-h...@incubator.apache.org
>>
>
