Well, I guess the debate is because of Groovy and our use of robot keys, so "should" vs "must". If it's a should, I think we're ok. The reason we use robot signing is automation. We want to avoid as much human intervention in the release process as possible. That is to say, in the end, the whole release process should be automated; only checking the artifacts should be human-based. This is not possible if we involve individual signatures. Basically, for Groovy, before joining Apache, we used to automate everything but checking the artifacts. It has worked pretty well so far... Of course one option is to put our private keys into the CI server but ahem... I don't really like the idea of having my private key in the wild.
2015-06-08 14:50 GMT+02:00 Jake Farrell <[email protected]>:
> The release manager should use their individual key, details on signing and
> keys are available at [1]
>
> -Jake
>
> [1]: http://www.apache.org/dev/release-signing.html
>
> On Mon, Jun 8, 2015 at 2:59 AM, Roman Shaposhnik <[email protected]> wrote:
>
> > Hi!
> >
> > my recollection is that the collective opinion
> > was to discourage the use of KEYS of robots
> > for signing the releases and prefer individuals
> > do that with their keys.
> >
> > I remember a thread to that effect, but I can't
> > google it. Am I misremembering?
> >
> > Thanks,
> > Roman.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
