2015-06-08 17:41 GMT+02:00 David Nalley <[email protected]>:

> On Mon, Jun 8, 2015 at 9:40 AM, Cédric Champeau
> <[email protected]> wrote:
> > We are not using the Apache CI servers for that but our own CI server. IMHO
> > you should make a difference between building and checking. Building should
> > be automated as much as possible. Checking the release is a human job.
> > There are lots of reasons why we stopped releasing from a local computer
> > years ago.
>
> Who has access to the keys? How are they secured, and what's the plan
> for going forward with that? (and this should all be documented) I ask
> this because I know of more than one project that has had a
> 'centralized key' to sign with; but which the PMC didn't control; and
> that eventually caused problems when the person with access to the key
> disappeared from the community.
>
The key is on the CI server. All PMC members have access to it. It is also on Bintray. I have signed the key too.
