On Fri, 15 Mar 2019 at 00:09, Nick Kew <[email protected]> wrote:
>
> > On 14 Mar 2019, at 17:49, Dave Fisher <[email protected]> wrote:
> >
> > Hi -
> >
> > I’ve been reviewing releases and you are missing your KEYS file from
> > https://dist.apache.org/repos/dist/release/incubator/myriad/
> >
> > Your site should refer users to the KEYS file at
> > https://www.apache.org/dist/incubator/myriad/KEYS
>
> ASF maintains foundation-wide keys at
> https://people.apache.org/keys/committer/ .
> Isn't that a better resource to reference than for individual projects to
> replicate KEYS?
> Especially for the many folks who are involved with multiple projects!

The KEYS file only needs to contain keys for people who sign releases.
Also it needs to be stored on the archive server so people can validate historic releases.
For this reason, keys should not be removed from the file.

The key files at people.apache.org are not really suitable for download validation.

> --
> Nick Kew
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
