Tibor Digana created MNG-5746:
---------------------------------

             Summary: Obsolete instructions in http://maven.apache.org/developers/release/pmc-gpg-keys.html
                 Key: MNG-5746
                 URL: https://jira.codehaus.org/browse/MNG-5746
             Project: Maven
          Issue Type: Bug
          Components: Documentation:  General
         Environment: GnuPG
            Reporter: Tibor Digana
            Priority: Critical


As a new Committer I had to register a public GnuPG key. A few parts of this 
documentation were not maintained, as it seems.
http://maven.apache.org/developers/release/pmc-gpg-keys.html

The DSA algorithm is nowadays considered not secure enough. Therefore RSA 
should be chosen:
(1) DSA and Elgamal (default)
Your selection? 1
DSA keypair will have 1024 bits.


The DSA key size is nowadays too short, even for RSA, and should be 4096:
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits


A password was not entered. Here we have different opinions. From my PoV no 
password might be OK for signature verification. Committers usually keep 
their keys in the .gpg folder on their private laptops and do not distribute 
them to CI systems.

You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".



--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
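Added example, not part of the issue text or of the Maven release documentation: a portable shell script that (a) prints an unattended GnuPG key-generation parameter file selecting RSA 4096 for both the primary signing key and the encryption subkey, with the passphrase requested interactively, and (b) audits the machine-readable output of "gpg --list-keys --with-colons" for DSA, Elgamal or short RSA keys. The name and e-mail in the parameter file are placeholders, and the colon-format key listing embedded below is constructed sample data, not a real keyring.

```shell
#!/bin/sh
# Added example (not from the Maven docs or the issue): generate an RSA 4096
# key spec for "gpg --batch --gen-key" and audit existing keys for weak
# algorithms or sizes using "gpg --list-keys --with-colons" output.

# Print a batch parameter file for "gpg --batch --gen-key".
# Name-Real / Name-Email are placeholders (assumption): replace with your own.
# %ask-passphrase makes gpg prompt for a passphrase instead of storing the
# secret key unprotected.
gen_key_params() {
  cat <<'EOF'
%echo Generating an RSA 4096 signing key with an RSA 4096 encryption subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: Jane Committer
Name-Email: jane@example.org
Expire-Date: 2y
%ask-passphrase
%commit
%echo done
EOF
}

# Read --with-colons records on stdin and print one line per weak primary key
# ("pub") or subkey ("sub"). In that format field 3 is the key length in bits,
# field 4 the public-key algorithm id (1 = RSA, 16 = Elgamal, 17 = DSA,
# 20 = Elgamal sign+encrypt) and field 5 the key id.
audit_keys() {
  awk -F: '
    $1 == "pub" || $1 == "sub" {
      reason = ""
      if ($4 == 17) reason = "DSA"
      else if ($4 == 16 || $4 == 20) reason = "Elgamal"
      else if ($4 == 1 && $3 < 2048) reason = "RSA too short"
      if (reason != "") printf "%s %s %s bits %s\n", $1, $5, $3, reason
    }'
}

# Constructed sample listing (not from a real keyring): one obsolete
# DSA/Elgamal pair as the old Maven page produced, and one RSA 4096 pair.
SAMPLE_KEYS='pub:u:1024:17:AAAAAAAAAAAAAAAA:1420070400:::u:::scESC::::::23::0:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1420070400::::::e::::::23:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1420070400:::u:::scESC::::::23::0:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1420070400::::::e::::::23:'

if [ "${1:-}" = "--gen" ]; then
  # Really create the key; gpg prompts for the passphrase via pinentry.
  gen_key_params | gpg --batch --gen-key
elif [ "${1:-}" = "--audit" ]; then
  # Audit the caller's own keyring.
  gpg --list-keys --with-colons | audit_keys
else
  # Stand-alone demonstration on the constructed sample.
  printf '%s\n' "$SAMPLE_KEYS" | audit_keys
fi
```

Run it without arguments to see the two weak entries from the sample flagged, "--audit" to check your own keyring before uploading a key to a keyserver or adding it to the project KEYS file, and "--gen" to create a fresh RSA 4096 key pair from the parameter file.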
