On 08/16/2011 10:21 AM, Fabio Mancinelli wrote:
> Hi,
>
> +1 for every release manager to have his own key.
> Though I think that there should be an "XWiki.org" key that is kept
> only by one person and that is used to sign the release managers' keys.
> In this way artifacts will be marked as released by somebody that is
> also trusted by XWiki.org.

Yes, that's what I was thinking as well last night. And the XWiki.org
master key should be signed by a trusted authority.

> -Fabio
>
> On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
> <calebdelisle(a)lavabit.com> wrote:
>>
>>
>> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>>> Hi,
>>>>
>>>> I think we should start signing our artifacts using PGP as explained here:
>>>>
>>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
>>>>
>>>> Here's my +1
>>>
>>> +1.
>>>
>>> Do we use only one key, installed on the release machine? It should be
>>> protected by a strong passphrase.
>>
>> +1
>> I really don't like the "one key on the release box" idea.
>> IMO each release manager should sign with their key which ofc never leaves their own computer.
>>
>> Caleb
>>
>>>
>>>>
>>>> Thanks
>>>> -Vincent
>>>>
>>>> PS: If we agree I can commit the changes required to our top level POM to implement this (I have them locally already)
>>>
>>> PS2: When's the release user ready on one of the new agents?
>>>
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
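The model discussed in this thread (each release manager signs with a personal key; an XWiki.org master key certifies those keys) only helps a consumer if they actually check the certification before trusting an artifact signature. The script below is an added example, not code from the thread or from the XWiki project: it reads the machine-readable output of `gpg --with-colons --list-sigs <KEYID>` and reports which release-manager keys carry an unrevoked certification from the master key. The master key ID and the listing are constructed placeholders (field positions follow GnuPG's documented colon format: record type, key ID in field 5, user ID in field 10, signature class in field 11).

```python
"""Check which release-manager keys are certified by the XWiki.org master key.

Input is the output of:  gpg --with-colons --list-sigs <RELEASE_MANAGER_KEYID>
Record layout per GnuPG doc/DETAILS: field 1 = record type, field 5 = key ID,
field 10 = user ID, field 11 = signature class ("13x" = positive certification,
"30x" = certification revocation).
"""

# Placeholder for the XWiki.org master key ID (assumption, not a real key).
MASTER_KEY_ID = "0123456789ABCDEF"

# Constructed sample listing, not real XWiki keys:
#  - key ...3210: self-signature plus a positive certification from the master key
#  - key ...4444: self-signature only (never certified)
#  - key ...8888: certified by the master key, then that certification was revoked
SAMPLE_LISTING = """\
tru::1:1313500000:0:3:1:5
pub:u:4096:1:FEDCBA9876543210:1313400000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAFEDCBA9876543210:
uid:u::::1313400000::HASH1::Release Manager One <rm1@example.org>::::::::::0:
sig:::1:FEDCBA9876543210:1313400000::::Release Manager One <rm1@example.org>:13x::::::::::
sig:::1:0123456789ABCDEF:1313450000::::XWiki.org Master Key <placeholder@example.org>:13x::::::::::
pub:u:4096:1:1111222233334444:1313400000:::u:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB1111222233334444:
uid:u::::1313400000::HASH2::Release Manager Two <rm2@example.org>::::::::::0:
sig:::1:1111222233334444:1313400000::::Release Manager Two <rm2@example.org>:13x::::::::::
pub:u:4096:1:5555666677778888:1313400000:::u:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC5555666677778888:
uid:u::::1313400000::HASH3::Release Manager Three <rm3@example.org>::::::::::0:
sig:::1:5555666677778888:1313400000::::Release Manager Three <rm3@example.org>:13x::::::::::
sig:::1:0123456789ABCDEF:1313450000::::XWiki.org Master Key <placeholder@example.org>:13x::::::::::
rev:::1:0123456789ABCDEF:1313480000::::XWiki.org Master Key <placeholder@example.org>:30x::::::::::
"""

# Signature classes 0x10..0x13 are user-ID certifications (generic .. positive).
CERTIFICATION_CLASSES = ("10", "11", "12", "13")


def parse_listing(text):
    """Group colon-format records by primary key.

    Returns {key_id: {"uids": [...], "certs": [(signer_id, sig_class)], "revoked_by": set()}}.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = fields[4]
            keys[current] = {"uids": [], "certs": [], "revoked_by": set()}
        elif current is None:
            continue  # e.g. the leading "tru" trust-db record
        elif rtype == "uid":
            keys[current]["uids"].append(fields[9])
        elif rtype == "sig":
            keys[current]["certs"].append((fields[4], fields[10]))
        elif rtype == "rev":
            keys[current]["revoked_by"].add(fields[4])
    return keys


def certified_by_master(key, master_id=MASTER_KEY_ID):
    """True if the master key issued a certification on this key and has not revoked it."""
    if master_id in key["revoked_by"]:
        return False
    return any(signer == master_id and sig_class[:2] in CERTIFICATION_CLASSES
               for signer, sig_class in key["certs"])


def trusted_release_signers(listing_text, master_id=MASTER_KEY_ID):
    """Key IDs (sorted) that a consumer may accept as artifact signers under the thread's policy."""
    keys = parse_listing(listing_text)
    return sorted(kid for kid, key in keys.items()
                  if kid != master_id and certified_by_master(key, master_id))


if __name__ == "__main__":
    for kid, key in parse_listing(SAMPLE_LISTING).items():
        status = "trusted" if certified_by_master(key) else "NOT certified by master"
        print(f"{kid}  {key['uids'][0]}  -> {status}")
```

Two things worth noting about the design: matching on the 16-hex-digit long key ID is a simplification, since `sig` records in this format carry only the signer's key ID, so in practice you should also confirm the master key's full fingerprint out of band (and that the master key is itself certified by the authority the thread mentions). The `rev` handling matters: a release manager whose key the master key has stopped vouching for should drop out of the trusted set, which a check that only looks for the presence of a `sig` record would miss.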