[armedbear-devel] Release signing (was Maven & ABCL)
ehuels at gmail.com
Thu Feb 10 20:46:32 UTC 2011
>> Morale: this is not terribly complicated, and it would make ABCL
>> available through another distribution channel. OTOH, I can't hide the
>> fact that - besides my own personal convenience for my shared project
>> - probably no-one is using ABCL in Maven projects right now, and
>> having ABCL released through Maven would complicate its release
>> process, not much for technical reasons but for organizational ones
>> (e.g. who keeps ABCL's GPG key? How is it managed?).
> Currently Erik maintains the GPG key we currently use for signing. Does
> anyone have a model by which we could somehow share it? It might be
> nice to start "rotating" the responsibility for the releases among the
> four core committers to help take some work off of Erik's plate.
Yes. The key I use for signing as really my own though: I use it to
sign all packages I put up for distribution: usocket (when I last
did), cl-irc, ABCL, Subversion, py-configparser and maybe others.
Within the Subversion project we had a discussion about having a
project key or not. We considered that a project key would have to be
passed from one to another person, increasing chances of the key
getting compromised. Also, the process with a single key means single
point of failure.
What we considered back then - and are still doing today - is that as
many committers as possible sign the release. Each committer signs the
variants of the release he/she verified and tested to work well.
(There is a tgz and a zip release, exactly like ours, one meant for
*nix, the other for Windows).
Having many committers sign each release reduces the dependency on
every single one of them, but also allows others to join in and maybe
have some of the older contributors flow out. Due to the fact that the
core stays the same from one release to another, the signatures are
still very well recognizable as "the official Subversion release with
its regular signatures".
I'm interested in your opinions (and how this might work with Maven).
Do you think this approach would help to lift work off my shoulders?
Do you think it's a good idea to make the signatures "mean" anything?
Do you think our group of contributors is large enough to start
collecting multiple signatures at all?
By the way, I think it's really great that we're actually having this
discussion. To me it says something about the maturity of the ABCL
project and the attitude of the committers in its community: we're a
group dedicated to setting steps in the direction of delivering mature
software with solid processes to ensure that our users are getting the
quality they deserve.
More information about the armedbear-devel