[all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

[all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Amey Jadiye
I observed we have lot of keys in https://www.apache.org/dist/commons/KEYS,
even keys of developers who might have resigned from commons, can we just
review and  remove keys of developers who resigned or no more active ?

Regards,
Amey

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

garydgregory
There is no criteria for "not active"; either you are a committer or you
are not per: https://people.apache.org/phonebook.html?unix=commons

Gary

On Tue, Jul 18, 2017 at 11:21 AM, Amey Jadiye <[hidden email]> wrote:

> I observed we have lot of keys in https://www.apache.org/dist/commons/KEYS
> ,
> even keys of developers who might have resigned from commons, can we just
> review and  remove keys of developers who resigned or no more active ?
>
> Regards,
> Amey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

garydgregory
Also, the KEYS list can include ANY Apache Committer, not just members
Apache Commons.

IOW, I think the only people to remove are people that no longer are Apache
Committers.

Gary

On Tue, Jul 18, 2017 at 11:25 AM, Gary Gregory <[hidden email]>
wrote:

> There is no criteria for "not active"; either you are a committer or you
> are not per: https://people.apache.org/phonebook.html?unix=commons
>
> Gary
>
> On Tue, Jul 18, 2017 at 11:21 AM, Amey Jadiye <[hidden email]>
> wrote:
>
>> I observed we have lot of keys in https://www.apache.org/dist/co
>> mmons/KEYS,
>> even keys of developers who might have resigned from commons, can we just
>> review and  remove keys of developers who resigned or no more active ?
>>
>> Regards,
>> Amey
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Rob Tompkins
In reply to this post by garydgregory


> On Jul 18, 2017, at 2:25 PM, Gary Gregory <[hidden email]> wrote:
>
> There is no criteria for "not active"; either you are a committer or you
> are not per: https://people.apache.org/phonebook.html?unix=commons
>

It feels like a bad idea because we may have very old releases that could still be verified by using the archaic keys in the file.

My 2 cents,
-Rob

> Gary
>
>> On Tue, Jul 18, 2017 at 11:21 AM, Amey Jadiye <[hidden email]> wrote:
>>
>> I observed we have lot of keys in https://www.apache.org/dist/commons/KEYS
>> ,
>> even keys of developers who might have resigned from commons, can we just
>> review and  remove keys of developers who resigned or no more active ?
>>
>> Regards,
>> Amey
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Amey Jadiye
In reply to this post by garydgregory
How about developers who resigned ? It means whoever sent mail that they
are not willing to be the part of community.?

I think keeping keys of  non-active developers of Ok.

Ex.
James have resigned http://commons.markmail.org/message/i2davy3nf4fr7xqp
But I can see his key.

pub   1024D/9EEDB2D5 2006-04-14
uid                  James Carman <[hidden email]>
sig 3        9EEDB2D5 2006-04-14  James Carman <[hidden email]>
sub   2048g/4240E713 2006-04-14
sig          9EEDB2D5 2006-04-14  James Carman <[hidden email]>


Also I see lot of people resigned here
http://commons.markmail.org/message/2fzh5qgwhppkdslj

Regards,
Amey


On Tue, Jul 18, 2017 at 11:55 PM, Gary Gregory <[hidden email]>
wrote:

> There is no criteria for "not active"; either you are a committer or you
> are not per: https://people.apache.org/phonebook.html?unix=commons
>
> Gary
>
> On Tue, Jul 18, 2017 at 11:21 AM, Amey Jadiye <[hidden email]>
> wrote:
>
> > I observed we have lot of keys in https://www.apache.org/dist/
> commons/KEYS
> > ,
> > even keys of developers who might have resigned from commons, can we just
> > review and  remove keys of developers who resigned or no more active ?
> >
> > Regards,
> > Amey
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
> >
>



--

---------------------------------------------------------------------

To unsubscribe, e-mail: [hidden email]

For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Stefan Bodewig
In reply to this post by Amey Jadiye
On 2017-07-18, Amey Jadiye wrote:

> I observed we have lot of keys in https://www.apache.org/dist/commons/KEYS,
> even keys of developers who might have resigned from commons, can we just
> review and  remove keys of developers who resigned or no more active ?

We shouldn't remove any key that has been used to sign a release in the
past. No matter how long in the past :-)

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

garydgregory
On Tue, Jul 18, 2017 at 1:02 PM, Stefan Bodewig <[hidden email]> wrote:

> On 2017-07-18, Amey Jadiye wrote:
>
> > I observed we have lot of keys in https://www.apache.org/dist/
> commons/KEYS,
> > even keys of developers who might have resigned from commons, can we just
> > review and  remove keys of developers who resigned or no more active ?
>
> We shouldn't remove any key that has been used to sign a release in the
> past. No matter how long in the past :-)
>

+1

Gary


>
> Stefan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Amey Jadiye
In reply to this post by Stefan Bodewig
fair enough not to remove keys ;) , Thanks.

Regards,
Amey

On Wed, Jul 19, 2017, 1:32 AM Stefan Bodewig <[hidden email]> wrote:

> On 2017-07-18, Amey Jadiye wrote:
>
> > I observed we have lot of keys in
> https://www.apache.org/dist/commons/KEYS,
> > even keys of developers who might have resigned from commons, can we just
> > review and  remove keys of developers who resigned or no more active ?
>
> We shouldn't remove any key that has been used to sign a release in the
> past. No matter how long in the past :-)
>
> Stefan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Jörg Schaible-5
In reply to this post by Amey Jadiye
Hi Amey

Amey Jadiye wrote:

> I observed we have lot of keys in
> https://www.apache.org/dist/commons/KEYS, even keys of developers who
> might have resigned from commons, can we just
> review and  remove keys of developers who resigned or no more active ?

IMHO it depends on whether a key was used to sign a release.

Cheers,
Jörg


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Matt Sicker
In reply to this post by Stefan Bodewig
On 18 July 2017 at 15:02, Stefan Bodewig <[hidden email]> wrote:
>
> We shouldn't remove any key that has been used to sign a release in the
> past. No matter how long in the past :-)
>

What about expired keys?

--
Matt Sicker <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

garydgregory
On Jul 19, 2017 08:43, "Matt Sicker" <[hidden email]> wrote:

On 18 July 2017 at 15:02, Stefan Bodewig <[hidden email]> wrote:
>
> We shouldn't remove any key that has been used to sign a release in the
> past. No matter how long in the past :-)
>

What about expired keys?


Can't those still be used to validate old releases?

Gary


--
Matt Sicker <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: [all] Removal of old pgp key from https://www.apache.org/dist/commons/KEYS

Matt Sicker
I think so.

On 19 July 2017 at 10:46, Gary Gregory <[hidden email]> wrote:

> On Jul 19, 2017 08:43, "Matt Sicker" <[hidden email]> wrote:
>
> On 18 July 2017 at 15:02, Stefan Bodewig <[hidden email]> wrote:
> >
> > We shouldn't remove any key that has been used to sign a release in the
> > past. No matter how long in the past :-)
> >
>
> What about expired keys?
>
>
> Can't those still be used to validate old releases?
>
> Gary
>
>
> --
> Matt Sicker <[hidden email]>
>



--
Matt Sicker <[hidden email]>