Closed: toddfarmer closed 7 years ago
Note: Comment by Uwe Korn (uwe): PR: https://github.com/apache/arrow/pull/341
Note: Comment by Wes McKinney (wesm): Issue resolved by pull request 341 https://github.com/apache/arrow/pull/341
Note: Comment by Julian Hyde (julianhyde): I don't think it's a good idea to put KEYS in git. If an attacker were to compromise it, they compromise the integrity of all releases. And it's pointless including it in the release tarball.
It has to be in svn, because it has to be on the site, but there should be no other copies.
Note: Comment by Uwe Korn (uwe): I just followed the example of parquet-mr / aurora about this. Sadly, https://www.apache.org/dev/release-signing.html#keys-policy doesn't provide a statement about whether to put it in git or not, so the only source for it was "how do others do it?".
Note: Comment by Julian Hyde (julianhyde): I recall some older & wiser folks suggesting to remove KEYS from the git repo, but I can't find the email thread now I look for it. If you look at some of the more security-oriented projects (knox, hadoop, ranger, sentry, httpd) none of them have a KEYS file checked in. (Calcite does, and yes, we should fix it.)
Note: This issue was originally created as ARROW-558. Please see the migration documentation for further details.
Original Issue Description:
Yet the KEYS file is only on SVN but not in git. Also, I need a PMC to update it on the SVN; it seems like I cannot do this as a committer.
Related issues:
307 (blocks)
Migrated issue participants:
Reporter: Uwe Korn (uwe) Assignee: Uwe Korn (uwe)