Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarifications #334

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Clarifications #334

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a16c0fc
Clarifications
sebbASF Dec 28, 2023
19e1165
Grammar
sebbASF Dec 28, 2023
6c65ce5
Tweak wording
sebbASF Dec 28, 2023
c404bdc
Update release-policy.md
sebbASF Sep 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions content/legal/release-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,19 +71,19 @@ contain compiled code.

#### Release signing {#release-signing}

All supplied packages MUST be cryptographically signed with a detached signature.
It MUST be signed by either the Release Manager or the automated release
All supplied packages MUST be cryptographically signed with an ASCII-armored detached signature.
They MUST be signed by either the Release Manager or the automated release
Copy link
Member

@tisonkun tisonkun Jan 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we mention that a RM signature should use <username>@apache.org as its mail address?

Also, how do we view/recomment a multiple addresses signature, like:

apache-pekko-grpc-1.0.2-incubating-src-20231229.tgz
gpg: Signature made 六 12/30 00:39:42 2023 CST
gpg:                using RSA key 6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13
gpg: Good signature from "PJ Fanning (GitHub noreply address) <[email protected]>" [unknown]
gpg:                 aka "PJ Fanning <[email protected]>" [unknown]
gpg:                 aka "PJ Fanning (http://www.apache.org/) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BA4 DA8B 1C88 A494 28A2  9C3D 0C69 C1EF 4118 1E13

@wu-sheng once found that such a signature may not display fully on some signature viewers (that display only the first mail address).

infrastructure, where the underlying implementation MUST follow the principles
[outlined](/dev/release-signing.html#automated-release-signing) by the Apache
Security Team. All supplied packages MUST use a detached signature. Those who
Security Team. Those who
vote +1 for release MAY offer their own cryptographic signature to be concatenated
with the detached signature file (at the Release Manager's discretion)
prior to release.

#### Compiled packages {#compiled-packages}

The Apache Software Foundation produces open source software. All releases
are in the form of the source materials needed to make changes to the
are in the form of the source materials needed to modify and build the
software being released.

As a convenience to users that might not have the appropriate tools to build a
Expand All @@ -105,7 +105,7 @@ Policy](/legal/resolved).

Each package MUST provide a `LICENSE` file and a `NOTICE` file which account
for the package's exact content. `LICENSE` and `NOTICE` MUST NOT provide
unnecessary information about materials which are not bundled in the package,
information about materials which are not bundled in the package,
such as separately downloaded dependencies.

For source packages, `LICENSE` and `NOTICE` MUST be located at the root of the
Expand Down