René's URL Explorer Experiment


Title: Release PGP key strategy and policy · Issue #709 · nodejs/node · GitHub

Open Graph Title: Release PGP key strategy and policy · Issue #709 · nodejs/node

X Title: Release PGP key strategy and policy · Issue #709 · nodejs/node

Description: Continuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see git tag -v v1.0.4 or any other release tag...

Open Graph Description: Continuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see gi...

X Description: Continuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see gi...

Mail addresses
releng@iojs.org

Opengraph URL: https://github.com/nodejs/node/issues/709

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Release PGP key strategy and policy","articleBody":"Continuation of #681 but specifically on the topic of PGP keys for signing releases.\n\nContext: release builds come from a git tag of the form `vx.y.z` which is signed by an authorized releaser (see `git tag -v v1.0.4` or any other release tag) with their personal PGP key. Release builds available on iojs.org have a have a SHASUMS256.txt file generated for all downloadable assets (minus the docs/ directory). This file is also signed with the same key that signed the git tag for that release and the signed file is made available as SHASUMS256.txt.asc. An ASCII armoured version of their public key is also made available as SHASUMS256.txt.gpg for convenience.\n\nThe procedure I put in place in #681 for releases says that:\n- releasers should list their full key fingerprint on the README (mine is there now); and\n- the keys should also be submitted to https://sks-keyservers.net/ - the README also now contains instructions for how you can verify a download which includes this keyserver. See [#verifying-binaries](https://github.com/iojs/io.js#verifying-binaries)\n\nQuestions for discussion:\n\n@bnoordhuis asked if we could \n\n\u003e use a single master key with as many sub-keys as there are release managers? It would make all releases be signed by \"io.js Release Engineering releng@iojs.org\" (or whatever we decide to call ourselves) and it makes revocation a little easier. Master key management is an open issue, though; who gets to own it?\"\n\nMy response is that I don't feel strongly about this but:\n\n\u003e My personal bias is towards decentralising this and making individuals responsible for signing their releases with their own keys, simply because I think decentralisation in most aspects of the project are more healthy for the community focus and ethos that we're trying to foster. It also makes that individual properly responsible for that release rather than it just being a mechanical task.\n\n@chrisdickinson had trouble submitting to sks-keyservers.net and @indutny suggested https://pgp.mit.edu/ might be a better alternative\n\nMy response is:\n\n\u003e The only reason I chose sks-keyservers.net was because the only precedent I'm aware of for checking signed shasums is in the Docker images for both Node (official Docker ones) and io.js and that's what they've chosen to use. I don't know the reasoning behind this but I went with that as an established convention.\n\nBoth of these points need discussion, I'm labelling this as tc-agenda but please don't take that as a sign that this is only for the TC to discuss. Opinions welcome from those with expertise on this matter.\n","author":{"url":"https://github.com/rvagg","@type":"Person","name":"rvagg"},"datePublished":"2015-02-03T22:15:05.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":6},"url":"https://github.com/709/node/issues/709"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:f26dd107-8dcb-7c6b-e93f-2ca8ad554ca1
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idE2AA:1C7367:D5AE78:1381706:6A4E2CD2
html-safe-nonceaf7f57c2e626db92d6b08bdf6a7aa2cc07ff321e9d36e9d2b2bd29340d6c1d7c
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFMkFBOjFDNzM2NzpENUFFNzg6MTM4MTcwNjo2QTRFMkNEMiIsInZpc2l0b3JfaWQiOiI1MDIzMDY1ODE3NTQ3MTU2NjkwIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0=
visitor-hmacb1591f9d43ba68acd8c801b69060156d08f3704a282012e313aae73f07349f66
hovercard-subject-tagissue:56446218
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/709/issue_layout
twitter:imagehttps://opengraph.githubassets.com/484d2bfc840ab38428e099d4d86338cc8caf1b8aebadf26e376ec4380887f4d9/nodejs/node/issues/709
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/484d2bfc840ab38428e099d4d86338cc8caf1b8aebadf26e376ec4380887f4d9/nodejs/node/issues/709
og:image:altContinuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see gi...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamervagg
hostnamegithub.com
expected-hostnamegithub.com
None030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0
turbo-cache-controlno-preview
go-importgithub.com/nodejs/node git https://github.com/nodejs/node.git
octolytics-dimension-user_id9950313
octolytics-dimension-user_loginnodejs
octolytics-dimension-repository_id27193779
octolytics-dimension-repository_nwonodejs/node
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id27193779
octolytics-dimension-repository_network_root_nwonodejs/node
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
released9dd20d38f8ae3c4cb6b597807431db300d0bd2a
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/nodejs/node/issues/709#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F709
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F709
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=nodejs%2Fnode
Reloadhttps://github.com/nodejs/node/issues/709
Reloadhttps://github.com/nodejs/node/issues/709
Reloadhttps://github.com/nodejs/node/issues/709
Please reload this pagehttps://github.com/nodejs/node/issues/709
nodejs https://github.com/nodejs
nodehttps://github.com/nodejs/node
Please reload this pagehttps://github.com/nodejs/node/issues/709
Notifications https://github.com/login?return_to=%2Fnodejs%2Fnode
Fork 36k https://github.com/login?return_to=%2Fnodejs%2Fnode
Star 118k https://github.com/login?return_to=%2Fnodejs%2Fnode
Code https://github.com/nodejs/node
Issues 1.3k https://github.com/nodejs/node/issues
Pull requests 964 https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality 0 https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
Code https://github.com/nodejs/node
Issues https://github.com/nodejs/node/issues
Pull requests https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
Release PGP key strategy and policyhttps://github.com/nodejs/node/issues/709#top
metaIssues and PRs related to the general management of the project.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22meta%22
https://github.com/rvagg
rvagghttps://github.com/rvagg
on Feb 3, 2015https://github.com/nodejs/node/issues/709#issue-56446218
#681https://github.com/nodejs/node/pull/681
#681https://github.com/nodejs/node/pull/681
https://sks-keyservers.net/https://sks-keyservers.net/
#verifying-binarieshttps://github.com/iojs/io.js#verifying-binaries
@bnoordhuishttps://github.com/bnoordhuis
@chrisdickinsonhttps://github.com/chrisdickinson
@indutnyhttps://github.com/indutny
https://pgp.mit.edu/https://pgp.mit.edu/
metaIssues and PRs related to the general management of the project.https://github.com/nodejs/node/issues?q=state%3Aopen%20label%3A%22meta%22
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.