Title: Release PGP key strategy and policy · Issue #709 · nodejs/node · GitHub
Open Graph Title: Release PGP key strategy and policy · Issue #709 · nodejs/node
X Title: Release PGP key strategy and policy · Issue #709 · nodejs/node
Description: Continuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see git tag -v v1.0.4 or any other release tag...
Open Graph Description: Continuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see gi...
X Description: Continuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see gi...
Mail addresses
releng@iojs.org
Opengraph URL: https://github.com/nodejs/node/issues/709
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Release PGP key strategy and policy","articleBody":"Continuation of #681 but specifically on the topic of PGP keys for signing releases.\n\nContext: release builds come from a git tag of the form `vx.y.z` which is signed by an authorized releaser (see `git tag -v v1.0.4` or any other release tag) with their personal PGP key. Release builds available on iojs.org have a have a SHASUMS256.txt file generated for all downloadable assets (minus the docs/ directory). This file is also signed with the same key that signed the git tag for that release and the signed file is made available as SHASUMS256.txt.asc. An ASCII armoured version of their public key is also made available as SHASUMS256.txt.gpg for convenience.\n\nThe procedure I put in place in #681 for releases says that:\n- releasers should list their full key fingerprint on the README (mine is there now); and\n- the keys should also be submitted to https://sks-keyservers.net/ - the README also now contains instructions for how you can verify a download which includes this keyserver. See [#verifying-binaries](https://github.com/iojs/io.js#verifying-binaries)\n\nQuestions for discussion:\n\n@bnoordhuis asked if we could \n\n\u003e use a single master key with as many sub-keys as there are release managers? It would make all releases be signed by \"io.js Release Engineering releng@iojs.org\" (or whatever we decide to call ourselves) and it makes revocation a little easier. Master key management is an open issue, though; who gets to own it?\"\n\nMy response is that I don't feel strongly about this but:\n\n\u003e My personal bias is towards decentralising this and making individuals responsible for signing their releases with their own keys, simply because I think decentralisation in most aspects of the project are more healthy for the community focus and ethos that we're trying to foster. It also makes that individual properly responsible for that release rather than it just being a mechanical task.\n\n@chrisdickinson had trouble submitting to sks-keyservers.net and @indutny suggested https://pgp.mit.edu/ might be a better alternative\n\nMy response is:\n\n\u003e The only reason I chose sks-keyservers.net was because the only precedent I'm aware of for checking signed shasums is in the Docker images for both Node (official Docker ones) and io.js and that's what they've chosen to use. I don't know the reasoning behind this but I went with that as an established convention.\n\nBoth of these points need discussion, I'm labelling this as tc-agenda but please don't take that as a sign that this is only for the TC to discuss. Opinions welcome from those with expertise on this matter.\n","author":{"url":"https://github.com/rvagg","@type":"Person","name":"rvagg"},"datePublished":"2015-02-03T22:15:05.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":6},"url":"https://github.com/709/node/issues/709"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:f26dd107-8dcb-7c6b-e93f-2ca8ad554ca1 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | E2AA:1C7367:D5AE78:1381706:6A4E2CD2 |
| html-safe-nonce | af7f57c2e626db92d6b08bdf6a7aa2cc07ff321e9d36e9d2b2bd29340d6c1d7c |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFMkFBOjFDNzM2NzpENUFFNzg6MTM4MTcwNjo2QTRFMkNEMiIsInZpc2l0b3JfaWQiOiI1MDIzMDY1ODE3NTQ3MTU2NjkwIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | b1591f9d43ba68acd8c801b69060156d08f3704a282012e313aae73f07349f66 |
| hovercard-subject-tag | issue:56446218 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/709/issue_layout |
| twitter:image | https://opengraph.githubassets.com/484d2bfc840ab38428e099d4d86338cc8caf1b8aebadf26e376ec4380887f4d9/nodejs/node/issues/709 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/484d2bfc840ab38428e099d4d86338cc8caf1b8aebadf26e376ec4380887f4d9/nodejs/node/issues/709 |
| og:image:alt | Continuation of #681 but specifically on the topic of PGP keys for signing releases. Context: release builds come from a git tag of the form vx.y.z which is signed by an authorized releaser (see gi... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | rvagg |
| hostname | github.com |
| expected-hostname | github.com |
| None | 030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0 |
| turbo-cache-control | no-preview |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | d9dd20d38f8ae3c4cb6b597807431db300d0bd2a |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width