Bug 65570 - Shared KEYS files must contain keys for all relevant release
Summary: Shared KEYS files must contain keys for all relevant release
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Documentation
Version: unspecified
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-09-14 10:55 UTC by Sebb
Modified: 2021-09-16 09:11 UTC
Description Sebb 2021-09-14 10:55:36 UTC
The Wiki Release process page [1] says:

"svn checkout --depth immediates https://dist.apache.org/repos/dist/release/tomcat/tomcat-9/ 
and update the KEYS file there to be the same as the one used for release"

The KEYS file at that level is used for all 9.x releases, and must therefore contain the keys used for all the releases.

Once a key used for a release has been added to a KEYS file, it should never be removed. The process described above does not make that clear.

The process seems needlessly complicated.

Most other projects use a single KEYS file maintained at the project level:
https://dist.apache.org/repos/dist/release/tomcat/KEYS

When a new signing key is used for a release, add it to the file.
Job done.

N.B. this bug report also probably applies to the other Tomcat releases.

[1] https://cwiki.apache.org/confluence/display/TOMCAT/ReleaseProcess
Comment 1 Remy Maucherat 2021-09-14 11:41:00 UTC
The two keys that are in the KEYS for Tomcat 9.0 should be enough. Is there a build that was not signed by one of the two keys that are in there?
Comment 2 Christopher Schultz 2021-09-14 15:07:22 UTC
(In reply to Sebb from comment #0)
> The KEYS file at that level is used for all 9.x releases, and must therefore
> contain the keys used for all the releases.
> 
> Once a key used for a release has been added to a KEYS file, it should never
> be removed. The process described above does not make that clear.

+1

> The process seems needlessly complicated.
> 
> Most other projects use a single KEYS file maintained at the project level:
> https://dist.apache.org/repos/dist/release/tomcat/KEYS

Take a look at the release history for Tomcat. There have been many release managers. We have decided to use separate release-based KEYS files to keep the files more manageable. For example, it's easier to see if a key is in the file when there aren't dozens of keys in it, especially if the same RM has used more than one key through the years.
Comment 3 Sebb 2021-09-14 16:59:12 UTC
In which case, why do the per-release KEYS files contain more entries than the per version KEYS files?

For example:

https://archive.apache.org/dist/tomcat/tomcat-9/KEYS is about 14K
whereas
https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.53/KEYS is 41K

It seems like the process is not being followed.

I have checked quite a few .asc files for the Tomcat 9 series, and it does look like all the keys used for signing are in the parent KEYS file.

However, that is not the case for Tomcat-8.
I found issues with versions 8.0.39 onwards.

I've not checked any other Tomcat major versions.
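The check described in comment 3 (does the key that produced each release .asc appear in the KEYS file?) is the kind of bookkeeping that is easy to script. The following is an added example, not Tomcat's own release tooling: a minimal OpenPGP packet reader in the Python standard library that extracts the issuer key ID from each detached signature and looks it up among the key IDs (primary keys and subkeys) in a KEYS file. It does not verify the signatures themselves, which is still `gpg --verify`'s job; it only answers the "is the signing key published in KEYS" question this bug is about. The KEYS text and the two .asc inputs are constructed in-script around a toy RSA key, and the script assumes v4 keys and v4 signatures; in practice you would read the real KEYS file and the .asc files from the archive and pass them to `check_signatures`.

```python
"""Check that the key behind every release .asc signature is present in a KEYS file.
Added example, not Tomcat's own tooling: a minimal OpenPGP (RFC 4880) packet reader using
only the standard library, so it runs offline without gpg. The KEYS and .asc inputs are
constructed in-script around a toy RSA key; handles v4 keys and v4 signatures only."""
import base64, hashlib, struct

def dearmor(text):
    """Return the binary payload of every ASCII-armored block in text."""
    blobs, body = [], None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            body, in_headers = [], True
        elif line.startswith("-----END PGP"):
            blobs.append(base64.b64decode("".join(body)))
            body = None
        elif body is not None and in_headers:
            in_headers = line.strip() != ""          # a blank line ends the armor headers
        elif body is not None and not line.startswith("="):   # "=XXXX" is the CRC24 footer
            body.append(line.strip())
    return blobs

def _newlen(data, i, two_octet_limit):
    """Decode a new-format length field at data[i]; returns (length, index after it)."""
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < two_octet_limit:                      # 224 for packets, 255 for subpackets
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not handled in this example")

def packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                               # new-format header
            tag = ctb & 0x3F
            length, i = _newlen(data, i + 1, 224)
        else:                                        # old-format header (gpg uses it for keys and sigs)
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            length = int.from_bytes(data[i + 1:i + 1 + n], "big") if n else len(data) - i - 1
            i += 1 + n
        yield tag, data[i:i + length]
        i += length

def key_id_of(key_body):
    """Key ID = low 64 bits of the v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    assert key_body[0] == 4, "only v4 keys are handled in this example"
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()
    return fpr[-8:].hex().upper()

def key_ids_in_keys_file(keys_text):
    """Every primary-key (tag 6) and subkey (tag 14) ID offered by a KEYS file."""
    return {key_id_of(body) for blob in dearmor(keys_text)
            for tag, body in packets(blob) if tag in (6, 14)}

def issuer_of(sig_body):
    """Issuer key ID of a v4 signature, read from its Issuer (type 16) subpacket."""
    assert sig_body[0] == 4, "only v4 signatures are handled in this example"
    i, issuer = 4, None
    for _ in range(2):                               # hashed area, then unhashed area
        end = i + 2 + struct.unpack(">H", sig_body[i:i + 2])[0]
        i += 2
        while i < end:
            length, i = _newlen(sig_body, i, 255)
            if sig_body[i] & 0x7F == 16:             # type octet (critical bit masked), then 8-byte ID
                issuer = sig_body[i + 1:i + length].hex().upper()
            i += length
    return issuer

def check_signatures(keys_text, asc_files):
    """Map each .asc name to (issuer key ID, True if that ID is in KEYS)."""
    known = key_ids_in_keys_file(keys_text)
    report = {}
    for name, asc_text in asc_files.items():
        sig = next(body for tag, body in packets(dearmor(asc_text)[0]) if tag == 2)
        issuer = issuer_of(sig)
        report[name] = (issuer, issuer in known)
    return report

def _armor(label, payload):
    """Minimal armor for the constructed samples (CRC24 footer omitted; dearmor tolerates both)."""
    return f"-----BEGIN PGP {label}-----\n\n{base64.b64encode(payload).decode()}\n-----END PGP {label}-----\n"

def build_samples():
    """Constructed data: a toy v4 RSA key, one .asc signed by it, one by an unknown key ID."""
    def mpi(v):                                      # OpenPGP MPI: 2-byte bit count, then big-endian value
        return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    key_body = b"\x04" + struct.pack(">I", 1631616000) + b"\x01" + mpi(0xC5) + mpi(0x11)
    keys_text = _armor("PUBLIC KEY BLOCK", bytes([0x99]) + struct.pack(">H", len(key_body)) + key_body)
    def sig(issuer_hex):                             # v4 sig: empty hashed area, Issuer subpacket unhashed
        sub = bytes([9, 16]) + bytes.fromhex(issuer_hex)
        body = b"\x04\x00\x01\x08\x00\x00" + struct.pack(">H", len(sub)) + sub + b"\x12\x34" + mpi(0x7F)
        return _armor("SIGNATURE", bytes([0x89]) + struct.pack(">H", len(body)) + body)
    return keys_text, {"good.asc": sig(key_id_of(key_body)), "bad.asc": sig("0123456789ABCDEF")}

if __name__ == "__main__":
    for name, (issuer, ok) in check_signatures(*build_samples()).items():
        print(f"{name}: signed by {issuer} -> {'in KEYS' if ok else 'MISSING from KEYS'}")
```

Run against real data, a `MISSING from KEYS` line is exactly the situation the bug describes: a release whose signature can never validate from the published KEYS file. Matching on the 64-bit key ID rather than the full fingerprint is what the Issuer subpacket gives you; a collision is not a practical concern for this bookkeeping check, but the final trust decision should still come from `gpg --verify` after importing KEYS.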
Comment 4 Sebb 2021-09-14 20:33:23 UTC
There are also issues with:

v5.5.36
v6.0.0-alpha
v6.0.0
Comment 5 Sebb 2021-09-14 20:42:49 UTC
AFAICT there are only about 15 keys that have been used to sign releases since version 5, so I don't understand the reluctance to use a single shared file.

I don't think it is safe to delete the existing files as they may be referenced in links, but it would be possible to use a single canonical file going forward.
Comment 6 Mark Thomas 2021-09-16 09:11:37 UTC
You don't have to understand the project's decision to use per release branch KEYS files. The project has made the decision and it is clear from the comments on this issue and the archives that that is a decision that the Tomcat project community is happy with.

KEYS files in current branches have been aligned with the per version KEYS files.

violetagg's key has been added to the per version keys for 8.x

remm's old DSA key has been added to the per version keys for 6.x

markt's key has been added to the per version keys for 5.x