source.dussan.org Git - poi.git/commitdiff
KEYS file should only have public keys used to sign previous releases
author Javen O'Neal <onealj@apache.org>
Wed, 9 Nov 2016 08:57:26 +0000 (08:57 +0000)
committer Javen O'Neal <onealj@apache.org>
Wed, 9 Nov 2016 08:57:26 +0000 (08:57 +0000)
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1768877 13f79535-47bb-0310-9956-ffa450edef68

KEYS

diff --git a/KEYS b/KEYS
index adc245d13118a21c759c89a2c4fa45f63427cb16..5926e7c288f34d8a1e5ad197f551606c31a1be06 100644 (file)
--- a/KEYS
+++ b/KEYS
@@ -9,6 +9,14 @@ Developers:
         (gpg --list-key <your email>
              && gpg --armor --export <your email>) >> this file.
 
+Since the KEYS may be needed to check signatures for archived
+releases, it is important that all keys that have ever been used
+to sign releases are retained in the file. Entries should only
+be added, not removed.
+To keep the KEYS file manageable, it's recommended to only add
+the keys of committers who have signed releases.
+https://www.apache.org/dev/release-signing#keys-policy
+https://people.apache.org/keys/
 
 
 pub  1024D/12DAE9BE 2004-01-25 Glen Stampoultzis <glens@apache.org>
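
Review bot: The added sentence "it's recommended to only add the keys of committers who have signed releases" is in the past tense, which leaves out a committer about to sign a first release; that key has to be in KEYS by the time the release is published, or its signature cannot be checked against this file. Wording such as "committers who sign releases" avoids the gap. "Entries should only be added, not removed" also does not say what happens to a key that is later revoked; if the intent is that it stays in the file so archived releases remain verifiable, the text should say so explicitly. The two URLs at the end of the added block are bare, so a short label on each would tell a reader what each link is for, and the new paragraph is flush left directly under the indented gpg instructions, so matching the file's indentation or adding a separating blank line between the two added paragraphs would keep policy and how-to visually distinct.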