From: Javen O'Neal <onealj@apache.org>
Date: Wed, 9 Nov 2016 08:57:26 +0000 (+0000)
Subject: KEYS file should only have public keys used to sign previous releases
X-Git-Tag: REL_3_16_BETA1~10
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=d8e2b007e3a66363e9f67ab576bd37845a52c815;p=poi.git

KEYS file should only have public keys used to sign previous releases

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1768877 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/KEYS b/KEYS
index adc245d131..5926e7c288 100644
--- a/KEYS
+++ b/KEYS
@@ -9,6 +9,14 @@ Developers:
         (gpg --list-key <your email>
              && gpg --armor --export <your email>) >> this file.
 
+Since the KEYS may be needed to check signatures for archived
+releases, it is important that all keys that have ever been used
+to sign releases are retained in the file. Entries should only
+be added, not removed.
+To keep the KEYS file manageable, it's recommended to only add
+the keys of committers who have signed releases.
+https://www.apache.org/dev/release-signing#keys-policy
+https://people.apache.org/keys/
 
 
 pub  1024D/12DAE9BE 2004-01-25 Glen Stampoultzis <glens@apache.org>