Apache OpenOffice (AOO) Bugzilla – Issue 123134
Missing keys for Linux builds in dist/openoffice/KEYS
Last modified: 2016-04-07 16:03:27 UTC
As reported here http://markmail.org/message/o2ri35uh4g4vbhji the keys file on http://www.apache.org/dist/openoffice/KEYS only has jsc key (win and mac builds). It would be better to follow subversion project, that links to the keys on people.apache.org: http://subversion.apache.org/download/#verifying
I agree and I changed the link to the KEY file and use now the one from the people.apache.org server https://people.apache.org/keys/group/openoffice.asc
"marcus" committed SVN revision 1518809 #123134# Updated link
"marcus" committed SVN revision 1518810 #123134# Updated link
I've changed the link also on the download webpages.
(In reply to Marcus from comment #4) > I've changed the link also on the download webpages. The policy on KEYS files is to *not* use the group keys location. The KEYS file at dist/openoffice/KEYS should have only keys that have ever been used to sign releases and no such key should be removed. That is, the KEYS file at dist/openoffice/KEYS is cumulative. That is so an old release can still be checked. (To detect a revocation, the latest version is needed from a key server though.) The KEYS file at group/openoffice.asc will have keys removed when a committer removes that key from their profile or when the committer retires from Apache OpenOffice. See <https://people.apache.org/keys/> for details. It might not be necessary to do anything about the current dist/openoffice/KEYS, even if it now has more KEYS than have been used on releases made at Apache OpenOffice since incubation started.