Yeah, I had meant to ask about that in the past. While I presume Patrick
consents to this and all that, it does mean that anyone with access to said
Jenkins scripts can create a signed Spark release, regardless of who they
are.

I haven't thought through whether that's a theoretical issue we can ignore
or something we need to fix up. For example, you can't get a release on the
ASF mirrors without more authentication.

How hard would it be to make the script take in a key? It sort of looks
like the script already takes GPG_KEY, but don't know how to modify the
jobs. I suppose it would be ideal, in any event, for the actual release
manager to sign.

On Fri, Sep 15, 2017 at 8:28 PM Holden Karau <[EMAIL PROTECTED]> wrote: