...

The committers for the project need to provide public keys for the release; each person who submits a key must keep the corresponding private key safe. These public keys are included with the release in a KEYS file. The process of creating a key pair should be consistent across committers. Apache recommends using GNU Privacy Guard (GnuPG) to generate keys and sign the artifacts.

Committers without a code signing key should generate one: RSA, 4096 bits.

Committers who have a DSA key, or an RSA key of fewer than 2048 bits, should generate a new key for signing releases, again RSA 4096 bits.

Committers who already have an RSA key of 2048 bits or more need some configuration of their client to avoid known weaknesses. Instructions on how to do this can be found here.
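The steps above as one runnable walk-through with GnuPG. This is an added example, not text or tooling from the original page or from the Apache project: it generates an RSA 4096-bit key in a throwaway keyring, applies a small gpg.conf of the digest-hardening kind the page refers to, checks the key against the 2048-bit floor, signs a constructed artifact with a detached ASCII-armoured signature, verifies it, and writes a KEYS file in the usual Apache layout. The identity (Example Committer, committer@example.invalid), the artifact contents and the scratch directory are all constructed for the demo, and it assumes gpg 2.1 or newer is on PATH.

```sh
#!/bin/sh
# Added example, not from the original page: a minimal release-signing
# walk-through with GnuPG. Everything here is constructed for the demo:
# the name/e-mail, the artifact contents and the throwaway keyring.
# Assumes a working gpg (2.1 or newer) on PATH.
set -eu

KEY_UID="committer@example.invalid"          # constructed identity
WORK="${WORK:-$(mktemp -d)}"                 # scratch directory
export GNUPGHOME="$WORK/gnupg"               # isolated keyring: never touches ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Client hardening of the kind the page refers to: prefer SHA-2 digests for
# signatures and certifications instead of older defaults.
cat > "$GNUPGHOME/gpg.conf" <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512
EOF

# 1. Generate the RSA 4096-bit key pair the page recommends.
#    %no-protection is for the non-interactive demo only; a real signing
#    key must carry a strong passphrase and its private half stays offline.
gen_key() {
  gpg --batch --quiet --generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Example Committer
Name-Email: $KEY_UID
Expire-Date: 2y
%no-protection
%commit
EOF
}

# 2. Check that the primary key meets the page's floor: RSA (algorithm id 1)
#    and at least 2048 bits. In --with-colons output field 3 is the key
#    length and field 4 the algorithm. Returns 0 when it does, 1 otherwise.
key_meets_policy() {
  gpg --batch --with-colons --list-keys "$KEY_UID" |
    awk -F: '$1 == "pub" && $4 == 1 && $3 + 0 >= 2048 { ok = 1 } END { exit !ok }'
}

# 3. Produce a detached, ASCII-armoured signature (artifact.asc) next to the artifact.
sign_artifact() {
  gpg --batch --yes --armor --local-user "$KEY_UID" --detach-sign "$1"
}

# 4. Verify the artifact against its .asc; non-zero exit on any mismatch.
verify_artifact() {
  gpg --batch --verify "$1.asc" "$1"
}

# 5. Export the public key in the layout Apache KEYS files use:
#    the key listing followed by the armoured public key block.
export_keys() {
  { gpg --batch --list-sigs "$KEY_UID"; gpg --batch --armor --export "$KEY_UID"; } > "$1"
}

main() {
  gen_key
  key_meets_policy
  printf 'constructed release bytes\n' > "$WORK/project-1.0.tar.gz"
  sign_artifact "$WORK/project-1.0.tar.gz"
  verify_artifact "$WORK/project-1.0.tar.gz"
  export_keys "$WORK/KEYS"
  echo "signed and verified; KEYS written to $WORK/KEYS"
}
main
```

The keyring lives under a temporary GNUPGHOME so the demo cannot disturb a committer's real keys; for an actual release the same sign, verify and export steps run against the real key, with `%no-protection` dropped and the resulting .asc and KEYS shipped alongside the artifacts so downstream users can run the same `gpg --verify`.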

Web of Trust (Post Release and ongoing)

Once individuals have generated keys, opportunities should be taken (where possible) to join the Apache Web of Trust. First, the public keys should be uploaded to a public key server (is there a recommended one we should use?). Next, key signing: when conferences or other events attended by other Apache developers take place, there are key signing parties.

License Audit and Legal Audit

...