ant-dev mailing list archives

From Steve Loughran <ste...@apache.org>
Subject Re: pgp key for signing files
Date Tue, 06 Jun 2006 09:51:44 GMT
Kev Jackson wrote:
> 
> On 6 Jun 2006, at 01:50, Stefan Bodewig wrote:
> 
>> On Mon, 05 Jun 2006, Antoine Levy-Lambert <antoine@gmx.de> wrote:
>>
>>> How to publish your key to a key server I do not remember. I think I
>>> uploaded my public key to a key server, but do not remember off hand
>>> how it is called.
>>
>> I prefer http://pgpkeys.mit.edu/ but there are tons of alternatives.
>>
> 
> I was going to use this option as it was mentioned on the Apache FAQ re 
> signing, and I read elsewhere (perhaps GPG home page?) about it too - it 
> seems to be a well established key server.
> 
>> Another thing is that it would be good to have signatures on your
>> key.  Kev, do you live close enough to anybody of the Ant or any other
>> Apache community to get your key properly signed (most people will
>> require some sort of photo-id in a face-to-face meeting in order to
>> sign your key - though there may be alternatives).
>>
> 
> Well I'm currently in Vietnam, so I guess that no I'm not near enough to 
> anyone (most here seem to be European folks, with 1 or 2 USians) 

Makes for round the clock support. We've had a good Australian 
participation in the past, although Conor is the only person from there 
currently active, I believe.

> to have 
> a face-to-face to prove my id!  I may have a business trip to Taiwan at 
> some point in the next few weeks - but not before the end of the world cup.
> 
> I've never done this whole pgp thing before, and reading the gpg home 
> page makes it seem partly simple (gen keys) and partly extremely 
> complicated (signing).  Fortunately OSX seems to come with gpg 
> installed, unfortunately it's the complicated signing part that I've 
> still not fully understood (I get it conceptually, but I think the 
> explanation ont'web is confusing me more than anything).
> 
> Thanks
> Kev

It's an interesting trust problem. You effectively already have some 
credentials we implicitly trust (login rights to the cvs server & 
minotaur, presumably including SSH private keys). Perhaps we can 
bootstrap off that. It doesn't matter that you are who you say you are, 
only that the entity who is committing stuff to the repository is the 
same person who has the PGP key.

I also have an employer issued x500 key, so I can demonstrate that I am 
the person that HP thinks I am, or at least I have their smartcard. We 
can use those to bootstrap trust too. After all, who trusts a paper 
driving license without a photo on it (like my UK one)?

-steve
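The steps the thread walks through (exporting a key for a key server, signing a release file, and having another person certify the key) as an added shell example that is not part of the original message; it assumes GnuPG 2.1+ (`gpg`, `gpgconf`) is on PATH, uses a throwaway keyring, constructed identities and an empty passphrase, and never contacts a key server.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GnuPG 2.1+ ("gpg", "gpgconf") on PATH;
# works in a throwaway GNUPGHOME and never contacts a key server.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"

# gpg without any interactive prompt; the empty passphrase is for the demo only.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Create a signing key and print its 40-hex-digit fingerprint (the value you
# read out to the person who is about to sign your key).
make_key() {
  g --quick-gen-key "$1" default default never 2>/dev/null
  gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# ASCII-armoured public key: the exact text a key server would receive.
export_pub() { gpg --batch --armor --export "$1" > "$2"; }

# Detached signature beside a release file, and the check a downloader runs.
sign_file()   { g --detach-sign --armor --local-user "$1" --output "$2.asc" "$2"; }
verify_file() { gpg --batch --verify "$1.asc" "$1" 2>/dev/null; }

# Signer $1 certifies key $2 after comparing its fingerprint out of band.
sign_key() { g --local-user "$1" --quick-sign-key "$2" 2>/dev/null; }

# True if key $1 carries a certification by key $2 (long key id = last 16 hex of fpr).
key_signed_by() {
  kid=$(printf '%s' "$2" | tail -c 16)
  gpg --batch --with-colons --list-sigs "$1" | grep -q "^sig:[^:]*:[^:]*:[^:]*:$kid:"
}

demo() {
  kev=$(make_key "Kev Demo <kev@example.invalid>")
  steve=$(make_key "Steve Demo <steve@example.invalid>")
  export_pub "$kev" "$GNUPGHOME/kev.asc"
  printf 'constructed stand-in for a release tarball\n' > "$GNUPGHOME/release.tar.gz"
  sign_file "$kev" "$GNUPGHOME/release.tar.gz"
  verify_file "$GNUPGHOME/release.tar.gz" && echo "release signature by $kev verifies"
  sign_key "$steve" "$kev"
  key_signed_by "$kev" "$steve" && echo "Kev's key now carries Steve's certification"
  gpgconf --kill gpg-agent
}

demo
```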


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org

