commons-dev mailing list archives

From Torsten Curdt <>
Subject Re: [all] releases
Date Wed, 23 Apr 2008 08:20:58 GMT
> Risks are mitigated to an arguably acceptable level by wrappering the
> entire release process at Apache around the point to point secure
> transport guarantee that signing is meant to provide.

That only holds true if you don't use mirrors and people get the
releases directly from us.

> I am generally hesitant to introduce any more overhead for folks to
> step up to RM'ing releases than is strictly necessary, given that this
> community needs a lot more of 'em.

I agree ... but, as said, I am happy to step up and just do the signing
if that really is the bottleneck.

> The amount of security rigor applied that would cause an unsigned key
> to be a blocking factor for signing releases would probably also
> discount the above from being acceptable.

Why is that? I cannot follow that argument.

> As one data point of the operational reality, there were several
> artifacts released using my key which was unsigned for years until a
> little over a week ago.

Not good. But now that your key is signed it retroactively validates
the releases. Actually, with all the release nitpicking we do I am
surprised this hasn't been brought up - or got ignored ;)

Frankly speaking I think the signing is the least blocking part in our
release process. We have enough PMC members that have a cross signed

> Finally, from reading Matt's email at the top of the thread I did get
> the sense that he was keen on getting his key signed, so I didn't
> stress that any further.

Let's get him signed :)
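The mirror point above is the one that matters for consumers: once an artifact is served from a third-party mirror, the only thing tying it back to the project is the detached signature, and the signature only says something if the public key is obtained from the project itself rather than from the same mirror. The script below is an added example, not code from this thread or from the Apache release tooling. It assumes the canonical distribution root is https://www.apache.org/dist (configurable via CANONICAL_BASE), that mirrors reproduce that directory layout, and that each project keeps its KEYS file at the top of its dist directory; `curl` and `gpg` are needed only for the download and verification steps. It verifies in a throw-away keyring so that a signature is checked against the project's published keys only, and then lists the certifications on the signing key, which is where the "cross signed" question from the thread becomes visible.

```shell
#!/bin/sh
# Added example: verify a release fetched from a mirror against a detached
# signature and a KEYS file taken from the canonical host, never from the mirror.
# Assumption: canonical root is www.apache.org/dist unless overridden.
CANONICAL_BASE="${CANONICAL_BASE:-https://www.apache.org/dist}"

# The artifact itself may come from any mirror.
# $1 = mirror base URL, $2 = path relative to the dist root
artifact_url() {
  printf '%s/%s\n' "${1%/}" "$2"
}

# The detached signature always comes from the canonical host.
# $1 = path relative to the dist root
signature_url() {
  printf '%s/%s.asc\n' "$CANONICAL_BASE" "$1"
}

# Assumption: KEYS lives at the top of the project's dist directory
# (e.g. commons/KEYS for commons/foo/foo-1.0.tar.gz).
# $1 = path relative to the dist root
keys_url() {
  printf '%s/%s/KEYS\n' "$CANONICAL_BASE" "${1%%/*}"
}

# Verify $1 (artifact) against $2 (.asc) using only the keys in $3 (KEYS),
# in a temporary keyring so the caller's own trust database is not consulted.
# A good signature from a key nobody has certified still verifies; gpg only
# prints a warning, so the certification listing afterwards is the real check.
verify_release() {
  keyring=$(mktemp -d) || return 1
  gpg --homedir "$keyring" --batch --quiet --import "$3" || { rm -rf "$keyring"; return 1; }
  gpg --homedir "$keyring" --batch --verify "$2" "$1" || { rm -rf "$keyring"; return 1; }
  # Show who has signed the keys in KEYS: a key with no third-party
  # signatures proves only that the signer controls the key listed in KEYS.
  gpg --homedir "$keyring" --batch --list-sigs
  rm -rf "$keyring"
}

# $1 = mirror base URL, $2 = path relative to the dist root
# Sample invocation (constructed, not a real mirror):
#   sh verify-release.sh http://mirror.example/apache commons/foo/foo-1.0.tar.gz
main() {
  tmp=$(mktemp -d) || exit 1
  curl -fsSL -o "$tmp/artifact"     "$(artifact_url "$1" "$2")" || exit 1
  curl -fsSL -o "$tmp/artifact.asc" "$(signature_url "$2")"     || exit 1
  curl -fsSL -o "$tmp/KEYS"         "$(keys_url "$2")"          || exit 1
  verify_release "$tmp/artifact" "$tmp/artifact.asc" "$tmp/KEYS"
  rc=$?
  rm -rf "$tmp"
  exit "$rc"
}

if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

The split between the two hosts is the whole design: even if a mirror is compromised and ships a tampered tarball together with a matching `.asc` and a matching KEYS file, the signature and keys are fetched from the canonical host and the tampered artifact fails verification. What the script cannot decide for you is whether the key in KEYS belongs to the person it claims to; the `--list-sigs` output shows whether other PMC members have certified it, which is what the thread's cross-signing discussion is about.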
