commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rahul Akolkar" <>
Subject Re: [all] releases
Date Tue, 22 Apr 2008 18:07:26 GMT
On 4/21/08, Torsten Curdt <> wrote:
> On Apr 21, 2008, at 19:29, Rahul Akolkar wrote:
> > On 4/21/08, Matt Benson <> wrote:
> >
> > > Remind me... where do we stand on having released
> > > signed by a key without a web of trust?--I've never
> > > made it to any key-signing events.  :(
> > >
> > >
> > <snip/>
> >
> > It isn't a problem.
> >
>  It isn't?

Risks are mitigated to an arguably acceptable level by wrappering the
entire release process at Apache around the point to point secure
transport guarantee that signing is meant to provide.

I am generally hesitant to introduce any more overhead for folks to
step up to RM'ing releases than is strictly necessary, given that this
community needs a lot more of 'em.

>  Happy to do just the signing of the release.

The amount of security rigor applied that would cause an unsigned key
to be a blocking factor for signing releases would probably also
discount the above from being acceptable.

As one data point of the operational reality, there were several
artifacts released using my key which was unsigned for years until a
little over a week ago.

Finally, from reading Matt's email at the top of the thread I did get
the sense that he was keen on getting his key signed, so I didn't
stress that any further.


>  ...if I can get my gpg to work properly again (...currently struggling with
> gpg1 -> gpg2 migration *sigh*)
>  cheers
>  --
>  Torsten

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message