couchdb-dev mailing list archives

From Randall Leeds <>
Subject Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)
Date Fri, 30 Mar 2012 22:56:29 GMT
On Fri, Mar 30, 2012 at 15:41, Randall Leeds <> wrote:
> On Fri, Mar 30, 2012 at 15:15, Randall Leeds <> wrote:
>> On Fri, Mar 30, 2012 at 06:30, Noah Slater <> wrote:
>>> My key is signed by:
>>> 85E0E79A 2011-10-19  Randall Leeds <>
>> not dangerously or recklessly so. You are most likely correct that I
>> should not have signed your key, but I hope you agree with my
>> assessment of the situation and can offer some insight as to what,
>> exactly, I gain by meeting you in person.
> I'm wondering if I can answer my own question here. I have a feeling
> it has to do with legal liability for releasing software on behalf of
> the ASF. In that case, having some confidence that you not only own
> your email addresses but also your face and person who is also a legal
> citizen that can be held accountable for misbehaving seems prudent.
> Basically, I'm rejecting the notion that PGP demands we meet in person
> in order to trust each other's identities, but admitting that perhaps
> the needs of the ASF demand that I not trust you to sign code unless I
> verify that you are a legal person that can be held accountable for
> misdeeds.
> My crime, then, was against the ASF, not the web of trust at large. Perhaps?
> I'll see about revoking just that signature, if it's possible.

I've published a revocation. I'll note that I noticed I had signed it
with trust level 'unknown'. If my understanding is correct, that means
I asserted only the validity but said nothing of the trustworthiness.
If that's the case, I think I may not have done anything wrong at all!
Strange that no one pointed out this distinction to me in the past.
All of the keys I've signed are signed this way.
