forrest-dev mailing list archives

From David Crossley <cross...@apache.org>
Subject Re: PGP keys
Date Thu, 07 Oct 2004 01:07:52 GMT
David Crossley wrote:
> Dave Brondsema wrote:
> > 
> > All we really need is the ASCII-armored public key block.  The owner 
> > email address and signer's email addresses are just for convenience. 
> > I'd be fine with removing the list of signers since that is a lot to 
> > scroll past.  We should keep the owner's email address though.
> 
> Okay, we should do that.
> 
> > Strictly speaking, we don't need the KEYS file at all.  If we create a 
> > signature file with appended signatures from each of us, then running 
> > verify will tell the user which keys were used.  If they don't have 
> > those keys in their keyring they can download them from the keyserver.
> 
> That sounds a lot smoother. We just need to document that
> process on our download page and in docs. I suggest that
> we retain the KEYS file for this release because we are too
> close to our release date. For the next release we could do
> as you suggest and follow up on Dirk's suggestion.

However, I wonder how the web of trust pages are generated.
Do they rely on the presence of the KEYS file?

http://www.apache.org/~henkp/trust/apache.html
http://www.apache.org/~erikabele/tools/wot/wot.html

-- 
David Crossley
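
Added example, not part of the original message: a sketch of the check a downloader could script around the multi-signature verification discussed above, reading the machine-readable status lines that `gpg --status-fd 1 --verify` prints. A key fetched from a keyserver only shows which key signed, so the result is compared against fingerprints obtained separately (for instance from a KEYS file). The function names, key IDs, fingerprints and sample status text are assumptions constructed for illustration.

```python
# Added example. Key IDs, fingerprints and names below are constructed.
FPR_ALICE = "A1" * 20  # 40 hex digits, stand-in for a v4 key fingerprint

# Constructed status output for a signature file holding two appended
# signatures: one verifies, the other was made by a key not in the keyring.
SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A1A1A1A1A1A1A1A1 Alice Example <alice@example.org>
[GNUPG:] VALIDSIG {FPR_ALICE} 2004-10-07 1097110000 0 3 0 17 2 00 {FPR_ALICE}
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG B2B2B2B2B2B2B2B2 17 2 00 1097110100 9
[GNUPG:] NO_PUBKEY B2B2B2B2B2B2B2B2
"""


def summarize(status_text):
    """Sort status lines into verified fingerprints, missing and bad key IDs."""
    result = {"valid": [], "missing": [], "bad": []}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue  # human-readable output, or a keyword without arguments
        keyword, first_arg = fields[1], fields[2].upper()
        if keyword == "VALIDSIG":      # signature checked out; arg is fingerprint
            result["valid"].append(first_arg)
        elif keyword == "NO_PUBKEY":   # signer's key must be fetched first
            result["missing"].append(first_arg)
        elif keyword == "BADSIG":      # data or signature was altered
            result["bad"].append(first_arg)
    return result


def release_ok(summary, pinned_fingerprints):
    """Accept only if nothing failed and a pinned key made a valid signature."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fingerprints}
    if summary["bad"]:
        return False
    return any(fpr in pinned for fpr in summary["valid"])


if __name__ == "__main__":
    report = summarize(SAMPLE_STATUS)
    print("verified by:", report["valid"])
    print("keys to fetch:", report["missing"])
    print("accept release:", release_ok(report, [FPR_ALICE]))
```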

