forrest-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Brondsema <d...@brondsema.net>
Subject Re: PGP keys
Date Thu, 07 Oct 2004 02:26:58 GMT
David Crossley wrote:
> David Crossley wrote:
> 
>>Dave Brondsema wrote:
>>
>>>All we really need is the ascii-armored public key block.  The owner 
>>>email address and signer's email addresses are just for convenience. 
>>>I'd be fine with removing the list of signers since that is a lot to 
>>>scroll past.  We should keep the owners email address though.
>>
>>Okay, we should do that.
>>
>>
>>>Strictly speaking, we don't need the KEYS file at all.  If we create a 
>>>signature file with appended signatures from each of us, then running 
>>>verify will tell the user which keys were used.  If they don't have 
>>>those keys in their keyring they can download them from the keyserver.
>>
>>That sounds a lot smoother. We just need to document that
>>process on our download page and in docs. I suggest that
>>we retain the KEYS file for this release because we are too
>>close to our release date. For the next release we could do
>>as you suggest and follow up on Dirk's suggestion.
> 
> 
> However, i wonder how the web of trust pages are generated.
> Do they rely on the presence of the KEYS file?
> 
> http://www.apache.org/~henkp/trust/apache.html
> http://www.apache.org/~erikabele/tools/wot/wot.html
> 

Those could be modified to also look for the .asc signatures, I expect. 
  I never knew those existed, thanks for mentioning it.

-- 
Dave Brondsema : dave@brondsema.net
http://www.splike.com : programming
http://csx.calvin.edu : student org
http://www.brondsema.net : personal

Mime
View raw message