hadoop-general mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject Re: Please get your gpg keys signed!
Date Fri, 25 Jun 2010 16:36:38 GMT
Thomas, are you attending the summit? There are a number of contributor 
workshops the day after, all at (or around) the same location. If you 
feel strongly about this, consider attending them; seems like a great 
opportunity for a "key signing party".

Here's some detail on WOT at apache:


On 06/25/2010 02:29 AM, Thomas Koch wrote:
> Hi,
> I just wanted to package the new HBase version and since I've just recently
> read about a malicious software tarball for some Linux IRC server[1], I got
> back to the habit of checking signatures. (Yes, I was lazy recently. I'm
> ashamed.)
> But checking the signatures of apache software obviously is meaningless, since
> apache developers appear to not have their keys in the web-of-trust. From
> three signature files I had lying around on my hard disc, all three keys had
> zero signatures on the MIT keyserver:
> 30CD0996 2010-05-03 Michael Stack<stack@duboce.net>
> 68E327C1 2008-10-22 Patrick Hunt<phunt@apache.org>
> FE045966 2009-10-13 Grant Ingersoll<gsingers@apache.org>
> So please, when you've your next Hadoop / HBase / Lucene / Apache meetings,
> take your time for a keysigning party[2]. Or just have some snippet with your
> key's fingerprint in your wallet and hand it to every other geek you meet. (And
> make sure he asks you for your ID card to check your identity!) It's also nice
> to have your gpg fingerprint on your business cards!
> [1] http://www.sophos.com/blogs/chetw/g/2010/06/12/linux-malware-rears-ugly-head/
> [2] http://en.wikipedia.org/wiki/Key_signing_party
> Thank you!
> Thomas Koch, http://www.koch.ro

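The check described in the quoted message (how many signatures a release key carries), as an added example that is not part of the original thread: it parses a listing in the format printed by `gpg --with-colons --list-sigs` and reports keys that no other key has certified. The sample listing, key IDs and names are constructed, and the function names are hypothetical.

```python
# Constructed sample in GnuPG's colon-delimited listing format.
# Key IDs, dates and names are made up; they are not from any real keyring.
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAA0001:1224633600:::-:::scESC:
uid:-::::1224633600::0000000000000000000000000000000000000001::Release Manager A <a@example.org>:
sig:::17:AAAAAAAAAAAA0001:1224633600::::Release Manager A <a@example.org>:13x:
sub:-:2048:16:AAAAAAAAAAAA00F1:1224633600::::::e:
sig:::17:AAAAAAAAAAAA0001:1224633600::::Release Manager A <a@example.org>:18x:
pub:-:4096:1:BBBBBBBBBBBB0002:1255392000:::-:::scESC:
uid:-::::1255392000::0000000000000000000000000000000000000002::Release Manager B <b@example.org>:
sig:::1:BBBBBBBBBBBB0002:1255392000::::Release Manager B <b@example.org>:13x:
sig:::1:CCCCCCCCCCCC0003:1277424000::::Party Attendee C <c@example.org>:10x:
sig:::17:DDDDDDDDDDDD0004:1277424000::::[User ID not found]:10x:
"""

# OpenPGP signature types 0x10-0x13 certify a user ID.
# 0x18 (subkey binding) and other types say nothing about identity.
CERT_CLASSES = {"10", "11", "12", "13"}


def third_party_certifiers(listing):
    """Map each primary key ID to the set of other key IDs that certified it."""
    result, current = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            current = fields[4]          # field 5: long key ID of the primary key
            result[current] = set()
        elif kind == "sig" and current is not None and len(fields) > 10:
            signer = fields[4]           # field 5: key ID that made the signature
            sig_class = fields[10][:2]   # field 11: class, e.g. "13x"
            # A self-signature (signer == key itself) proves nothing about identity.
            if sig_class in CERT_CLASSES and signer != current:
                result[current].add(signer)
    return result


def unvouched_keys(listing):
    """Return key IDs that carry only self-signatures."""
    certs = third_party_certifiers(listing)
    return sorted(key for key, signers in certs.items() if not signers)


if __name__ == "__main__":
    for key, signers in third_party_certifiers(SAMPLE).items():
        print(key, "third-party certifications:", len(signers))
    print("no third-party certification:", unvouched_keys(SAMPLE))
```

A non-zero count only helps if the certifying keys are ones you already trust. `--list-sigs` lists signatures without verifying them; `gpg --check-sigs` verifies those whose signer keys are in the local keyring.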