Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 22351 invoked by uid 500); 18 Feb 2003 07:27:03 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 22317 invoked by uid 500); 18 Feb 2003 07:27:02 -0000 Delivered-To: apmail-httpd-dist-cvs@apache.org Errors-To: Message-Id: <5.2.0.9.2.20030218012036.02ca1c88@pop3.rowe-clan.net> X-Sender: wrowe%rowe-clan.net@pop3.rowe-clan.net X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Tue, 18 Feb 2003 01:25:32 -0600 To: dev@httpd.apache.org From: "William A. Rowe, Jr." Subject: Re: cvs commit: httpd-dist KEYS Cc: httpd-dist-cvs@apache.org In-Reply-To: <20030217193857.89422.qmail@icarus.apache.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Justin, could you *please* find a better way to say what you were (rightly) trying to convey about the keys file, below? It's a little absurd to try to have folks chasing us down for sigs at home. Don't we all get enough oddball private inquiries? A much more rational approach would be a resource of 'HTTPD developer meets', a web page where we could *announce* our presence and the opportunity for the users to come to us? (A.C., LinuxWorld, et al?) As an RM to one who hasn't RM'ed, you are a bit out of line putting this on each and every RM. I do get very infrequent requests to verify my key, and have the means to do so. It doesn't belong in the KEYS file to put ideas in their heads, however, or I will have to quit doing so even for the ultra paranoid, educated users who deserve the courtesy ;-) Bill At 01:38 PM 2/17/2003, jerenkrantz@apache.org wrote >jerenkrantz 2003/02/17 11:38:57 > > Modified: . KEYS > Log: > Oh, wordsmith away. We don't bite, but let's not tell anyone that. > > Revision Changes Path > 1.34 +24 -2 httpd-dist/KEYS > > Index: KEYS > +Please realize that this file itself or the public key servers may be > +compromised. You are encouraged to validate the authenticity of these keys in > +an out-of-band manner. A good start would be face-to-face communication with > +multiple photo identification confirmations. Each contributor has their > +location information available at http://httpd.apache.org/contributors/. > + > +Since the developers are usually quite busy, you may not immediately find > +success in someone who is willing to meet face-to-face (they may not even > +respond to your emails because they are so busy!). If you do not have a > +developer nearby or have trouble locating a suitable person, please send an > +email to the release manager of the release you are attempting to verify. They > +may be able to find someone who will be willing to verify their key in a less > +secure manner (over the phone perhaps).