httpd-dev mailing list archives

From Dean Gaudet <>
Subject Re: Fwd: 1.3.1 missing pgp signature
Date Mon, 27 Jul 1998 15:46:28 GMT

On Sat, 25 Jul 1998, Ben Laurie wrote:

> Dean Gaudet wrote:
> > 
> > I disagree.  Last time I signed a release we got a few dozen emails
> > indicating I'd done it wrong.  Apparently I wasn't supposed to use the
> > most recent pgp 5, or some crap like that.  Excuse me, but pgp sucks.
> > They don't interoperate between versions.  The key servers seem to change
> > address every couple of months, and there's no damn FAQ that says "here
> > are the 12 steps to working well with the rest of the world".
> > 
> > I wasted, and I do mean waste, a day trying to figure it out.  And I
> > couldn't.  I still can't interoperate with eudora's pgp plugin.  I still
> > don't know if my key is in the right key servers.  I don't know if my pine
> > pgp plugin is doing the right thing... the list goes on.
> It's interesting that everyone seems to have their own area of
> incompetence. But you do seem to be introducing several red herrings:
> firstly, key servers; they may have their failings, but so what?

When I signed one of the 1.3 betas I got several pieces of email asking
"why isn't your key in the key server?".  So, it's relevant.

> We
> don't need them, and they are fairly valueless when it comes to trust
> anyway. Eudora and pine plugins? Fascinating, but irrelevant.

I think it's stupid not to sign the outgoing announcement. 

> All we
> need is that you can sign a binary, having verified that the binary is
> correct and that you can put your public key in the public key file.
> Yes, it'd be nice if you could also sign emails, put your key on key
> servers and so forth, but completely not needed to sign Apache tarballs.


