httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Erenkrantz <>
Subject Re: cvs commit: httpd-dist KEYS
Date Tue, 18 Feb 2003 17:36:37 GMT
--On Tuesday, February 18, 2003 1:25 AM -0600 "William A. Rowe, Jr." 
<> wrote:

> Justin, could you *please* find a better way to say what you were
> (rightly) trying to convey about the keys file, below?

I welcome constructive comments, but we should indicate how we want 
people to verify our KEYS.  We need a statement to this effect.

> It's a little absurd to try to have folks chasing us down for sigs
> at home. Don't we all get enough oddball private inquiries?

The original suggestion was to put a phone number on the contributors 
web page where we could be reached.  I feel direct email is a more 
appropriate forum.  Sending an email to the developers list 
(dev@httpd) isn't appropriate because the KEYS file serves for the 
entire project (which consists of many subprojects that can release 
on their own - flood, mod_python, etc.).

We could create keys@httpd and people willing to verify keys could 
subscribe there.  (I'd almost suggest using security@httpd.)

> A much more rational approach would be a resource of 'HTTPD
> developer meets', a web page where we could *announce* our presence
> and the opportunity for the users to come to us?  (A.C.,
> LinuxWorld, et al?)

Expecting our users to be at conferences is a bit much.  It's hard 
enough to get httpd developers to attend ApacheCon never mind other 

> As an RM to one who hasn't RM'ed, you are a bit out of line putting
> this on each and every RM.  I do get very infrequent requests to
> verify my key, and have the means to do so.  It doesn't belong in
> the KEYS file to put ideas in their heads, however, or I will have
> to quit doing so even for the  ultra paranoid, educated users who
> deserve the courtesy ;-)

*ahem*  I have RMed, thank-ya-very-much.

I only said to contact the RM after failing to contact a person in 
your area.  I think it's reasonable, but perhaps a specific 
verification mailing list would ease your troubled mind?  -- justin

View raw message