httpd-dev mailing list archives

From Justin Erenkrantz <jus...@erenkrantz.com>
Subject Re: cvs commit: httpd-dist KEYS
Date Tue, 18 Feb 2003 18:30:15 GMT
--On Tuesday, February 18, 2003 12:06 PM -0600 "William A. Rowe, Jr." 
<wrowe@rowe-clan.net> wrote:

> I agree that was overkill.  However, why put anything on the
> contributors web page?  I believe that information exists right
> there, in the KEYS file, as to who signed a given release, with our
> email address (we only use still-valid email accounts when signing,
> right?)

Because you may be able to contact someone face-to-face who is 
already in our web of trust rather than the person who signed the 
release.  It doesn't matter if you don't trust the RM directly - as 
long as you trust someone who trusts the RM.

In short, you don't need to contact the RM directly.  You can, but it 
may not be practical to do face-to-face verification with that person 
(so, you might resort to telephone verification).  But, we have a 
wide enough geographic dispersal where you may be able to find 
someone in your area who is willing to do a face-to-face meeting. 
(In fact, this would *lessen* the load of the RM rather than increase 
it!)

The reason why I'm concerned about this generally is that mod_python 
and flood are going to be issuing signed releases soon.  Granted 
their popularity isn't as high as httpd, but they are looking for 
policy here.  It's our obligation to set good verification policy. 
-- justin
