httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: cvs commit: httpd-dist KEYS
Date Tue, 18 Feb 2003 07:25:32 GMT
Justin, could you *please* find a better way to say what you were (rightly)
trying to convey about the keys file, below?

It's a little absurd to try to have folks chasing us down for sigs at home.
Don't we all get enough oddball private inquiries?

A much more rational approach would be a resource of 'HTTPD developer
meets', a web page where we could *announce* our presence and the
opportunity for the users to come to us?  (A.C., LinuxWorld, et al?)

As an RM to one who hasn't RM'ed, you are a bit out of line putting this
on each and every RM.  I do get very infrequent requests to verify my key,
and have the means to do so.  It doesn't belong in the KEYS file to put
ideas in their heads, however, or I will have to quit doing so even for the 
ultra paranoid, educated users who deserve the courtesy ;-)

Bill

At 01:38 PM 2/17/2003, jerenkrantz@apache.org wrote
>jerenkrantz    2003/02/17 11:38:57
>
>  Modified:    .        KEYS
>  Log:
>  Oh, wordsmith away.  We don't bite, but let's not tell anyone that.
>  
>  Revision  Changes    Path
>  1.34      +24 -2     httpd-dist/KEYS
>  
>  Index: KEYS
>  +Please realize that this file itself or the public key servers may be
>  +compromised.  You are encouraged to validate the authenticity of these keys in
>  +an out-of-band manner.  A good start would be face-to-face communication with
>  +multiple photo identification confirmations.  Each contributor has their
>  +location information available at http://httpd.apache.org/contributors/.
>  +
>  +Since the developers are usually quite busy, you may not immediately find
>  +success in someone who is willing to meet face-to-face (they may not even
>  +respond to your emails because they are so busy!).  If you do not have a
>  +developer nearby or have trouble locating a suitable person, please send an
>  +email to the release manager of the release you are attempting to verify.  They
>  +may be able to find someone who will be willing to verify their key in a less
>  +secure manner (over the phone perhaps).






Mime
View raw message