httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: cvs commit: httpd-dist KEYS
Date Tue, 18 Feb 2003 18:06:26 GMT
At 11:36 AM 2/18/2003, Justin Erenkrantz wrote:
>--On Tuesday, February 18, 2003 1:25 AM -0600 "William A. Rowe, Jr." <>
>>It's a little absurd to try to have folks chasing us down for sigs
>>at home. Don't we all get enough oddball private inquiries?
>The original suggestion was to put a phone number on the contributors web page where we
>could be reached.  I feel direct email is a more appropriate forum.  Sending an email to the
>developers list (dev@httpd) isn't appropriate because the KEYS file serves for the entire
>project (which consists of many subprojects that can release on their own - flood, mod_python,

I agree that was overkill.  However, why put anything on the contributors
web page?  I believe that information exists right there, in the KEYS file,
as to who signed a given release, with our email address (we only use
still-valid email accounts when signing, right?)

>We could create keys@httpd and people willing to verify keys could subscribe there.  (I'd
>almost suggest using security@httpd.)

The incidence on httpd isn't high enough.  Maybe in Jakartaland this
is a bigger issue.  I've responded to the 10 or so requests I've ever received.

>>A much more rational approach would be a resource of 'HTTPD
>>developer meets', a web page where we could *announce* our presence
>>and the opportunity for the users to come to us?  (A.C.,
>>LinuxWorld, et al?)
>Expecting our users to be at conferences is a bit much.  It's hard enough to get httpd
>developers to attend ApacheCon never mind other conferences.

Hey - we did say nothing beats face-to-face with government issued
photo ID (preferably two forms), right?  The bigger point in such a paragraph
is that the user need not be there, they need to encourage high-visibility
individuals who attend such conferences, "hey, would you countersign keys
with someone within the ASF so I can trust their signatures?"

It's a web of trust.

>*ahem*  I have RMed, thank-ya-very-much.

I'm sorry, yes - that's right.  Now how many inquiries did you receive
(remembering they had your email addy within your KEYS entry that
you signed that release with)?

Mountains out of molehills?

>I only said to contact the RM after failing to contact a person in your area.  I think
>it's reasonable, but perhaps a specific verification mailing list would ease your troubled

I think the current method, "Hmmm... I don't trust this signature, I better
email that individual and inquire how to validate their key" (provided they
get a response) seems to work just fine today.

