httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: cvs commit: httpd-dist KEYS
Date Tue, 18 Feb 2003 19:10:43 GMT
Ahhh... verification between project RMs of one another's tarballs?

Then don't plug this into KEYS and raise awareness (our workload)
to insurmountable levels.  Let's start a wiki^H^H^H^Hdoc page all about
release signatures and PGP.  Explain in a nutshell what is signed, why
it is signed and how trusting joe who trusts sam lets you validate that
sam's signed package is authentic.  KEYS doesn't need to get so dirty,
a simple href will do to the authoritative doc out on www.apache.org/.

And let the reader connect the dots... unless you find several people
under the President's infrastructure committee who will handle the
keys@apache.org mail and do the leg work/flying/faxing/phoning.

But clean this out of our local KEYS file and do all the magic by
reference, so that even stale KEYS checkouts point to the now-
authoritative document (that would also include revoked keys to
avoid, et. al. :-)

Bill

At 12:30 PM 2/18/2003, Justin Erenkrantz wrote:
>--On Tuesday, February 18, 2003 12:06 PM -0600 "William A. Rowe, Jr." <wrowe@rowe-clan.net>
wrote:
>
>>I agree that was overkill.  However, why put anything on the
>>contributors web page?  I believe that information exists right
>>there, in the KEYS file, as to who signed a given release, with our
>>email address (we only use still-valid email accounts when signing,
>>right?)
>
>Because you may be able to contact someone face-to-face who is already in our web of trust
rather than the person who signed the release.  It doesn't matter if you don't trust the RM
directly - as long as you trust someone who trusts the RM.
>
>In short, you don't need to contact the RM directly.  You can, but it may not be practical
to do face-to-face verification with that person (so, you might resort to telephone verification).
 But, we have a wide enough geographic dispersal where you may be able to find someone in
your area who is willing to do a face-to-face meeting. (In fact, this would *lessen* the load
of the RM rather than increase it!)
>
>The reason why I'm concerned about this generally is that mod_python and flood are going
to be issuing signed releases soon.  Granted their popularity isn't as high as httpd, but
they are looking for policy here.  It's our obligation to set good verification policy. --
justin



Mime
View raw message