incubator-general mailing list archives

From "Gwyn Evans" <gwyn.ev...@gmail.com>
Subject Re: Some help with Lucene.Net release
Date Sun, 18 Mar 2007 08:35:48 GMT
It's not so much someone else signing it, but rather having a way of
proving that a particular person owns a particular key.  Here, for
instance, how do we know that it's really you that owns the key?

See http://www.rubin.ch/pgp/weboftrust.en.html and
http://people.apache.org/~henkp/trust/ but it's basically done by
passing your key fingerprint to others who you meet face-to-face in a
situation where you're sure of their ID.  They get your key from
public keyservers, check the fingerprint and if they're happy, they
can then sign it and email the signed key to you, whereupon you can
use it and it'll show up as signed by the other person...

(Of course, in practice, it's not that straightforward, eh, Upayavira! :-))

The critical bit is getting the key fingerprint in a way where the
provider's identity can be verified...

/Gwyn

On 18/03/07, George Aroush <george@aroush.net> wrote:
> Thanks Bertrand!
>
> All: must the key be signed by someone other than me?  If so, can someone
> from ASF do so?
>
> Thanks.
>
> -- George
>
> -----Original Message-----
> From: bdelacretaz@gmail.com [mailto:bdelacretaz@gmail.com] On Behalf Of
> Bertrand Delacretaz
> Sent: Saturday, March 17, 2007 2:29 PM
> To: general@incubator.apache.org
> Subject: Re: Some help with Lucene.Net release
>
> On 3/17/07, George Aroush <george@aroush.net> wrote:
>
> >... I generated the MD5 and SHA file based on:
> > http://www.apache.org/dev/release-signing.html#md5 using the commands:
> >
> >   $ gpg --print-md MD5 [fileName] > [fileName].md5..
>
> I'll let others comment as to whether this is a usually accepted format. I
> have the impression that I've always seen keys in the md5 or md5sum format.
> i.e. what you'd get running:
>
>   md5sum [fileName] > [fileName].md5
>
> But I don't know if this is a requirement of the ASF.
>
> (the command is sometimes named md5, not md5sum, depending on your platform)
>
> > ...As for your comment about the ASC file, I'm not sure what you mean
> > by "your key hasn't been signed by anyone"?  Can you tell me how to
> > fix it if this is a problem?..
>
> People doing releases try to have their PGP keys signed by other ASF people,
> in order to build a web of trust, see
> http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
> for more info, or Henk's pages at
> http://people.apache.org/~henkp/trust/
>
> I don't think a key that is not signed by others is a problem w.r.t.
> doing releases, but if you can get it signed at some point it's better IMHO.
>
> -Bertrand
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org


-- 
Download Wicket 1.2.5 now! - http://wicketframework.org
