incubator-general mailing list archives

From "Rahul Akolkar" <rahul.akol...@gmail.com>
Subject Re: Some help with Lucene.Net release
Date Mon, 19 Mar 2007 07:32:38 GMT

On 3/18/07, Craig L Russell <Craig.Russell@sun.com> wrote:
> Hi George,
>
> I'm not in a position to either approve or veto your release, but
> without anyone in Apache signing your pgp key it looks bad.
>
<snip/>

Not really:

 * Even if the key is signed by an ASF committer, or two (or ten),
there is no guarantee that it becomes trustworthy for the user (one of
the main reasons for signing is that users can check authenticity of
downloads).

 * We need to look at key signing in the context of ASF releases. In
order to release, the RM usually posts the distributions in his/her ~,
calls a vote, it passes etc. I don't see how the claim that the files
placed at the respective ~ are untrustworthy because the key isn't
signed holds much water, since there would have to be additional
exploits to orchestrate this release process.

 * For some, it may not be easily possible to meet other ASF
committers. Since we don't require "physical verification" for
anything else, requiring it in order to qualify as an RM feels like a
disconnect.

We should work on the web of trust across the Apache community, and
use (and create) opportunities towards the cause. Having a signed key
is generally better, but not having a signed key does not, by itself,
make an ASF release bad. It's still good enough.

-Rahul


> You might try contacting the half-dozen Apache folks in Boston
> directly by email, or see if anyone on this incubator list is willing
> to sign your key. But signing is not usually done without physical
> verification that you actually are who you say you are. I know it's
> harsh, but trust has a price.
>
> Craig
>
> On Mar 18, 2007, at 4:08 PM, George Aroush wrote:
>
> > I don't know anyone in person on the Apache web and unfortunately,
> > I am not
> > attending ApacheCons to meet other folks.  So what are my options?
> > The
> > release is ready for a vote and yet I don't know how to make it
> > happen with
> > this issue outstanding!!
>
> Craig Russell
> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>
>
>
