incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Niclas Hedhman <>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Mon, 29 Oct 2007 02:13:31 GMT
On Sunday 28 October 2007 23:15, Erik Abele wrote:
> As BenL always says: "I don't give a shit about some random document,  
> that could be faked anyway. All I care about is the email address  
> connected to the key I intend to sign - is it really the address of  
> the person in question?".

Ok, and if you don't know the individual in person, you put the trust in 
a "Driver's license" or similar... but doesn't really care how that 'trust' 
was established.
I must be plain dumb, but I don't "get" why this provides any comfort to 
end-users, even if they manage to figure out what to do with the .ASCs (I bet 
a very small percentage do).

And that is why I am asking for better tooling. 

> See also

Ok, it shows half the picture; How to sign the keys are left out...

> > as well as tooling support for verifications.

Uhhhh, we probably have more than a million users. Do we expect them all to 
get a hook into the WOT ?? IMHO, there is something wrong with that 

Couldn't a simple; where I put the ASC file (and 
the MD5 of download??) and get a "Authenticated" or not response be done?? If 
that is too hard to automate, I don't think we ever will see any increase in 
user awareness. The process on the above page is beyond most users' 


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message