incubator-general mailing list archives

From "Gilles Scokart" <gscok...@gmail.com>
Subject Re: status of PGP support in Maven
Date Thu, 18 Sep 2008 06:49:59 GMT
2008/9/15 William A. Rowe, Jr. <wrowe@rowe-clan.net>:
> Brett Porter wrote:
>>
>> For the releases to be identified as from the incubator, they'll need to be
>> signed solely by "the incubator". Did you want to elaborate on how you
>> anticipated that set up working?
>
> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
> would sign Jane's key, Jane would RM and sign with her own key, and the web
> of trust satisfies the trust requirement.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

That would require a completely isolated web of trust for the incubator
release.  If the incubating web of trust is trusted by someone that I
trust, then I would trust the incubating artefact without realising
that this artefact comes from the incubator.
I thought the objective was to force the user to agree that he
understands he is using an incubating artefact.

I have the impression that I misunderstand something here.  But what?

-- 
Gilles Scokart
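
The concern raised in this message, as an added example that is not part of the original post or of any Maven or ASF tooling: a simplified web-of-trust model in which every certification counts as a fully trusted introducer (real OpenPGP clients also weigh owner trust and chain depth). The key names and the `tlp-key` / `bob-key` branch are constructed placeholders.

```python
from collections import deque

# Constructed certifications (signer key -> keys it has certified), following
# the chain in the quoted message. All key names are placeholders.
CERTIFICATIONS = {
    "asf-key": ["incubator-key", "tlp-key"],
    "incubator-key": ["jane-key"],
    "tlp-key": ["bob-key"],
}


def trust_path(trusted_roots, signer, certs=CERTIFICATIONS):
    """Return the shortest certification chain from a trusted root to signer, or None."""
    queue = deque([root] for root in trusted_roots)
    seen = set(trusted_roots)
    while queue:
        path = queue.popleft()
        if path[-1] == signer:
            return path
        for nxt in certs.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def verify(trusted_roots, signer):
    """Plain web-of-trust answer: the signature is accepted if any chain exists."""
    return trust_path(trusted_roots, signer) is not None


def crosses(trusted_roots, signer, marker_key="incubator-key"):
    """Extra check a client would need: does the chain pass through marker_key?"""
    path = trust_path(trusted_roots, signer)
    return path is not None and marker_key in path


if __name__ == "__main__":
    for signer in ("jane-key", "bob-key"):
        # verify() gives the same answer for both release managers; only the
        # path inspection reveals that jane-key is reached via the incubator.
        print(signer, verify(["asf-key"], signer), crosses(["asf-key"], signer),
              trust_path(["asf-key"], signer))
```

A user who trusts only `asf-key` gets the same "valid" result for both signers, so the incubator's place in the chain is visible only if the client inspects the path itself.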


