incubator-general mailing list archives

From "Robert Burrell Donkin" <robertburrelldon...@gmail.com>
Subject Re: status of PGP support in Maven
Date Mon, 15 Sep 2008 19:59:17 GMT
On Mon, Sep 15, 2008 at 7:39 PM, Dirk-Willem van Gulik
<dirkx@webweaving.org> wrote:
>
> On Sep 15, 2008, at 4:40 PM, William A. Rowe, Jr. wrote:
>
>> Brett Porter wrote:
>>>
>>> For the releases to be identified as from the incubator, they'll need to be
>>> signed solely by "the incubator". Did you want to elaborate on how you
>>> anticipated that set up working?
>>
>> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
>> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
>> would sign Jane's key, Jane would RM and sign with her own key, and the web
>> of trust satisfies the trust requirement.
>
> Though in general I'd be a bit more inclined towards a derivative of our PGP
> network into x509 land - and then a solid hierarchy through the PMCs from
> there (e.g. pgp signed +1's can be swapped for an x509 signature - but with
> the 'recall once it has left the ranch' which CRLs give you).

x509 is nasty, but something similar can be achieved by signing meta-data.

- robert
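The chain William sketches above (ASF key certifies the incubator key, the incubator key certifies the release manager's key, the RM signs the artifact with her own key), as an added example that is not from the thread or from any ASF tooling: a small Python model that checks whether a release signer is reachable from a trust anchor through key certifications, refuses artifacts signed directly by a role key, and shows how revoking an intermediate key cuts the chain (the "recall" Dirk-Willem contrasts with CRLs). Key names, the role-key rule and the depth cap are assumptions, and only certifications are modelled, not the cryptographic signatures themselves.

```python
"""Constructed model of the PGP trust chain discussed in the thread:
asf-key -> incubator-key -> jane-key -> release artifact.
Key names, role-key set and depth cap are assumptions, not ASF policy."""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

Certification = Tuple[str, str]  # (signing key, key being certified)


class WebOfTrust:
    def __init__(self, certifications: Iterable[Certification],
                 role_keys: Iterable[str], max_depth: int = 5):
        self.certified_by: Dict[str, Set[str]] = {}
        for signer, signee in certifications:
            self.certified_by.setdefault(signer, set()).add(signee)
        self.role_keys = set(role_keys)  # certify keys, never sign artifacts
        self.revoked: Set[str] = set()
        self.max_depth = max_depth       # assumed cap on certification hops

    def revoke(self, key: str) -> None:
        """Revoking a key removes every path that runs through it."""
        self.revoked.add(key)

    def trust_path(self, anchor: str, target: str) -> Optional[List[str]]:
        """Breadth-first search from the anchor along certifications,
        skipping revoked keys and stopping at max_depth hops."""
        if anchor in self.revoked:
            return None
        queue = deque([[anchor]])
        while queue:
            path = queue.popleft()
            if path[-1] == target:
                return path
            if len(path) - 1 >= self.max_depth:
                continue
            for nxt in self.certified_by.get(path[-1], ()):
                if nxt not in self.revoked and nxt not in path:
                    queue.append(path + [nxt])
        return None

    def artifact_trusted(self, anchor: str, signer: str) -> bool:
        """A release counts as trusted only when signed by a personal key
        that the anchor reaches through unrevoked certifications."""
        if signer in self.role_keys:
            return False
        return self.trust_path(anchor, signer) is not None


# Constructed sample: the two certifications William describes.
CERTS: List[Certification] = [("asf-key", "incubator-key"),
                              ("incubator-key", "jane-key")]
ROLE_KEYS = {"asf-key", "incubator-key"}
```

Instantiate `WebOfTrust(CERTS, ROLE_KEYS)` and call `artifact_trusted("asf-key", "jane-key")`; revoke `"incubator-key"` and the same call returns False.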
