incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: KEYS and releases
Date Thu, 30 Jun 2011 12:47:12 GMT
Robert Burrell Donkin wrote on Thu, Jun 30, 2011 at 08:31:38 +0100:
> On Tue, Jun 28, 2011 at 10:20 AM, Christian Grobmeier
> <grobmeier@gmail.com> wrote:
> >>> we copy a KEYS file into that directory upon succesful VOTE of the release
> >>> artifacts (which also include the KEYS file).
> >>
> >> Perhaps, but the point we're getting at was explicitly stated by Benson,
> >> "The goal here is to allow and encourage consumers to independently verify
> >> signatures.  That calls for KEYS somewhere else than inside the package."
> >
> > I am sorry to ask it again, but why can't the incubator have a policy
> > to make people use:
> > https://id.apache.org/
> > to store their signing key.
> >
> > Then we have them listed for each projects there:
> > https://people.apache.org/keys/
> >
> > Was it not meant that way?
> 
> AIUI  this infrastructure is relative new and intended to add defense-in-depth
> 

Yes, it's new, and yes, it isn't meant to replaced PGP trust paths.

What it does behind the scenes is 'gpg --recv-key keyid > committer.asc'
and publish the result over https, where the key id (or fingerprint) is
provided by the committer (authenticating with their svn password).

> IMHO the IPMC should only document (any volunteers?) a strong
> recommendation but leave policy in this area to the experts over in
> infrastructure
> 
> Robert
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message