incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Grobmeier <grobme...@gmail.com>
Subject Re: KEYS and releases
Date Tue, 28 Jun 2011 09:16:43 GMT
>> Hence the need for people to download KEYS files from an *.apache.org
>> domain that we do control. Putting KEYS in a distribution might cause
>> people to use them instead of getting them from a trusted source, and
>> that's bad.
>
> The keys should be included in the web of trust, so it shouldn't
> matter from where a user gets the keys.
>
> Without the web of trust, the PGP signatures are just a rather
> elaborate version of the MD5 and SHA1 checksums we also provide.
>
> Of course, without being included in the web of trust, the best a user
> can do is to get at least one of the keys from a trusted source.

It should, but I don't know a single project (I don't know all of
course) were  it has been asked on a dev list:
"I have no trusted key. Is a trusted user out there who could please
sign my release artifacts?"

I would like to know how many signing keys are actually trusted which
have been used for our releases.

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message