incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: key signing
Date Thu, 11 Oct 2012 01:10:12 GMT
Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400:
> I've read this entire thread (whew!), and would actually like to throw out
> a contrary position:
> 
> No signed keys.
> 
> Consider: releases come from the ASF, not a person.

Therefore, releases should be signed by the ASF as an organisation, not
by individual persons.  Right?

> The RM builds the
> release artifacts and checks them into version control along with hash
> "checksums". Other PMC members validate the artifacts for release criteria
> and matching checksums, voting +1 via version control.
> 
> All of the above is done via authenticated ASF accounts. The above
> establishes an ASF release.
> 
> Please explain how "keys" are needed for this ASF release? Consumers are
> already told to verify the SHA1 and nothing more. I doubt any more is
> needed.
> 
> (assume secure Infrastructure)
> 
> Cheers,
> -g

Daniel
(infra hat off, devil's advocate hat on)

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message