incubator-general mailing list archives

From Florian Holeczek <flor...@holeczek.de>
Subject Re: key signing
Date Fri, 05 Oct 2012 15:44:23 GMT
Daniel Shahaf wrote on 05.10.2012 at 15:15:
> Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400:
>> Alternatively, since the chain is CLA -> svn access -> unsigned key in
>> svn, perhaps all we really need is to document that a signature
>> corresponding to a key in svn is really good enough, and users need
>> not be concerned further.
>>
> 
> Downloading keys from https://www.apache.org/dist/ or
> https://people.apache.org/keys/ is good enough for users who
> trust root@ and Thawte.

A few days ago, I learned from a mail on this list that it was OK to participate
in the Apache community using only a pseudonym.
The question is, how far does this go? May releases be signed with keys belonging to a pseudonym?
PGP/GPG's concept in general is that keys contain their owner's real name. If releases may
be signed under pseudonyms, then, if I understood the Apache pseudonym rules right, the only
one who would be able to sign such a key would be secretary@, since it's the only one who knows
the pseudonym's real identity.

Regards
 Florian
