incubator-general mailing list archives

From Florian Holeczek <>
Subject Re: key signing
Date Fri, 05 Oct 2012 15:44:23 GMT
Daniel Shahaf wrote on 05.10.2012 at 15:15:
> Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400:
>> Alternatively, since the chain is CLA -> svn access -> unsigned key in
>> svn, perhaps all we really need is to document that a signature
>> corresponding to a key in svn is really good enough, and users need
>> not be concerned further.
> Downloading keys from or
> is good enough for users who
> trust root@ and Thawte.

A few days ago, I learned from a mail on this list that it was OK to participate
in the Apache community using only a pseudonym.
The question is, how far is this going? May releases be signed with keys belonging to a pseudonym?
PGP/GPG's concept in general is that keys contain their owner's real name. If releases may
be signed under pseudonyms, then, if I understood the Apache pseudonym rules right, the only
one who would be able to sign such a key was secretary@, since it's the only one who knows
the pseudonym's real identity.

