incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shane Curcuru <...@shanecurcuru.org>
Subject Re: key signing - trust path check
Date Wed, 10 Oct 2012 13:43:09 GMT
Anyone interested in details of PGP signing and tracing trust paths at 
the ASF should say thank you to long-time member henkp who has done a 
ton of work documenting and verifying release signing and keys:

   https://people.apache.org/~henkp/trust/

- Shane

On 10/8/2012 6:37 PM, Noah Slater wrote:
> Found one... Just poking around manually...
>
> J. Daniel Kulp <dkulp@apache.org>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x858FC4C4F43856A3
>
> Signed by Carsten Ziegeler <cziegeler@apache.org>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x132E49D4E41EDC7E
>
> Signed by Marcus Crafter <crafterm@debian.org>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x394D2FE3C4C57B42
>
> And all Debian folk are connected, as per my pervious email. :)
>
> There should be a tool for this!
>
> On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies <bimargulies@gmail.com>wrote:
>
>> Let's try a little statistically-invalid experiment of sample size
>> one. The last time I had a key signed at Apache, it was by Dan Kulp.
>> Now, pretend that you are a suspicious user of one of the many Maven
>> plugins releases that I RM. Can you reach Dan from yourself in the
>> web? Is there anyone you, personally, trust who starts a chain that
>> leads to him?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message