incubator-general mailing list archives

From: Marvin Humphrey <mar...@rectangular.com>
Subject: Re: key signing
Date: Mon, 15 Oct 2012 15:11:16 GMT
On Mon, Oct 15, 2012 at 5:46 AM, Benson Margulies <bimargulies@gmail.com> wrote:
> Now I have a practical problem. I've received email from a committer
> on a project. I have met him in person -- some years ago. I helped him
> get started at Apache. His fellow PMC members are telling him that
> it's *necessary* for him to come up with one or more signatures on his
> key to act as an RM.
>
> Choices:
>
> 1) send email to him and his PMC fellows, referencing this thread, as
> evidence that key signing is nice but optional.

In my opinion, the best thing to do would be to forward links to Daniel
Shahaf's post describing the multiple-signer workflow and the relevant section
of Subversion's release policy documentation.

    http://s.apache.org/NG2 (link to mail-archives.apache.org)
    https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing

That technique seems far-and-away the most appropriate answer for Apache
projects.

> 2) go ahead and sign his key based on simple email. I'm a very bad
> paranoid; I'm not interested in the idea that some person out there is
> anxious to undermine Apache and has captured one or both of our gmail
> accounts, or is acting as an MITM. I have plenty of writing-style
> evidence that this email address disgorges communications from him.
>
> 3) Engage in some more or less baroque protocol involving skype or
> carrier pigeons.

The advantage of adopting an existing protocol (a la
<http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html>) is
that individuals don't have to roll their own -- they can just follow the
recipe.  The virtual protocol discussed earlier in this thread never got
beyond the proposal stage before it was rendered obsolete by Daniel's
suggestion.

If you don't want to spend mindspace on this topic, I'd suggest adopting the
policy of "I only sign keys at key-signing parties."  Or eventually, if the ASF
develops a formal policy, adopt that.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

