incubator-general mailing list archives

From Greg Stein <gst...@gmail.com>
Subject Re: key signing
Date Wed, 10 Oct 2012 23:44:30 GMT
I've read this entire thread (whew!), and would actually like to throw out
a contrary position:

No signed keys.

Consider: releases come from the ASF, not a person. The RM builds the
release artifacts and checks them into version control along with hash
"checksums". Other PMC members validate the artifacts for release criteria
and matching checksums, voting +1 via version control.

All of the above is done via authenticated ASF accounts. The above
establishes an ASF release.

Please explain how "keys" are needed for this ASF release? Consumers are
already told to verify the SHA1 and nothing more. I doubt any more is
needed.

(assume secure Infrastructure)

Cheers,
-g

On Oct 5, 2012 5:04 AM, "Benson Margulies" <bimargulies@gmail.com> wrote:

> I'm offering this discussion here, but it might need to go elsewhere
> if it goes anywhere at all.
>
> It seems to me that there is a gap in the incubation process, and
> I don't know how to fill it.
>
> As far as I can see, we don't do anything to facilitate or encourage
> getting PGP keys signed. We tell people to create a key and put it in
> the SVN 'keys' file.
>
> Key signing strikes me as a bit of a conundrum for us. In all other
> respects, we emphasize that anyone, anywhere, in any time zone, can be
> a full member of a community. However, key signing requires something
> else. [1] Generally, it requires a face-to-face interaction.
>
> It is perhaps interesting to note that the foundation accepts CLAs as
> legally binding without any face-to-face identity verification. If you
> send in a CLA with a signature, we believe it, and we believe that the
> email address you provide is, in fact, controlled by the legal person
> who signed the form.
>
> I wonder, then, if secretary@ should be willing to sign a key.
> Alternatively, since the chain is CLA -> svn access -> unsigned key in
> svn, perhaps all we really need is to document that a signature
> corresponding to a key in svn is really good enough, and users need
> not be concerned further.
>
>
>
> [1]: http://httpd.apache.org/dev/verification.html
