incubator-general mailing list archives

From Benson Margulies <bimargul...@gmail.com>
Subject Re: key signing
Date Mon, 08 Oct 2012 21:37:04 GMT
On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater <nslater@tumbolia.org> wrote:
> On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <bimargulies@gmail.com> wrote:
>
>>
>> There's another side to this, which I would derisively label, 'so
>> what'? How does it help a user to see that my key is signed by 27 of
>> my fellow Apache contributors, if the user has never met any of us,
>> and has never met anyone who has met any of us, etc, etc. In other
>> words, the Web of Trust only helps users (very much) if they are
>> active participants, and likely to have trust links that reach ASF
>> release managers.
>>
>> In my opinion, that's vanishingly unlikely, and so the best we can do
>> is to allow users to verify that the signature was, in fact, made by
>> the 'Apache hat' that it claimed to be made by. Using the keys in
>> KEYS, or the fingerprints from LDAP, seems the best they can do.
>>
>
> To me, this seems like an outright dismissal of the web of trust because it
> is "unlikely." Which it is sure to be if everyone dismisses it. You're
> right in so much as not a lot of people care. But for the people that do
> care, it is very important, and works just great. (Note, I am not one of
> those people, though I am "in" the web of trust having been involved in
> Debian, which takes it very seriously.) If you are the sort of person who
> has a GPG key and gets it signed, then the chances are that you can
> establish trust with an RM that does the same.

I've been watching PGP from its birth, and I've seen very little
evidence of the web of trust growing from geeks like us to the sort of
people who download and install Tomcat. If you can offer some
counterevidence, I'm all eyes.

My personal enthusiasm is for all Apache projects to share a clear
recipe for their users to verify downloads. That recipe should work
for *every user* and *every release manager*.


>
> --
> NS

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
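As an added example that is not part of this thread and not any Apache project's own tooling: a POSIX shell recipe of the kind Benson asks for. It imports the project's KEYS file into a throwaway keyring (so the user's own keyring and trust settings are untouched), verifies the detached signature, and then pins the signing key's primary fingerprint to a value the user obtained out of band (for instance from the project's KEYS page over HTTPS). It assumes GnuPG is installed as `gpg`; the function names and the `verify_release` argument order are my own; the VALIDSIG field layout follows GnuPG's DETAILS documentation; no real fingerprint appears, only constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: verify an Apache-style release
# download (artifact + detached .asc + KEYS) and pin the signer's fingerprint.
# Assumption: GnuPG is available as `gpg`.

# Normalise a fingerprint for comparison: drop spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Compare two fingerprints regardless of spacing or case. Returns 0 on match.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Extract the primary-key fingerprint from `gpg --status-fd 1 --verify` output.
# A VALIDSIG line carries ten arguments after the keyword; the tenth is the
# primary key fingerprint (awk field 12 once "[GNUPG:]" and "VALIDSIG" are
# counted). Prints nothing if no VALIDSIG line is present.
primary_fpr_from_status() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# verify_release ARTIFACT SIGNATURE KEYS EXPECTED_FINGERPRINT
# Returns 0 only if the signature is cryptographically valid under a key from
# KEYS *and* that key's primary fingerprint equals EXPECTED_FINGERPRINT.
verify_release() {
    artifact=$1; sig=$2; keys=$3; expected=$4
    tmp=$(mktemp -d) || return 1

    # Import KEYS into the throwaway homedir (mktemp -d gives mode 0700).
    if ! gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null; then
        echo "could not import $keys" >&2
        rm -rf "$tmp"
        return 1
    fi

    # Status lines go to stdout so the script can parse them.
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null)
    rc=$?
    rm -rf "$tmp"

    if [ "$rc" -ne 0 ]; then
        echo "signature verification FAILED for $artifact" >&2
        return 1
    fi

    actual=$(primary_fpr_from_status "$status")
    if ! fpr_matches "$actual" "$expected"; then
        # Valid signature, but not from the key the user pinned: treat as failure.
        echo "fingerprint mismatch: signed by $actual, expected $expected" >&2
        return 2
    fi

    echo "OK: $artifact signed by key $actual"
}

# Stand-alone usage; no real values are embedded here.
if [ "$#" -eq 4 ]; then
    verify_release "$1" "$2" "$3" "$4"
else
    echo "usage: $0 ARTIFACT ARTIFACT.asc KEYS EXPECTED_FINGERPRINT" >&2
fi
```

Note that `gpg --verify` exits 0 for a good signature even when the key carries no certifications, printing only a "not certified" warning; that is exactly the situation Benson describes for a user with no path into the web of trust, which is why the fingerprint pin is the check that matters here. A KEYS file that contains many release managers' keys is also why the recipe pins one expected fingerprint rather than accepting any key in the file.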