incubator-general mailing list archives

From Benson Margulies <bimargul...@gmail.com>
Subject key signing
Date Fri, 05 Oct 2012 12:04:04 GMT
I'm offering this discussion here, but it might need to go elsewhere
if it goes anywhere at all.

It seems to me that there is a gap in the incubation process, and
I don't know how to fill it.

As far as I can see, we don't do anything to facilitate or encourage
getting PGP keys signed. We tell people to create a key and put it in
the SVN 'keys' file.

Key signing strikes me as a bit of a conundrum for us. In all other
respects, we emphasize that anyone, anywhere, in any time zone, can be
a full member of a community. However, key signing requires something
else. [1] Generally, it requires a face-to-face interaction.

It is perhaps interesting to note that the foundation accepts CLAs as
legally binding without any face-to-face identity verification. If you
send in a CLA with a signature, we believe it, and we believe that the
email address you provide is, in fact, controlled by the legal person
who signed the form.

I wonder, then, if secretary@ should be willing to sign a key.
Alternatively, since the chain is CLA -> svn access -> unsigned key in
svn, perhaps all we really need is to document that a signature
corresponding to a key in svn is really good enough, and users need
not be concerned further.



[1]: http://httpd.apache.org/dev/verification.html
