From general-return-37840-apmail-incubator-general-archive=incubator.apache.org@incubator.apache.org  Thu Oct 11 01:40:45 2012
Return-Path: <general-return-37840-apmail-incubator-general-archive=incubator.apache.org@incubator.apache.org>
X-Original-To: apmail-incubator-general-archive@www.apache.org
Delivered-To: apmail-incubator-general-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 01C18D479
	for <apmail-incubator-general-archive@www.apache.org>; Thu, 11 Oct 2012 01:40:45 +0000 (UTC)
Received: (qmail 41613 invoked by uid 500); 11 Oct 2012 01:40:44 -0000
Delivered-To: apmail-incubator-general-archive@incubator.apache.org
Received: (qmail 41381 invoked by uid 500); 11 Oct 2012 01:40:44 -0000
Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:general-help@incubator.apache.org>
List-Unsubscribe: <mailto:general-unsubscribe@incubator.apache.org>
List-Post: <mailto:general@incubator.apache.org>
List-Id: <general.incubator.apache.org>
Reply-To: general@incubator.apache.org
Delivered-To: mailing list general@incubator.apache.org
Received: (qmail 41361 invoked by uid 99); 11 Oct 2012 01:40:44 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2012 01:40:44 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of gstein@gmail.com designates 209.85.219.47 as permitted sender)
Received: from [209.85.219.47] (HELO mail-oa0-f47.google.com) (209.85.219.47)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2012 01:40:38 +0000
Received: by mail-oa0-f47.google.com with SMTP id h1so1252655oag.6
        for <general@incubator.apache.org>; Wed, 10 Oct 2012 18:40:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=3WB2ME6PVmWO1I1KBRQr2Y2RuwXIQnJnXuZVk/3SkpY=;
        b=NxxfWs054KUPx6+4JkhZNlXM+xiMEeYaq7WfDRDCWSNGYUBFmibVjyvhPZuthscaEQ
         uixHBS0kcfd6LbrgOu5di4AJBqI4Ysy3SOlyd7eC8nO5uoJ1uz1GpzAwhhpSXulwnJj8
         eyygISJJqYz9X/KRoBB1MPzQ1c4waBswCElvyhD4nN3b+AwGTLMHBtN1RWn/sZOlH11f
         gbz17qAm7A7Z6K9+VHvCneW7zy2+bt2+HvAoR6srdWEKJ4bsfIfHENmK2p6B6FGTDWl5
         Zwt35k+yssmITPmj6S2zSl7n5O+hcfaGtvk3QUz3fadmisRRHFhvBjVm8HOUdj70wSRP
         IWJA==
MIME-Version: 1.0
Received: by 10.60.14.198 with SMTP id r6mr19973083oec.115.1349919618188; Wed,
 10 Oct 2012 18:40:18 -0700 (PDT)
Received: by 10.60.58.42 with HTTP; Wed, 10 Oct 2012 18:40:18 -0700 (PDT)
In-Reply-To: <20121011013513.GD3349@lp-shahaf.local>
References: <CALhtWkesFMhkATDcpOVoSpeGZ0+W+u9wt+DiVbTp4MUDda2N3A@mail.gmail.com>
	<CABD8fLUO=13YqzVRWRGOQXpQ6nA8-u-rAr3zSZncy0J4r0HOmw@mail.gmail.com>
	<20121011011011.GC3349@lp-shahaf.local>
	<CABD8fLWinzbdoURqpty+hb9DMk8anx2Lckvk4ZZN8zG7DH6vtw@mail.gmail.com>
	<20121011013513.GD3349@lp-shahaf.local>
Date: Wed, 10 Oct 2012 21:40:18 -0400
Message-ID: <CABD8fLUcYV1PWgemD=mS+Jy6u1cxMwqRFxoN2YpHkb_GOD6wvQ@mail.gmail.com>
Subject: Re: key signing
From: Greg Stein <gstein@gmail.com>
To: Daniel Shahaf <d.s@daniel.shahaf.name>
Cc: general@incubator.apache.org
Content-Type: text/plain; charset=ISO-8859-1
X-Virus-Checked: Checked by ClamAV on apache.org

On Wed, Oct 10, 2012 at 9:35 PM, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400:
>...
>> My point is that our instructions to users don't really incorporoate
>> the notions of "keys", and (thus) provide near-zero utility. For such
>
> So, provide better instructions?

That's the implication that I'm getting at... rip out all the key
stuff, and just talk about the SHA1 checksums.

>...
> One benefit I named in my next-to-last message: upon a new release,
> users who downloaded the previous release and its signature can verify
> that the new release was signed by the same entity that signed the
> previous release.  This binds releases to each another.
>
> Shane hinted at another: a person who signs a release using the same key
> he uses for day-to-day dev@ work links the release not to his legal
> identity but to his dev@ identity.  This binds releases to people doing
> dev work.
>
> SHA-1 checksums don't provide any binding whatsoever, other than
> "whoever generated the checksum was looking at the same file I am
> looking at".

I understand there is no binding. I'm only considering a binding
against the ASF. It is residing on our infrastructure, its checksum
matches, therefore it must be authentic.

Does the extra glue really matter? Do we really need to figure out key
signing parties? What are we truly getting out of this?

I look at the "glue" of the committer's identifier. I'm posting to
dev@ as gstein, and then I commit the tarball artifact as gstein.
Binding is now complete.

Cheers,
-g

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org