incubator-general mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: [VOTE] Release Apache Calcite 0.9.1 (incubating)
Date Mon, 13 Oct 2014 16:11:41 GMT
I suggest that the release manager and anyone else in the KEYS file should 
have added key fingerprints to their Apache profiles at <https://id.apache.org/>.

This will have their PGP keys refreshed regularly under their Apache ID at 
<https://people.apache.org/keys/committer/>.

With regard to an identifiable association of the key, presence in this 
manner connects the PGP key to the Apache ID by demonstration of control 
over the committer's Apache profile.

One can go farther by adding the user-id@apache.org to a User-ID on the key.
Verifying that one has control over that e-mail address (and all User-IDs)
is done by registering the public key at the PGP Global Directory service at 
<https://keyserver2.pgp.com/vkd/GetWelcomeScreen.event> and completing the
ceremony specified there.  After the ceremony is completed, you can retrieve
your counter-signed PGP key from that service and synchronize it to a public
PGP key server.  The ASF will pick it up on a future refresh.

Use of the key from the Apache ID list has certain valuable properties.  It is
not fixed, as in the key files in the project and in distributions.  That means
any additional (web-of-trust) certifications of the key's association with a 
committer are updated automatically.  That includes any revocations.


 -- Dennis E. Hamilton
    dennis.hamilton@acm.org    +1-206-779-9430
    https://keybase.io/orcmid  PGP F96E 89FF D456 628A
    X.509 certs used and requested for signed e-mail



-----Original Message-----
From: Justin Mclean [mailto:justin@classsoftware.com] 
Sent: Sunday, October 12, 2014 22:29
To: general@incubator.apache.org
Subject: Re: [VOTE] Release Apache Calcite 0.9.1 (incubating)

Hi,

> First, the signing key is present in SVN, but has not been uploaded to the
> standard key-servers, nor has it been signed by anyone.

I found it here:
https://pgp.mit.edu/pks/lookup?search=Julian+Hyde&op=index

Even if the key is part of a web of trust it may not be part of everyone's web of trust. I'd
see that as a hard requirement to meet.

Thanks,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
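
A check in the spirit of the thread above, as an added example that is not part of either message: it parses `gpg --list-sigs --with-colons` output and reports whether the fingerprint matches the expected one (for instance, the one on the committer's Apache profile), whether the key is revoked, whether it carries an @apache.org User-ID, and which keys other than the owner's have certified it. The listing, key IDs, names and the `audit_key` helper are constructed for illustration.

```python
import re

# Constructed `gpg --list-sigs --with-colons` output; all IDs and names are placeholders.
SAMPLE = (
    "pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC::::::23::0:\n"
    "fpr:::::::::0123456789ABCDEF0123AAAAAAAAAAAAAAAAAAAA:\n"
    "uid:-::::1400000000::HASH1::Example Committer <committer@example.org>::::::::::0:\n"
    "sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example Committer <committer@example.org>:13x:::::8:\n"
    "uid:-::::1410000000::HASH2::Example Committer <exampleid@apache.org>::::::::::0:\n"
    "sig:::1:AAAAAAAAAAAAAAAA:1410000000::::Example Committer <exampleid@apache.org>:13x:::::8:\n"
    "sig:::1:BBBBBBBBBBBBBBBB:1411000000::::Example Directory Key:10x:::::8:\n"
)

def audit_key(listing, expected_fpr):
    """Summarise one key: fingerprint match, revocation, apache.org UID, third-party certs."""
    primary, fpr, revoked, uids = None, None, False, []
    certs, cert_revs = set(), set()
    for line in listing.splitlines():
        f = line.split(":") + [""] * 12           # pad so short records index safely
        rec = f[0]
        if rec == "pub":
            primary, revoked = f[4], f[1] == "r"  # validity field 'r' means the key is revoked
        elif rec == "fpr" and fpr is None:        # first fpr record belongs to the primary key
            fpr = f[9]
        elif rec == "uid" and f[1] != "r":        # ignore revoked User-IDs
            uids.append(f[9])
        elif rec == "sig" and f[10][:2] in ("10", "11", "12", "13") and f[4] != primary:
            certs.add(f[4])                       # certification by a key other than the owner's
        elif rec == "rev" and f[4] != primary:
            cert_revs.add(f[4])                   # simplification: any revocation by that signer
    emails = [m.group(1).lower() for u in uids for m in [re.search(r"<([^>]+)>", u)] if m]
    norm = lambda s: re.sub(r"\s+", "", s or "").upper()
    return {
        "fingerprint_match": fpr is not None and norm(fpr) == norm(expected_fpr),
        "revoked": revoked,
        "apache_uid": any(e.endswith("@apache.org") for e in emails),
        "third_party_certs": certs - cert_revs,
    }

if __name__ == "__main__":
    print(audit_key(SAMPLE, "0123 4567 89AB CDEF 0123 AAAA AAAA AAAA AAAA AAAA"))
```

An empty `third_party_certs` set corresponds to the "nor has it been signed by anyone" case raised in the quoted message; the listing only shows that certifications exist, so checking that they are cryptographically valid remains gpg's job.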

