www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henri Yandell" <flame...@gmail.com>
Subject Re: Summary
Date Thu, 02 Mar 2006 10:44:01 GMT
On 3/1/06, Henk P. Penning <henkp@cs.uu.nl> wrote:
> On Wed, 1 Mar 2006, Noel J. Bergman wrote:
>
> > Date: Wed, 1 Mar 2006 18:19:36 -0500
> > From: Noel J. Bergman <noel@devtech.com>
> > To: repository@apache.org
> > Subject: RE: Summary
> >
> > > * jars must be: md5'd, sha1'd, pgp (.asc'd).
> >
> > Justification?  I only do PGP, nor do I see any need for anything else.
>
>   Fine, great. Much better to concentrate on one mechanism,
>   and strive for perfection. I'm pushing this agenda:
>
>   -- every committer must have a pgp key in ~user/.pgpkey
>   -- every release manager must be in the (apache) strong set
>
>   Every new committer should be asked for a pgp key ;
>   new-user script checks if the pubkey is on the keyservers ;
>   puts user pubkey in ~user/.pgpkey ; emails initial password
>   pgp encrypted to new user.

The irritating part with this agenda is that PGP is hugely the most
painful part of doing a release - and it locks out people who haven't
joined the clique of 'who-has-signed-who'. I'm still building up the
energy to figure out how to move my PGP key from minotaur to somewhere
off minotaur (after being told not to use minotaur) - partly due to
effort involved in grokking all this, but mostly due to not having
anywhere I trust more than minotaur.

It bemuses me that PGP has been such a pain to me, but it is the
single most reason why I've not done a release in the last couple of
years.

I understand and accept the reasoning though. We can't have a single
PGP key for Apache as that would be too juicy a target to attack
(right?), we can't trust SVN credentials as they are too easy to break
(especially as they're plain text on the client), Asylum isn't
available yet and might not be any easier than the PGP stuff anyway.

As to the pain of needing three types of authentication on files (md5,
sha1, pgp) - I agree. Anything we can do to make the technical aspect
of releasing simpler is good.

Hen

Mime
View raw message