xml-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ted Leung" <twle...@sauria.com>
Subject Re: PMC Work Items
Date Fri, 28 Feb 2003 07:40:54 GMT
Sorry if I was unclear.  I think that we should coordinate with
infrastructure@ and give input to how this
should work ASF wide.

Ted
----- Original Message -----
From: <berin@ozemail.com.au>
To: <general@xml.apache.org>
Sent: Thursday, February 27, 2003 5:32 PM
Subject: Re: PMC Work Items


> G'day Shane,
>
> > Shane Curcuru wrote
>
> > Let's make sure we keep this focused on the basics.  I don't think we
have
> > the need or resources to setup our own PGP keyserver; there are plenty
> > already out there (http://pgpkeys.mit.edu/ seems popular with
> > Apacheites).  Plus I think infrastructure@ and others are already
working
> > on secure ways to get KEYS files directly from an ASF machine securely,
> > which will solve the trusted distribution of keys problem.
> >
>
> So exactly what is the aim of the game here?
> Happy to agree that a keyserver may be over the
> top, but a mechanism that conveys an Apache
> keyring to end users of Apache software would
> surely have to be a good thing?  If we are serious
> about secure software distribution (and I think
> we are, given we are taking the trouble to sign
> the releases in the first place), then surely we
> should also be serious about how we extend that
> security into user-land.
>
> I'd also be interested in what you mean by "a secure
> ways to get KEYS files directly from an ASF
> machine"?  Surely a key is either in the web of
> trust (whatever that means to us) or not.  The
> fact is resides on an ASF machine doesn't
> necessarily mean that we should put a high degree
> of trust in it.
>
> BTW - That's not in any way having a
> go at the security of ASF machines.  That's simply
> saying that you are basing the trust you place on
> a cryptographic key on the security of a
> password.  Seems a bit contradictory?
>
> Or have I read the whole thing wrong :>.
>
> > One thing we do need is more prominently published how-tos for using PGP
> > (or GPG, or older or newer versions of PGP, all of which are different)
> > both for signing and verifying.  There are a number of snippets on
various
> > download pages, and a couple of sites on the web with descriptions, but
> > it'd be nice to have more details specifically for both committers and
users.
>
> Absolutely agree!  I'd also say the how-to should
> extend to a minimum set of requirements we would
> like to see in place before a key is signed.
>
> Cheers,
>     Berin
>
>
> This message was sent through MyMail http://www.mymail.com.au
>
>
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail:     webmaster@xml.apache.org
> To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
>


---------------------------------------------------------------------
In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org


Mime
View raw message