xml-general mailing list archives
From Shane Curcuru <shane_curc...@yahoo.com>
Subject Re: PMC Work Items
Date Thu, 27 Feb 2003 20:08:20 GMT
A couple of comments out to general@; I'm presuming that all PMC members 
read general somewhat regularly...  Two quick notes on mirrors and PGP:

> ---- Ted Leung wrote: ----
> As promised, here's a list of work items for the PMC
> ...
> o Encourage projects to start using the ASF mirroring guidelines
This is important; as Ted mentioned, to the ASF itself as well as to the 
projects.  We need an early adopter to spearhead the effort to both get 
their project migrated properly, and then to make sure the existing 
'how-to' pages that infrastructure@ and the jakarta folks have already 
set up are clear enough for everyone to follow.  (Don't forget us Windoz 
folks as well!) -sc


> ---- Ted Leung wrote: ----
> o Encourage PGP signing of releases and improvement of the PGP web of
> trust
> ---- <berin@ozemail.com.au> wrote: ----
> An interesting area.  We can do all sorts of things to improve usage of
> PGP (provide deb keyring, PGP keyserver for Apache keys etc.), but the
> process of linking a key to a user would need to be better performed for
> it to be truly useful.  Or is the feeling that just having CVS commit is
> enough to validate a key?
>
> The ideal (thinking aloud) might be to have people put a PGP fingerprint
> on their CLA - that way in the event of password compromise etc. we have
> a linkage of a key back to a signed form to indicate we are talking to
> who we think we are.
>
> Creating a key-server also allows users of software to go to a "trusted"
> source to validate a signing key for a distribution should they so desire.

Let's make sure we keep this focused on the basics.  I don't think we have 
the need or resources to set up our own PGP keyserver; there are plenty 
already out there (http://pgpkeys.mit.edu/ seems popular with 
Apacheites).  Plus I think infrastructure@ and others are already working 
on secure ways to get KEYS files directly from an ASF machine securely, 
which will solve the trusted distribution of keys problem.

And currently, we effectively only have individual webs-of-trust between 
people with PGP keys who are committers.  Not optimal, but the easiest 
thing to do to start with.  Essentially, we're providing users with 
individual signatures that show the build they get was created by 
such-and-such PGP keyowner, who presumably is also a committer.  It's 
currently up to the user to verify that they're comfortable enough to use 
the software then.

Unfortunately xml and jakarta folks don't seem to be as well-cross-signed 
with the httpd etc. crowd yet.  I tried to get some keysigning done at the 
last ApacheCon, but I'm sure I missed people.  I'd urge xml folks to 
volunteer to sign each other's keys if you've met any other xml (or 
jakarta, etc) folks personally.  The bigger and more connected the 
web-of-trust, the more useful it typically is.

One thing we do need is more prominently published how-tos for using PGP 
(or GPG, or older or newer versions of PGP, all of which are different) 
both for signing and verifying.  There are a number of snippets on various 
download pages, and a couple of sites on the web with descriptions, but 
it'd be nice to have more details specifically for both committers and users.

- Shane


---------------------------------------------------------------------
In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
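As an added example that is not part of this thread (not code from Shane, Berin or the ASF): a POSIX shell script for the verification step the post says is left to the user, checking a release's detached signature against the project's published KEYS file. It assumes GnuPG (`gpg`) is installed; the committer key, artifact and KEYS it uses are constructed throwaways.

```shell
#!/bin/sh
# Added example (not from the thread): verify a release the way the post
# describes, against the project's published KEYS file. Assumes GnuPG
# ("gpg") is installed; the key, artifact and KEYS below are constructed.
set -eu

# verify_release ARTIFACT SIGNATURE.asc KEYS
# Prints "verified <fingerprint>" and returns 0 only if the detached
# signature is good AND was made by a key listed in KEYS; returns 1 otherwise.
verify_release() {
    ring=$(mktemp -d) && chmod 700 "$ring"
    # Fresh, empty keyring seeded only from KEYS: any other key, however
    # "good" its signature, is simply unknown here and cannot pass.
    GNUPGHOME="$ring" gpg --batch --quiet --import "$3" 2>/dev/null
    # --status-fd gives machine-readable results; VALIDSIG carries the signing
    # key's full fingerprint, BADSIG/NO_PUBKEY appear on failure. gpg will still
    # warn the key is "not certified": that is the web-of-trust gap the thread
    # discusses; here trust rests on where KEYS was fetched from.
    status=$(GNUPGHOME="$ring" gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    rm -rf "$ring"
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')
    [ -n "$fpr" ] || return 1
    printf 'verified %s\n' "$fpr"
}

# Self-contained demo: a throwaway "committer" key signs a constructed
# artifact and exports its public key as KEYS, then a user verifies it.
demo() {
    work=$(mktemp -d) && chmod 700 "$work"
    mkdir -m 700 "$work/signer"
    GNUPGHOME="$work/signer" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key 'Demo Committer <demo@example.invalid>' \
        default default never 2>/dev/null
    printf 'constructed release contents\n' > "$work/release.tar.gz"
    GNUPGHOME="$work/signer" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --armor --detach-sign "$work/release.tar.gz"
    GNUPGHOME="$work/signer" gpg --batch --armor --export > "$work/KEYS"
    verify_release "$work/release.tar.gz" "$work/release.tar.gz.asc" "$work/KEYS"
    # A tampered artifact must be rejected even though the key is in KEYS.
    cp "$work/release.tar.gz" "$work/tampered.tar.gz" && printf 'x' >> "$work/tampered.tar.gz"
    if verify_release "$work/tampered.tar.gz" "$work/release.tar.gz.asc" "$work/KEYS"; then
        echo 'tampered accepted'; return 1
    fi
    echo 'tampered rejected'
    GNUPGHOME="$work/signer" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

# Run the demo only where GnuPG is actually installed.
if command -v gpg >/dev/null 2>&1; then demo; fi
```

The same `verify_release` works unchanged on a real download once KEYS has been fetched from the project's own site rather than from the mirror that served the artifact.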

