xml-general mailing list archives

From Berin Lautenbach <be...@ozemail.com.au>
Subject Re: PMC Work Items
Date Sat, 01 Mar 2003 08:48:24 GMT
robert burrell donkin wrote:

> IMHO the main practical issue is that apache committers are on five 
> continents. i've never met any other committers in person. getting all 
> release managers together in a room where everyone can sign everyone 
> else's (code signing) key is never going to happen.


At the risk of dragging this out...

I agree, but is it necessarily that complicated?  I think the issue for 
PGP/GPG keys in this case is not one of identity but one of authority. 
 Nobody really cares which Berin Lautenbach I am (I am sure there are 
others in the world :>).  However they do care that the archive I have 
signed is an authorised Apache distribution.  Thus the idea in the 
original e-mail that maybe the contributors agreement could have a PGP 
fingerprint attached, which would link me back to the legal agreement I 
have signed with Apache.  Then if my key is signed and placed in the 
"Apache keyring" it is done so under the banner of the legal entity 
called Apache Software Foundation, rather than as an acknowledgement 
that someone has seen my passport.

Not necessarily any need for me to have met anyone, and *very* simple to 
implement, as most of the processes already exist.  (Mind you, would 
still be nice to authenticate identity as well.)

That to me makes more sense, because trust, in the Apache community, is 
on the basis of my history of actions as a developer, not on the basis 
of my identity.

Cheers,
    Berin


