2008/4/23 Torsten Curdt <[EMAIL PROTECTED]>:
>
> > Risks are mitigated to an arguably acceptable level by wrappering the
> > entire release process at Apache around the point to point secure
> > transport guarantee that signing is meant to provide.
> >
>
> That only holds true if you don't use mirrors and people get the releases
> directly from us.
>

Surely only the KEYS (and digests) need to be obtained from us?

> > I am generally hesitant to introduce any more overhead for folks to
> > step up to RM'ing releases than is strictly necessary, given that this
> > community needs a lot more of 'em.
> >
>
> I agree ...but as said. I am happy to step up and just do the signing if
> that really is the bottleneck.
>
> > The amount of security rigor applied that would cause an unsigned key
> > to be a blocking factor for signing releases would probably also
> > discount the above from being acceptable.
> >
>
> Why is that? I cannot follow that argument.
>
> > As one data point of the operational reality, there were several
> > artifacts released using my key which was unsigned for years until a
> > little over a week ago.
> >
>
> Not good. But now that your key is signed it retroactively validates the
> releases. Actually with all the release nitpicking we do I am surprised this
> hasn't been brought up - or got ignored ;)
>

The signing key has to be in the KEYS file; the KEYS file is normally in SVN,
which implies that the person who updated it has an ASF login.

> Frankly speaking I think the signing is the least blocking part in our
> release process. We have enough PMC members that have a cross-signed key.
>
> > Finally, from reading Matt's email at the top of the thread I did get
> > the sense that he was keen on getting his key signed, so I didn't
> > stress that any further.
> >
>
> Let's get him signed :)
>
> cheers
> --
> Torsten
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
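The check the thread is circling around, written out as an added example (not code from the thread or from any Apache project): the artifact may come from a mirror, but the signature is only worth something if the signing key is listed in the KEYS file fetched from the project's own site, and gpg's TRUST_* line then tells you whether that key is itself certified by anyone you trust (the cross-signing point). It assumes the caller ran `gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz` and captured the status lines, and that KEYS uses the usual "Key fingerprint = ..." layout; all fingerprints and key IDs below are constructed placeholders.

```python
import re

# Constructed sample KEYS file with two release managers' keys (placeholder values).
KEYS_FILE = """\
pub   4096R/DEADBEEF 2008-04-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF
uid                  Release Manager One (CODE SIGNING KEY) <rm1@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
pub   1024D/CAFEF00D 2005-06-15
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 CAFE F00D
uid                  Release Manager Two <rm2@example.org>
"""

# Constructed gpg --status-fd output: good signature by a KEYS-listed key that has
# no certification path to the verifier, i.e. what an uncross-signed RM key looks
# like to someone outside the project.
GOOD_BUT_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEFDEADBEEF Release Manager One (CODE SIGNING KEY) <rm1@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFDEADBEEF 2008-04-23 1208908800 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEFDEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def keys_fingerprints(keys_text):
    """Return the set of 40-hex fingerprints listed in a KEYS file."""
    return {m.group(1).replace(" ", "").upper()
            for m in re.finditer(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]{40,})", keys_text)}

def check_release(status_output, keys_text):
    """Return (accepted, reason). Accept only a VALIDSIG whose (primary) key
    fingerprint is in KEYS; the web-of-trust level is reported, not required."""
    fpr, trust = None, "unknown"
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "BADSIG":
            return False, "signature does not match the artifact (BADSIG)"
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return False, "signing key not available; import KEYS first"
        if tag == "VALIDSIG":
            # field 11 is the primary-key fingerprint when a subkey made the signature
            fpr = (parts[11] if len(parts) >= 12 else parts[2]).upper()
        if tag.startswith("TRUST_"):
            trust = tag[len("TRUST_"):].lower()
    if fpr is None:
        return False, "no valid signature found"
    if fpr not in keys_fingerprints(keys_text):
        return False, "good signature, but signer %s is not in KEYS" % fpr
    return True, "signed by a KEYS-listed key; web-of-trust level: %s" % trust
```

A "good signature" whose key is absent from KEYS proves only that somebody signed the file, which is exactly the mirror concern raised above; the TRUST_UNDEFINED case is the one that cross-signing RM keys turns into TRUST_FULLY for people in the web of trust.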