On Wed, 2008-04-23 at 09:30 +0100, sebb wrote:
> 2008/4/23 Torsten Curdt <[EMAIL PROTECTED]>:
> >
> > > Risks are mitigated to an arguably acceptable level by wrappering the
> > > entire release process at Apache around the point to point secure
> > > transport guarantee that signing is meant to provide.
> > >
> >
> > That holds only true if you don't use mirrors and people get the releases
> > directly from us.
> >
>
> Surely only the KEYS (and digests) need to be obtained from us?
>
> > > I am generally hesitant to introduce any more overhead for folks to
> > > step up to RM'ing releases than is strictly necessary, given that this
> > > community needs a lot more of 'em.
> > >
> >
> > I agree ...but as said. I am happy to step up and just do the signing if
> > that really is the bottleneck.
> >
> > > The amount of security rigor applied that would cause an unsigned key
> > > to be a blocking factor for signing releases would probably also
> > > discount the above from being acceptable.
> > >
> >
> > Why is that? I cannot follow that argument
> >
> > > As one data point of the operational reality, there were several
> > > artifacts released using my key which was unsigned for years until a
> > > little over a week ago.
> > >
> >
> > Not good. But now that your key is signed it retroactively validates the
> > releases. Actually with all the release nitpicking we do I am surprised this
> > hasn't been brought up - or got ignored ;)
> >
>
> The signing key has to be in the KEYS file; the KEYS file is normally
> in SVN which implies that the person who updated it has an ASF login.
Yep. I'm still puzzled about what the fuss is about here...
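The split sebb describes above (artifact bytes from any mirror; KEYS, the detached .asc and the digest from the origin) as an added shell example; this is not code from the thread or from Apache. It assumes gpg 2.1+ and sha512sum or shasum, and stands up a throwaway, constructed release-manager key and release in place of the origin so that it runs offline; run it as `sh verify.sh run`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache: trust the mirror only
# for the artifact bytes; take KEYS, the detached .asc and the digest from the
# origin. A throwaway release-manager key and release (constructed) stand in
# for the origin so everything runs offline. Assumes gpg 2.1+ and sha512sum/shasum.

sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"; else shasum -a 512 "$1"; fi |
    cut -d' ' -f1
}

# check_digest ARTIFACT DIGESTFILE: 0 iff ARTIFACT matches the published digest.
check_digest() { [ "$(sha512_of "$1")" = "$(cut -d' ' -f1 "$2")" ]; }

# verify_sig ARTIFACT ASC KEYS: 0 iff a key listed in KEYS made the signature.
# A fresh, empty keyring is used so only KEYS (the origin's trust root) counts.
verify_sig() {
  vh=$(mktemp -d)
  gpg --homedir "$vh" --batch --quiet --import "$3" 2>/dev/null
  if gpg --homedir "$vh" --batch --verify "$2" "$1" 2>/dev/null; then rc=0; else rc=1; fi
  rm -rf "$vh"; return $rc
}

# make_origin DIR: constructed RM key, signed artifact, KEYS and .sha512 in DIR.
make_origin() {
  oh=$(mktemp -d); a="$1/commons-foo-1.0.tar.gz"
  printf 'commons-foo-1.0 (constructed release bytes)\n' > "$a"
  gpg --homedir "$oh" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'RM (constructed) <rm@example.invalid>' ed25519 sign never 2>/dev/null
  gpg --homedir "$oh" --batch --quiet --armor --export > "$1/KEYS"
  gpg --homedir "$oh" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign -o "$a.asc" "$a" 2>/dev/null
  sha512_of "$a" > "$a.sha512"
  rm -rf "$oh"
}

# Walk-through: an honest mirror, then a mirror that serves altered bytes.
demo() {
  origin=$(mktemp -d); mirror=$(mktemp -d); make_origin "$origin"
  a=commons-foo-1.0.tar.gz; cp "$origin/$a" "$mirror/$a"
  check_digest "$mirror/$a" "$origin/$a.sha512" && verify_sig "$mirror/$a" "$origin/$a.asc" "$origin/KEYS" &&
    echo "honest mirror: digest and signature OK"
  printf 'tampered\n' >> "$mirror/$a"; sha512_of "$mirror/$a" > "$mirror/$a.sha512"
  check_digest "$mirror/$a" "$origin/$a.sha512" || echo "tampered mirror: origin digest rejects it"
  check_digest "$mirror/$a" "$mirror/$a.sha512" && echo "...but a digest taken from the mirror passes"
  verify_sig "$mirror/$a" "$origin/$a.asc" "$origin/KEYS" || echo "tampered mirror: signature rejects it"
  rm -rf "$origin" "$mirror"
}
if [ "${1:-}" = run ]; then demo; fi
```

The second check_digest call in demo is the thread's point in one line: a digest fetched from the same mirror as the artifact proves nothing, so it and KEYS have to come from the origin.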