--- Torsten Curdt <[EMAIL PROTECTED]> wrote:
> > How would that work logistically? I publish RC
> > artifacts, and once they're voted on, you sign the
> > same artifacts that presumably you personally
> > reviewed? Doesn't that necessarily force us -not-
> to
> > use the full mvn process?
>
> Indeed - that's would mean not using the gpg maven
> plugin
>
> >> Let's get him signed :)
> >
> > I have seen mentioned the idea of getting a
> signing
> > done without a F2F.
>
> Why? Where are you located? Antarctica? ;-)
Might as well be... TN, USA. Don't know of any other
committers in the area.
>
> > If anyone has ideas on how to
> > make this secure, I'm all ears. Otherwise, how
> many
> > signatures are needed? Or does it just depend on
> how
> > strongly trusted (how many signatures IT has) a
> given
> > signature is?
>
> I'd think a signature from just a few apache folks
> would do.
>
There are a couple of committers within a few hours of
me, I know, if I needed to get my key signed; however
given your "I'll shut up" comment later on this thread
I suppose I won't worry about it either for now. :)
Maybe next year's Apachecon US won't be in the murder
capital of the nation (I hate ATL too, which is why I
didn't make last year's).
-Matt
> cheers
> --
> Torsten
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
>
>
____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
