I've just downloaded the 5.1.1 tarball onto a rather ancient
machine which is, among other things, underpowered for PGP
and takes forever to check trust.  So having verified that
the signature is good, I went to check trust paths using
my favourite online tool (run by Apache man Henk Penning).

I was surprised and disappointed in the result:
http://pgp.cs.uu.nl/mk_path.cgi?FROM=B87F79A9&TO=94D96DE2&PATHS=trust+paths

That service seems not to find AMC's key on the keyserver
and so cannot establish trust paths.  I am able to establish
trust to just two of Alan's signatures: Leif and Bryan.

Whilst not a showstopper, this seems to me uncomfortably
sparse information for verifying a release.  Ideally it would
be good if release signing keys were firmly in the Strong Set.
Any folks going to ApacheCon or other such events, can I urge
you to take part in keysignings and establish yourself
firmly in the Web of Trust?

-- 
Nick Kew
