On 3/18/07, Craig L Russell <[EMAIL PROTECTED]> wrote:
Hi George,
I'm not in a position to either approve or veto your release, but
without anyone in Apache signing your pgp key it looks bad.
<snip/>
Not really:
* Even if the key is signed by an ASF committer, or two (or ten),
there is no guarantee that it becomes trustworthy for the user (one of
the main reasons for signing is that users can check authenticity of
downloads).
* We need to look at key signing in the context of ASF releases. In
order to release, the RM usually posts the distributions in his/her ~,
calls a vote, it passes etc. I don't see how the claim that the files
placed at the respective ~ are untrustworthy because the key isn't
signed holds much water, since there would have to be additional
exploits to orchestrate this release process.
* For some, it may not be easily possible to meet other ASF
committers. Since we don't require "physical verification" for
anything else, requiring it in order to qualify as a RM feels like a
disconnect.
We should work on the web of trust across the Apache community, and
use (and create) opportunities towards the cause. Having a signed key
is generally better, but not having a signed key does not, by itself,
make an ASF release bad. It's still good enough.
-Rahul
You might try contacting the half-dozen Apache folks in Boston
directly by email, or see if anyone on this incubator list is willing
to sign your key. But signing is not usually done without physical
verification that you actually are who you say you are. I know it's
harsh, but trust has a price.
Craig
On Mar 18, 2007, at 4:08 PM, George Aroush wrote:
> I don't know anyone in person on the Apache web and unfortunately, I am not
> attending ApacheCons to meet other folks. So what are my options? The
> release is ready for a vote and yet I don't know how to make it happen with
> this issue outstanding!!
Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!