2008/9/15 William A. Rowe, Jr. <[EMAIL PROTECTED]>:
> Brett Porter wrote:
>>
>> For the releases to be identified as from the incubator, they'll need to be
>> signed solely by "the incubator". Did you want to elaborate on how you
>> anticipated that set up working?
>
> With PGP it's a web of trust. Any ASF-role key would never be used to sign
> any artifact. Ideally, ASF-key would sign incubator key, incubator key
> would sign Jane's key, Jane would RM and sign with her own key, and the web
> of trust satisfies the trust requirement.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

That would require a completely isolated web of trust for the incubator release. If the incubating web of trust is trusted by someone that I trust, then I would trust the incubating artefact without realising that this artefact comes from the incubator.

I thought the objective was to force the user to agree that he understands he is using an incubating artefact.

I have the impression that I misunderstand something here. But what?

--
Gilles Scokart
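
An added illustration of the concern raised in the message above, not part of the original thread: a simplified model of transitive certification (not GnuPG's actual trust calculation) in which a release signature validates through a chain the user never chose, and the incubator key is only visible if the verifier inspects the path. The key names and the certification graph are constructed from the roles mentioned in the thread.

```python
from collections import deque

# Constructed certification graph: key -> keys it has certified.
# Names are hypothetical labels for the roles discussed in the thread.
CERTIFIES = {
    "user-trusted-friend": ["asf-key"],
    "asf-key": ["incubator-key"],
    "incubator-key": ["jane-key"],
}


def trust_path(roots, signer, certifies=CERTIFIES):
    """Return the shortest certification chain from a trusted root to signer."""
    queue = deque([r] for r in roots)
    seen = set(roots)
    while queue:
        path = queue.popleft()
        if path[-1] == signer:
            return path
        for certified in certifies.get(path[-1], []):
            if certified not in seen:
                seen.add(certified)
                queue.append(path + [certified])
    return None  # no chain: the signature cannot be validated


def verdict(roots, signer, flagged=frozenset({"incubator-key"})):
    """Validity plus any flagged intermediate keys found on the chain.

    A verifier that reports only the first element ("valid") gives the
    user no hint that the chain ran through the incubator key.
    """
    path = trust_path(roots, signer)
    if path is None:
        return ("untrusted", [])
    return ("valid", [key for key in path if key in flagged])


if __name__ == "__main__":
    # The user only ever decided to trust a friend's key.
    print(trust_path(["user-trusted-friend"], "jane-key"))
    print(verdict(["user-trusted-friend"], "jane-key"))
    # Isolated web: the user must have trusted the incubator key directly.
    print(verdict(["incubator-key"], "jane-key"))
```
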