Robert Burrell Donkin wrote on Thu, Jun 30, 2011 at 08:31:38 +0100:
> On Tue, Jun 28, 2011 at 10:20 AM, Christian Grobmeier
> <grobme...@gmail.com> wrote:
> >>> we copy a KEYS file into that directory upon successful VOTE of the release
> >>> artifacts (which also include the KEYS file).
> >>
> >> Perhaps, but the point we're getting at was explicitly stated by Benson,
> >> "The goal here is to allow and encourage consumers to independently verify
> >> signatures. That calls for KEYS somewhere else than inside the package."
> >
> > I am sorry to ask it again, but why can't the incubator have a policy
> > to make people use:
> > https://id.apache.org/
> > to store their signing key.
> >
> > Then we have them listed for each project there:
> > https://people.apache.org/keys/
> >
> > Was it not meant that way?
>
> AIUI this infrastructure is relatively new and intended to add defense-in-depth
>

Yes, it's new, and yes, it isn't meant to replace PGP trust paths. What it does behind the scenes is 'gpg --recv-key keyid > committer.asc' and publishes the result over https, where the key id (or fingerprint) is provided by the committer (authenticating with their svn password).

> IMHO the IPMC should only document (any volunteers?) a strong
> recommendation but leave policy in this area to the experts over in
> infrastructure
>
> Robert
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
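The consumer-side check the thread keeps circling, as an added example that is not part of this thread and not Apache infrastructure's code: the KEYS file is fetched from somewhere other than the artifact, imported into a throwaway keyring so the user's own ring and trust database play no part, and the signature is accepted only if it was made by a fingerprint the consumer pinned out of band. That last step is the point of "not a replacement for PGP trust paths": a key appearing in KEYS or on people.apache.org/keys says only that someone uploaded it, so the fingerprint itself still has to be confirmed independently. The script assumes GnuPG 2.1 or later on PATH; the demo key, the file names (release-1.0.tar.gz, KEYS) and the stand-in artifact are constructed here for the example.

```shell
#!/bin/sh
# Added example; not code from this thread or from Apache infrastructure.
# Verifies a release artifact against a KEYS file obtained separately from
# the artifact, in an isolated keyring, pinned to one fingerprint.
# All file names and the demo key are constructed for the example.
# Assumes GnuPG 2.1 or later is installed and on PATH.
set -eu

# verify_release ARTIFACT DETACHED_SIG KEYS_FILE EXPECTED_FINGERPRINT
# Exit status 0 only if the detached signature verifies AND was made by the
# key (or a subkey of the key) with the full 40-hex-digit fingerprint given.
# A KEYS file proves nothing on its own, anyone can publish a key; the pinned
# fingerprint is what ties the release to the release manager.
verify_release() {
    artifact=$1 sig=$2 keys=$3
    # Accept fingerprints pasted with spaces or in lowercase.
    expected=$(printf '%s' "$4" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    command -v gpg >/dev/null 2>&1 || { echo 'gpg not installed' >&2; return 2; }
    ring=$(mktemp -d) && chmod 700 "$ring"
    # Throwaway GNUPGHOME: nothing in ~/.gnupg (other keys, the trust db) can
    # influence the result, and KEYS does not pollute the user's own keyring.
    GNUPGHOME=$ring gpg --batch --quiet --import "$keys" 2>/dev/null \
        || { rm -rf "$ring"; return 1; }
    # --status-fd 1 emits machine-readable lines. VALIDSIG carries the full
    # fingerprint of the signing key (first field) and of its primary key
    # (last field); GOODSIG only shows a 64-bit key ID, which is not a safe
    # identifier to pin.
    status=$(GNUPGHOME=$ring gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null || true)
    rm -rf "$ring"
    printf '%s\n' "$status" \
        | grep -qE "^\[GNUPG:] VALIDSIG ($expected |.* $expected$)"
}

# make_demo_release DIR: create a throwaway signing key, a KEYS file in the
# shape Apache projects publish (gpg --list-keys text followed by the armored
# export), a stand-in artifact and its detached signature. Demo data only.
make_demo_release() {
    dir=$1 signer=$1/signer-home
    mkdir -p "$signer" && chmod 700 "$signer"
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Manager <rm@example.invalid>' ed25519 sign never
    # Primary-key fingerprint, the value a consumer would pin out of band.
    GNUPGHOME=$signer gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }' > "$dir/fingerprint"
    { GNUPGHOME=$signer gpg --batch --list-keys 2>/dev/null
      GNUPGHOME=$signer gpg --batch --armor --export; } > "$dir/KEYS"
    printf 'stand-in for release-1.0.tar.gz\n' > "$dir/release-1.0.tar.gz"
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$dir/release-1.0.tar.gz.asc" "$dir/release-1.0.tar.gz"
}

# Stand-alone run: build the demo release, then verify it against its own
# KEYS file and pinned fingerprint.
demo() {
    work=$(mktemp -d)
    make_demo_release "$work"
    fpr=$(cat "$work/fingerprint")
    if verify_release "$work/release-1.0.tar.gz" "$work/release-1.0.tar.gz.asc" "$work/KEYS" "$fpr"; then
        echo "OK: signature valid and made by pinned key $fpr"
    else
        echo "REJECT: bad signature or unexpected signing key"
    fi
    rm -rf "$work"
}
demo
```

In real use the artifact and its .asc come from the release directory or a mirror, KEYS from the project's canonical HTTPS location, and the fingerprint from something the consumer already trusts (a previous release, the release manager's key signed by people they know, or a fingerprint recorded in their own notes). The script deliberately treats a good signature from any other key in KEYS as a rejection: a compromised or mistaken KEYS file can add keys, but it cannot change the fingerprint the consumer pinned.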