Anyone interested in details of PGP signing and tracing trust paths at
the ASF should say thank you to long-time member henkp who has done a
ton of work documenting and verifying release signing and keys:
https://people.apache.org/~henkp/trust/
- Shane
On 10/8/2012 6:37 PM, Noah Slater wrote:
Found one... Just poking around manually...
J. Daniel Kulp <[email protected]>
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x858FC4C4F43856A3
Signed by Carsten Ziegeler <[email protected]>
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x132E49D4E41EDC7E
Signed by Marcus Crafter <[email protected]>
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x394D2FE3C4C57B42
And all Debian folk are connected, as per my previous email. :)
There should be a tool for this!
On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies <[email protected]> wrote:
Let's try a little statistically-invalid experiment of sample size
one. The last time I had a key signed at Apache, it was by Dan Kulp.
Now, pretend that you are a suspicious user of one of the many Maven
plugins releases that I RM. Can you reach Dan from yourself in the
web? Is there anyone you, personally, trust who starts a chain that
leads to him?
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
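Added example, not part of the original thread and not an ASF or GnuPG tool: a sketch of the kind of tool asked for above, which builds a "who signed whom" graph from colon-format signature listings and searches it for a chain from a key you trust to a release manager's key. The listing is constructed (it reuses the three key IDs quoted in the thread plus a made-up 1111111111111111 for "you"), and the field layout is assumed to be that of `gpg --check-sigs --with-colons`.

```python
from collections import deque

# Constructed listing in the style of `gpg --check-sigs --with-colons`; not real
# keyserver data. Field 1 = record type, field 5 = key ID. On "sig" records
# field 2 starts with "!" only when gpg verified the signature.
SAMPLE = """\
pub:-:4096:1:858FC4C4F43856A3:1200000000:::-:::scESC:
sig:!::1:858FC4C4F43856A3:1200000000::::constructed self-sig:13x:
sig:!::1:132E49D4E41EDC7E:1200000001::::constructed uid:10x:
sig:-::1:1111111111111111:1200000002::::constructed bad sig:10x:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1200000000::::::e:
sig:!::1:858FC4C4F43856A3:1200000000::::constructed binding sig:18x:
pub:-:1024:17:132E49D4E41EDC7E:1100000000:::-:::scESC:
sig:!::17:394D2FE3C4C57B42:1100000001::::constructed uid:10x:
pub:-:1024:17:394D2FE3C4C57B42:1000000000:::-:::scESC:
sig:!::1:1111111111111111:1000000001::::constructed uid:10x:
"""

def signature_graph(listing):
    """Map signer key ID -> set of key IDs it has verifiably certified."""
    graph, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":
            current = f[4]          # following sig records belong to this key
        elif f[0] == "sig" and current and f[1].startswith("!") and f[4] != current:
            # Self-signatures and subkey bindings (signer == key) are skipped.
            # "rev" records are not handled: a revoked certification still counts.
            graph.setdefault(f[4], set()).add(current)
    return graph

def trust_path(graph, start, target):
    """Breadth-first search: shortest chain of certifications start -> target."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    g = signature_graph(SAMPLE)
    print(" -> ".join(trust_path(g, "1111111111111111", "858FC4C4F43856A3")))
```

The signature marked "-" would have given a one-hop path; because it did not verify, the search falls back to the three-hop chain. A path only shows that certifications exist, not that each signer checked identity carefully.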