Now I have a practical problem. I've received email from a committer on a project. I have met him in person -- some years ago. I helped him get started at Apache. His fellow PMC members are telling him that it's *necessary* for him to come up with one or more signatures on his key to act as an RM.
Choices:

1) send email to him and his PMC fellows, referencing this thread, as evidence that key signing is nice but optional.
2) go ahead and sign his key based on simple email. I'm a very bad paranoid; I'm not interested in the idea that some person out there is anxious to undermine Apache and has captured one or both of our gmail accounts, or is acting as an MITM. I have plenty of writing-style evidence that this email address disgorges communications from him.
3) Engage in some more or less baroque protocol involving skype or carrier pigeons.

Anyone care to try to tell me what to do? My views are colored by my, and his, complete disinterest in the WoT outside of its use at Apache, and my conviction that I do, indeed, know that this key is under the control of a particular person who signed a CLA and got voted in as a committer of a particular project.
