On Mon, Oct 13, 2014 at 2:05 PM, Marvin Humphrey <mar...@rectangular.com> wrote:
> > Even if the key is part of a web trust it may not be part of everyone's
> > web of trust. I'd see that as a hard requirement to meet.
>
> The last time this came up, Daniel Shahaf suggested an excellent solution:
>
> http://s.apache.org/U57
>
> No one said that a release need have only one signature...
>
> 1) RM prepares tarball, signs, uploads for voting
> 2) voting passes
> 3) mentor appends his signature to the .asc file
> 4) artifacts posted to dist/
>
> That solves the problem for end users until the RM attends a keysigning
> party.

Duh. Excellent solution.