On 13 October 2014 17:11, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> I suggest that the release manager and anyone else in the KEYS file should
> have added key fingerprints to their Apache profiles at
> <https://id.apache.org/>.
>
> This will have their PGP keys refreshed regularly under their Apache ID at
> <https://people.apache.org/keys/committer/>.
>
> With regard to an identifiable association of the key, presence in this
> manner connects the PGP key to The Apache ID by demonstration of control
> over the committer's Apache profile.
Similar traceability applies if the user adds their key to the KEYS file in
SVN at https://dist.apache.org/repos/dist/release/<TLP>/[path/]KEYS
[This file is required for providing the keys to downloaders]

But no harm in adding the key to LDAP as well.

> One can go farther by adding the user...@apache.org to a User-ID on the key.
> Verifying that one has control over that e-mail address (and all User-IDs)
> is done by registering the public key at the PGP Global Directory service at
> <https://keyserver2.pgp.com/vkd/GetWelcomeScreen.event> and completing the
> ceremony specified there. After the ceremony is completed, you can retrieve
> your counter-signed PGP key from that service and synchronize it to a public
> PGP key server. The ASF will pick it up on a future refresh.
>
> Use of the key from the Apache ID list has certain valuable properties. It is
> not fixed, as in the key files in the project and in distributions. That
> means any additional (web-of-trust) certifications of the key's association
> with a committer are updated automatically. That includes any revocations.

The keys from the ASF ID list also have disadvantages. Keys are used to sign
artifacts for projects, and need to remain available whilst the artifact
remains available. That includes archived artifacts.

> -- Dennis E. Hamilton
> dennis.hamil...@acm.org +1-206-779-9430
> https://keybase.io/orcmid PGP F96E 89FF D456 628A
> X.509 certs used and requested for signed e-mail
>
> -----Original Message-----
> From: Justin Mclean [mailto:jus...@classsoftware.com]
> Sent: Sunday, October 12, 2014 22:29
> To: general@incubator.apache.org
> Subject: Re: [VOTE] Release Apache Calcite 0.9.1 (incubating)
>
> Hi,
>
>> First, the signing key is present in SVN, but has not been uploaded to the
>> standard key-servers, nor has it been signed by anyone.
>
> I found it here:
> https://pgp.mit.edu/pks/lookup?search=Julian+Hyde&op=index
>
> Even if the key is part of a web of trust it may not be part of everyone's
> web of trust. I'd see that as a hard requirement to meet.
>
> Thanks,
> Justin
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
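As an added example (not code from this thread or from the ASF), a small Python check that reads the gpg listings in a project KEYS file and confirms that a release signer's fingerprint is present and bound to an @apache.org User-ID; the key data in it is constructed placeholder text, not real keys.

```python
# Added example: parse the gpg listings that precede each armored key in an
# Apache-style KEYS file and check a release signer's fingerprint against it.
import re

# Constructed sample in the KEYS layout; fingerprints, names and armored
# bodies are placeholders, not real keys.
SAMPLE_KEYS = """\
This file contains the PGP keys of various developers.
pub   4096R/DEADBEEF 2014-08-29
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 DEAD BEEF
uid                  Example Committer <example@apache.org>
sub   4096R/CAFEF00D 2014-08-29
-----BEGIN PGP PUBLIC KEY BLOCK-----
PLACEHOLDER-ARMORED-KEY-BODY
-----END PGP PUBLIC KEY BLOCK-----
pub   2048R/0BADF00D 2012-01-01
      Key fingerprint = AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 0BAD F00D
uid                  Another Person <another@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
PLACEHOLDER-ARMORED-KEY-BODY
-----END PGP PUBLIC KEY BLOCK-----
"""
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")
UID_RE = re.compile(r"^uid\s+(.+?)\s*$", re.MULTILINE)

def normalize_fpr(fpr):
    """Drop spacing and case so 'F96E 89FF' and 'f96e89ff' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def parse_keys(text):
    """Map each primary-key fingerprint to its list of User-IDs. A listing
    ends where its armored block begins, so splitting on the BEGIN marker
    gives one listing per segment; the tail after the last marker is skipped."""
    keys = {}
    for segment in text.split(ARMOR_BEGIN)[:-1]:
        fprs = FPR_RE.findall(segment)
        if fprs:  # the first fingerprint in a listing is the primary key's
            keys[normalize_fpr(fprs[0])] = UID_RE.findall(segment)
    return keys

def check_signer(keys, signer_fpr):
    """None if the signer is absent from KEYS; otherwise its UIDs and whether
    one of them binds the key to an @apache.org address."""
    uids = keys.get(normalize_fpr(signer_fpr))
    if uids is None:
        return None
    return {"uids": uids,
            "apache_uid": any(u.lower().endswith("@apache.org>") for u in uids)}
```

A signer whose fingerprint is missing from KEYS, or whose only User-IDs are non-ASF addresses, is exactly the case the thread is arguing about, so both outcomes are reported rather than treated as one failure.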