On 4/23/08, Torsten Curdt <[EMAIL PROTECTED]> wrote:
> > The amount of security rigor applied that would cause an unsigned key
> > to be a blocking factor for signing releases would probably also
> > discount the above from being acceptable.
> >
>
> Why is that? I cannot follow that argument
>
--- Torsten Curdt <[EMAIL PROTECTED]> wrote:
> > How would that work logistically? I publish RC
> > artifacts, and once they're voted on, you sign the
> > same artifacts that presumably you personally
> > reviewed? Doesn't that necessarily force us -not- to
> > use the full mvn process?
>
>
The signing key has to be in the KEYS file; the KEYS file is normally
in SVN which implies that the person who updated it has an ASF login.
Indeed ...forgot about that path. I'll shut up then :)
cheers
--
Torsten
On Wed, 2008-04-23 at 09:30 +0100, sebb wrote:
> 2008/4/23 Torsten Curdt <[EMAIL PROTECTED]>:
> >
> > > Risks are mitigated to an arguably acceptable level by wrappering the
> > > entire release process at Apache around the point to point secure
> > > transport guarantee that signing is meant to p
2008/4/23 Torsten Curdt <[EMAIL PROTECTED]>:
>
> > Risks are mitigated to an arguably acceptable level by wrappering the
> > entire release process at Apache around the point to point secure
> > transport guarantee that signing is meant to provide.
> >
>
> That holds only true if you don't use mir
How would that work logistically? I publish RC
artifacts, and once they're voted on, you sign the
same artifacts that presumably you personally
reviewed? Doesn't that necessarily force us -not- to
use the full mvn process?
Indeed - that would mean not using the gpg maven plugin
Let's get h
--- Torsten Curdt <[EMAIL PROTECTED]> wrote:
> > Risks are mitigated to an arguably acceptable level by wrappering the
> > entire release process at Apache around the point to point secure
> > transport guarantee that signing is meant to provide.
>
> That holds only true if you don't use m
Torsten Curdt schrieb:
>> Risks are mitigated to an arguably acceptable level by wrappering the
>> entire release process at Apache around the point to point secure
>> transport guarantee that signing is meant to provide.
>
> That holds only true if you don't use mirrors and people get the
> releas
Risks are mitigated to an arguably acceptable level by wrappering the
entire release process at Apache around the point to point secure
transport guarantee that signing is meant to provide.
That holds only true if you don't use mirrors and people get the
releases directly from us.
I am gene
On 4/21/08, Torsten Curdt <[EMAIL PROTECTED]> wrote:
> On Apr 21, 2008, at 19:29, Rahul Akolkar wrote:
>
> > On 4/21/08, Matt Benson <[EMAIL PROTECTED]> wrote:
> >
> > > Remind me... where do we stand on having released
> > > signed by a key without a web of trust?--I've never
> > > made it to any
--- Rahul Akolkar <[EMAIL PROTECTED]> wrote:
> On 4/21/08, Matt Benson <[EMAIL PROTECTED]> wrote:
> > Remind me... where do we stand on having released
> > signed by a key without a web of trust?--I've never
> > made it to any key-signing events. :(
> >
>
>
> It isn't a problem.
Thanks.
On Apr 21, 2008, at 19:29, Rahul Akolkar wrote:
On 4/21/08, Matt Benson <[EMAIL PROTECTED]> wrote:
Remind me... where do we stand on having released
signed by a key without a web of trust?--I've never
made it to any key-signing events. :(
It isn't a problem.
It isn't?
Happy to do just th
On 4/21/08, Matt Benson <[EMAIL PROTECTED]> wrote:
> Remind me... where do we stand on having released
> signed by a key without a web of trust?--I've never
> made it to any key-signing events. :(
>
It isn't a problem.
-Rahul
--
Remind me... where do we stand on having released
signed by a key without a web of trust?--I've never
made it to any key-signing events. :(
Thanks,
Matt