incubator-general mailing list archives

From robert burrell donkin <>
Subject Re: Request for graduation
Date Wed, 21 Jan 2004 20:56:56 GMT
On 21 Jan 2004, at 10:41, Jochen Wiedmann wrote:


> * The developers PGP keys aren't part of any web of trust. Mainly an
>   issue of physical separation between the developers.

interesting requirement, this one.

IIRC at the last count i was the biggest offender at apache for this 
(in terms of isolated releases: releases that i've signed with a 
signature that is isolated).

IIRC the consensus is that only face-to-face meetings are really the 
only method good enough to establish trust but i don't think i've ever 
knowingly met another apache committer face-to-face. i'm not really 
sure how (at the moment) the incubator expects the incubatees to meet 
this requirement (at least before apache gets that key manager up and 

maybe what would be enough is that all developers have OpenPGP 
compatible keys with public keys uploaded to public servers with 
fingerprints publicly available from the ASF infrastructure (maybe on a 
public ASF web page). of course, this last bit might be a bad plan 
since some might say the ASF would be vouching for the authenticity of 
the fingerprints...

- robert
