incubator-general mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Sun, 28 Oct 2007 20:56:04 GMT

Some background on the web of trust (wot) that ASF uses for signers  
of code releases is at

You correctly point out that the icla is a binding document in which  
the party signing the document grants certain intellectual property  
rights to the ASF. The signature on this document is not verified to  
be the signature of a real person. It could be anyone. But whoever  
signed the document and commits code under the name in the document  
is assumed to have the authority to do so.

The wot is a different thing. It grants no authority and has no  
inherent rights. The only thing it attempts to guarantee is that the  
real person who is in the wot is the person who is responsible for  
signing the releases.

The primary way the Apache wot is increased is at signing parties  
usually but not necessarily conducted during ApacheCons. A signing  
party can be held any time as long as there are two people who want  
to confirm each other's identity and add to the wot. At least one of  
the people at the signing party is already a member of the wot. If  
only one, then the wot created at the party is connected to the  
Apache wot via one or more "strands of trust" (I made that up).


On Oct 28, 2007, at 12:57 AM, Niclas Hedhman wrote:

> On Sunday 28 October 2007 06:24, Noel J. Bergman wrote:
>> Perhaps we should add some information on getting into the Web of Trust,
>> although that is really a general committer item, not Incubator specific.
>
> I am not very security fluent, and perhaps someone could explain to me:
> what is the difference between being an Apache committer/Member with the
> *signed* ICLA, which indeed is a legal document, and that other ASF folks
> have seen your driver's license (et al) and signed you into the web of trust?
>
> From my perspective, the latter is not legally binding and at the most acts
> as some form of "someone has identified it to be a real person with that
> name"...
>
> FWIW, I think ASF should increase the efforts in the ASF Web of Trust, both
> getting more people engaged (like myself, I can't figure out the practical
> details on how to go about it) as well as tooling support for verifications.
>
> Cheers
> Niclas

Craig Russell
Architect, Sun Java Enterprise System
408 276-5638
P.S. A good JDO? O, Gasp!
