incubator-general mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: status of PGP support in Maven
Date Mon, 15 Sep 2008 18:39:38 GMT

On Sep 15, 2008, at 4:40 PM, William A. Rowe, Jr. wrote:

> Brett Porter wrote:
>> For the releases to be identified as from the incubator, they'll need to be
>> signed solely by "the incubator". Did you want to elaborate on how you
>> anticipated that set up working?
> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
> would sign Jane's key, Jane would RM and sign with her own key, and the web
> of trust satisfies the trust requirement.

Though in general I'd be a bit more inclined towards a derivative of our PGP network into x509 land - and then a solid hierarchy through the PMCs from there (e.g. PGP-signed +1's can be swapped for an x509 signature - but with the 'recall once it has left the ranch' which CRLs give you).
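The signing policy sketched in the quoted exchange (the ASF role key certifies the incubator key, which certifies the release manager's personal key, and only that personal key signs the artifact), together with the revocation point raised in the reply, as an added toy model; this is not code from the thread or from any ASF project, and the key names and certification data are constructed.

```python
"""Added example: model the incubator signing policy as a trust-path check.
Keys and certifications below are constructed, not real ASF data."""
from collections import deque

# Constructed key set. 'role' keys (ASF, incubator) certify other keys
# but must never sign a release artifact directly.
KEYS = {
    "ASF": {"role": True},
    "incubator": {"role": True},
    "jane": {"role": False},      # release manager's personal key
    "mallory": {"role": False},   # personal key with no certification path
}

# Constructed certifications: signer -> set of keys it has signed.
CERTS = {
    "ASF": {"incubator"},
    "incubator": {"jane"},
}


def trust_path(root, target, certs, revoked=frozenset()):
    """Return the certification path root -> ... -> target, or None.
    Revoked keys (the CRL-style recall mentioned in the reply) may not
    appear anywhere on the path."""
    if root in revoked or target in revoked:
        return None
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in certs.get(path[-1], ()):
            if nxt in revoked or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def artifact_signature_ok(signer, keys, certs, root="ASF", revoked=frozenset()):
    """Policy: an artifact must be signed by a personal (non-role) key that
    has a certification path from the trusted root and is not revoked."""
    if signer not in keys or keys[signer]["role"]:
        return False  # role keys never sign artifacts directly
    return trust_path(root, signer, certs, revoked) is not None


if __name__ == "__main__":
    print(trust_path("ASF", "jane", CERTS))                 # ['ASF', 'incubator', 'jane']
    print(artifact_signature_ok("jane", KEYS, CERTS))       # True
    print(artifact_signature_ok("incubator", KEYS, CERTS))  # False: role key
    print(artifact_signature_ok("jane", KEYS, CERTS, revoked={"incubator"}))  # False
```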

