incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: status of PGP support in Maven
Date Mon, 15 Sep 2008 14:40:53 GMT
Brett Porter wrote:
> For the releases to be identified as from the incubator, they'll need to be
> signed solely by "the incubator". Did you want to elaborate on how you
> anticipated that set up working?

With PGP it's a web of trust.  Any ASF-role key would never be used to sign
any artifact.  Ideally, ASF-key would sign incubator key, incubator key
would sign Jane's key, Jane would RM and sign with her own key, and the web
of trust satisfies the trust requirement.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message