incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Niclas Hedhman <>
Subject Re: Key signing for shindig packages.
Date Sat, 03 Oct 2009 08:43:44 GMT
On Sat, Oct 3, 2009 at 3:34 AM, Paul Lindner <> wrote:
> Hi,
> Over in the shindig podling we've been working on our 1.1 release. During
> the voting process it was mentioned that my gpg key is not part of the
> apache web of trust.
> * We have the +1s for shindig-1.1-BETA3, does this signature problem
> disqualify the release?

IMHO, No it doesn't. What you should ensure is that the key used for
the signing is both committed to the SVN, uploaded to (and
other if possible) and that the finger print is published on the
official website.

> * I'd appreciate any/all help getting my gpg key signed by the proper people
> so we can get a release out asap -- this 1.1 release has been a long time
> coming.  Once we get over this hurdle we feel we'll be close to graduating.

Cross-signing of keys should happen in person, where identity can be
ensured. If there are people you know really well, a phone call where
the other part can recognize your voice, preferably being the one
calling you up on a well-known phone number, to transfer the
fingerprint info...

Niclas Hedhman, Software Developer - New Energy for Java

I  live here;
I  work here;
I relax here;

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message