incubator-general mailing list archives

From Daniel Shahaf <>
Subject Re: key signing
Date Thu, 11 Oct 2012 20:29:58 GMT
Marvin Humphrey wrote on Thu, Oct 11, 2012 at 11:46:23 -0700:
> On Wed, Oct 10, 2012 at 2:36 PM, Nick Kew <> wrote:
> > On 10 Oct 2012, at 17:04, Marvin Humphrey wrote:
> >
> >> In my opinion, we have sufficient expertise here at the ASF to devise an
> >> authentication protocol whose reliability exceeds that of individuals
> >> participating unsupervised in a web of trust, particularly if the protocol
> >> were to incorporate archived video and auditing by a PMC.
> >
> > That may be, but I don't think general@incubator is the place to develop it.
> The Incubator is where the acute need exists, because we are bootstrapping
> entire communities where no one is linked into the web of trust.
> For existing projects, the longer they've been around, the more likely that a
> significant number of committers have attended an ApacheCon key-signing party
> or otherwise had an opportunity to get their keys signed.  But here, we see
> new RMs all the time who are isolated.  It would be nice if we had some
> systematic way of integrating them.
> In the absence of a formal protocol, suggesting that new RMs go find someone
> to sign their key is unsatisfying, since at least some of the time that's
> likely to mean email contact alone and potentially a tenuous relationship to
> the signer.  The alternative of suggesting that new RMs with a release VOTE
> pending go find a local key-signing party to attend seems unrealistic.

No one said that a release need have only one signature... 

1) RM prepares tarball, signs, uploads for voting
2) voting passes
3) mentor appends his signature to the .asc file
4) artifacts posted to dist/

That solves the problem for end users until the RM attends a keysigning

(for reference, Subversion requires 3+3 signatures for every release)
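The four-step flow above, as an added example that is not part of this thread: a POSIX shell script that creates two throwaway keys standing in for the RM and a mentor, signs a constructed tarball, appends the mentor's detached signature to the same .asc file, and counts the signatures GnuPG reports as good. All user IDs, file names and tarball contents are made up; it assumes GnuPG 2.1 or later (for --quick-generate-key and loopback pinentry).

```shell
#!/bin/sh
# Added example, not from the thread. Requires GnuPG 2.1+.
# All key user IDs, file names and tarball contents below are constructed.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# gpg in non-interactive mode with an empty passphrase (demo keys only).
gpgb() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Throwaway signing keys standing in for the RM and the mentor.
for uid in "RM <rm@example.invalid>" "Mentor <mentor@example.invalid>"; do
    gpgb --quick-generate-key "$uid" ed25519 sign never 2>/dev/null
done

TARBALL="$WORK/podling-1.0-incubating.tar.gz"
ASC="$TARBALL.asc"
printf 'constructed release contents\n' > "$TARBALL"

# 1) RM signs the tarball with a detached, ASCII-armoured signature.
gpgb --local-user rm@example.invalid --armor --detach-sign \
    --output "$ASC" "$TARBALL" 2>/dev/null

# 2) vote passes; the mentor checks the RM's signature before adding his own.
gpg --batch --verify "$ASC" "$TARBALL" 2>/dev/null

# 3) mentor appends a second armoured signature block to the same .asc file.
gpgb --local-user mentor@example.invalid --armor --detach-sign \
    --output - "$TARBALL" >> "$ASC" 2>/dev/null

# Count the signatures GnuPG reports as good for a (possibly multi-signature) .asc.
count_good_sigs() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        grep -c '^\[GNUPG:\] GOODSIG ' || true
}

# 4) what end users see once the artifacts reach dist/: two good signatures.
echo "good signatures on $(basename "$ASC"): $(count_good_sigs "$ASC" "$TARBALL")"
```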
