From: Noah Slater <>
Subject: Re: key signing
Date: Mon, 08 Oct 2012 22:16:34 GMT
Caveat: But I do think that if we do have a key signing guide (and I think
we should) then it should be strict about our standards. (i.e. when and
when not to sign somebody's key. Basic QA on what sort of "trust" we're
trying to build here.)

On Mon, Oct 8, 2012 at 11:15 PM, Noah Slater <> wrote:

> Perhaps not Tomcat, but the entire Foundation and all of its current and
> future projects should be under consideration here. The long and short of
> it is that key signing can't hurt. And a key signing guide certainly can't
> hurt. RMs should feel free to do this, if they are interested in it, and
> users who care about it can take advantage of it, if it interests them. I
> certainly wouldn't want to think that we mandate anything. (You know you
> can't be a Debian developer until you have your key signed by another
> Debian developer? That set me back months. I'm something of a recluse!)
>
> On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies <> wrote:
>> On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater <> wrote:
>> > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <> wrote:
>> >
>> >>
>> >> There's another side to this, which I would derisively label, 'so
>> >> what'? How does it help a user to see that my key is signed by 27 of
>> >> my fellow Apache contributors, if the user has never met any of us,
>> >> and has never met anyone who has met any of us, etc, etc. In other
>> >> words, the Web of Trust only helps users (very much) if they are
>> >> active participants, and likely to have trust links that reach ASF
>> >> release managers.
>> >>
>> >> In my opinion, that's vanishingly unlikely, and so the best we can do
>> >> is to allow users to verify that the signature was, in fact, made by
>> >> the 'Apache hat' that it claimed to be made by. Using the keys in
>> >> KEYS, or the fingerprints from LDAP, seems the best they can do.
>> >>
>> >
>> > To me, this seems like an outright dismissal of the web of trust
>> > because it is "unlikely." Which it is sure to be if everyone dismisses
>> > it. You're right insofar as not a lot of people care. But for the people
>> > that do care, it is very important, and works just great. (Note, I am not
>> > one of those people, though I am "in" the web of trust having been
>> > involved in Debian, which takes it very seriously.) If you are the sort
>> > of person who has a GPG key and gets it signed, then the chances are
>> > that you can establish trust with an RM that does the same.
>>
>> I've been watching PGP from its birth, and I've seen very little
>> evidence of the web of trust growing from geeks like us to the sort of
>> people who download and install Tomcat. If you can offer some
>> counterevidence, I'm all eyes.
>>
>> My personal enthusiasm is for all Apache projects to share a clear
>> recipe for their users to verify downloads. That recipe should work
>> for *every user* and *every release manager*.
>> >
>> > --
>> > NS
> --
> NS
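
The quoted exchange turns on one concrete question: without a web-of-trust path to the release manager, what can a user actually check? Benson's answer is "that the signature was made by the key in KEYS, or matches the fingerprint from LDAP". The script below is an added example of such a recipe; it is not from this thread and not any Apache project's own tooling. It assumes the KEYS file contains the textual `pub` / `Key fingerprint` lines gpg prints ahead of each armored key block, that the user has obtained the full 40-hex-digit fingerprint through a second channel (the LDAP-published fingerprints the thread mentions would do), and that `gpg` is installed. Function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded release against the
# project's KEYS file plus a fingerprint obtained through a second channel.
# Nothing here needs a web-of-trust path to the release manager; the trust
# anchor is the out-of-band fingerprint, and KEYS only supplies the key bytes.
set -eu

# Normalise a fingerprint: drop spaces, upper-case hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# fpr_in_keys EXPECTED < KEYS
# Succeeds only if the full fingerprint appears in the KEYS text. Matching on
# the whole fingerprint, not the 8-digit short key ID from the `pub` line, is
# deliberate: short IDs are cheap to collide, full fingerprints are not.
fpr_in_keys() {
  expected=$(norm_fpr "$1")
  [ ${#expected} -eq 40 ] || return 2          # refuse short IDs outright
  tr -d ' ' | tr 'a-f' 'A-F' |
    grep -qE "(^|[^0-9A-F])${expected}"'([^0-9A-F]|$)'
}

# verify_release ARTIFACT SIGNATURE KEYS EXPECTED_FINGERPRINT
#   1. confirm EXPECTED_FINGERPRINT is in KEYS (catches a swapped KEYS file),
#   2. import KEYS into a throw-away keyring so the user's own ring is untouched,
#   3. verify the detached signature and read the signer's fingerprint from
#      gpg's machine-readable status line (VALIDSIG), then
#   4. require it to equal the expected fingerprint. A signature that merely
#      "verifies" with *some* key in KEYS is not enough: it has to be that key.
verify_release() {
  artifact=$1
  sig=$2
  keys=$3
  expected=$(norm_fpr "$4")
  fpr_in_keys "$expected" < "$keys" ||
    { echo "FAIL: expected fingerprint not in KEYS" >&2; return 1; }
  home=$(mktemp -d)
  trap 'rm -rf "$home"' EXIT
  gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
  status=$(gpg --homedir "$home" --batch --status-fd 1 \
               --verify "$sig" "$artifact" 2>/dev/null || true)
  # VALIDSIG: field 3 is the signing (sub)key fingerprint and the last field
  # the primary key fingerprint; KEYS/LDAP publish the primary, so accept either.
  signer=$(printf '%s\n' "$status" |
           awk '/^\[GNUPG:\] VALIDSIG /{print $3 " " $NF; exit}')
  case " $signer " in
    *" $expected "*) echo "OK: signed by $expected"; return 0 ;;
  esac
  echo "FAIL: not signed by $expected (got: ${signer:-no valid signature})" >&2
  return 1
}

# Usage: sh verify.sh ARTIFACT ARTIFACT.asc KEYS "AAAA BBBB ... (40 hex digits)"
if [ "$#" -eq 4 ]; then
  verify_release "$@"
fi
```

The deliberate detail is the last step: `gpg --verify` alone only tells you the signature matches some key you imported, and a KEYS file can contain dozens of committer keys (or, if fetched over a tampered channel, an attacker's). Comparing the VALIDSIG fingerprint to one you obtained elsewhere is what ties the artifact to the specific "Apache hat" it claims to come from, which is exactly the guarantee Benson describes as the best available to a user with no web-of-trust links.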

