incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Noah Slater <>
Subject Re: key signing
Date Mon, 08 Oct 2012 21:18:34 GMT
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <>wrote:

> There's another side to this, which I would derisively label, 'so
> what'? How does it help a user to see that my key is signed by 27 of
> my fellow Apache contributors, if the user has never met any of us,
> and has never met anyone who has met any of us, etc, etc. In other
> words, the Web of Trust only helps users (very much) if they are
> active participants, and likely to have trust links that reach ASF
> release managers.
> In my opinion, that's vanishingly unlikely, and so the best we can do
> is to allow users to verify that the signature was, in fact, made by
> the 'Apache hat' that it claimed to be made by. Using the keys in
> KEYS, or the fingerprints from LDAP, seems the best they can do.

To me, this seems like an outright dismissal of the web of trust because it
is "unlikely." Which it is sure to be if everyone dismisses it. You're
right in so much as not a lot of people care. But for the people that do
care, it is very important, and works just great. (Note, I am not one of
those people, though I am "in" the web of trust having been involved in
Debian, which takes it very seriously.) If you are the sort of person who
has a GPG key and get's it signed, then the chances are that you can
establish trust with an RM that does the same.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message