incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <>
Subject Re: key signing
Date Mon, 15 Oct 2012 12:46:18 GMT
Now I have a practical problem. I've received email from a committer
on a project. I have met him in person -- some years ago. I helped him
get started at Apache. His fellow PMC members are telling him that
it's *necessary* for him to come up with one or more signatures on his
key to act at an RM.


1) send email to him and his PMC fellows, referencing this thread, as
evidence that key signing is nice but optional.

2) go ahead and sign his key based on simple email. I'm a very bad
paranoid; I'm not interested in the idea that some person out there is
anxious to undermine Apache and has captured one or both or our gmail
accounts, or is acting as an MITM. I have plenty of writing-style
evidence that this email address disgorges communications from him.

3) Engage in some more or less baroque protocol involving skype or
carrier pigeons.

Anyone care to try to tell me what to do? My views are colored by my,
and his, complete disinterest in the WoT outside of its use at Apache,
and my conviction that I do, indeed, know that this key is under the
control of a particular person who signed a CLA and got voted in as a
committer of a particular project.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message