incubator-general mailing list archives

From Benson Margulies <>
Subject Re: key signing
Date Mon, 08 Oct 2012 22:18:38 GMT
On Mon, Oct 8, 2012 at 6:15 PM, Noah Slater <> wrote:
> Perhaps not Tomcat, but the entire Foundation and all of its current and
> future projects should be under consideration here. The long and short of
> it is that key signing can't hurt. And a key signing guide certainly can't
> hurt. RMs should feel free to do this, if they are interested in it, and
> users who care about it can take advantage of it, if it interests them. I
> certainly wouldn't want to think that we mandate anything. (You know you
> can't be a Debian developer until you have your key signed by another
> Debian developer? That set me back months. I'm something of a recluse!)

I'm absolutely not opposed to key signing.

I am somewhat opposed to presenting 'look at the signature(s)' as a
very prominent verification option on a page aimed at users.

I am very much in favor of streamlining and describing alternatives
that avoid the need for the user to be a WoT participant, such as
taking advantage of KEYS files and the like.

> On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies <> wrote:
>> On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater <> wrote:
>> > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <> wrote:
>> >
>> >>
>> >> There's another side to this, which I would derisively label, 'so
>> >> what'? How does it help a user to see that my key is signed by 27 of
>> >> my fellow Apache contributors, if the user has never met any of us,
>> >> and has never met anyone who has met any of us, etc, etc. In other
>> >> words, the Web of Trust only helps users (very much) if they are
>> >> active participants, and likely to have trust links that reach ASF
>> >> release managers.
>> >>
>> >> In my opinion, that's vanishingly unlikely, and so the best we can do
>> >> is to allow users to verify that the signature was, in fact, made by
>> >> the 'Apache hat' that it claimed to be made by. Using the keys in
>> >> KEYS, or the fingerprints from LDAP, seems the best they can do.
>> >>
>> >
>> > To me, this seems like an outright dismissal of the web of trust because it
>> > is "unlikely." Which it is sure to be if everyone dismisses it. You're
>> > right in so much as not a lot of people care. But for the people that do
>> > care, it is very important, and works just great. (Note, I am not one of
>> > those people, though I am "in" the web of trust having been involved in
>> > Debian, which takes it very seriously.) If you are the sort of person who
>> > has a GPG key and gets it signed, then the chances are that you can
>> > establish trust with an RM that does the same.
>>
>> I've been watching PGP from its birth, and I've seen very little
>> evidence of the web of trust growing from geeks like us to the sort of
>> people who download and install Tomcat. If you can offer some
>> counterevidence, I'm all eyes.
>>
>> My personal enthusiasm is for all Apache projects to share a clear
>> recipe for their users to verify downloads. That recipe should work
>> for *every user* and *every release manager*.
>> >
>> > --
>> > NS
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> --
> NS

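A concrete form of the KEYS-file recipe discussed in this thread, added here as an example; it is not code from the thread or from any Apache project. It assumes the project's KEYS file carries "Key fingerprint =" lines in gpg's own listing format and that the artifact ships with a detached `.asc` signature; verification runs in a throwaway keyring so the user's own web-of-trust state plays no part, and the signing key's primary fingerprint is then checked against the KEYS list.

```shell
#!/bin/sh
# Added example (not from the thread or any Apache project): verify a release
# download against a project KEYS file, without depending on the web of trust.
# Assumptions: KEYS carries "Key fingerprint = ..." lines in gpg's own listing
# format, and the artifact ships with a detached ".asc" signature.

# Print every fingerprint listed in KEYS file $1, normalised to 40 upper-case
# hex digits with the display spaces removed.
keys_fingerprints() {
  grep -i 'Key fingerprint' "$1" | sed 's/.*=//; s/ //g' | tr 'a-f' 'A-F'
}

# Exit 0 if fingerprint $1 (any spacing or case) is listed in KEYS file $2.
fpr_in_keys() {
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  keys_fingerprints "$2" | grep -qx "$want"
}

# Verify artifact $1 against detached signature $2 using only the keys in
# KEYS file $3. A throwaway GNUPGHOME keeps the user's own keyring and trust
# database out of the decision: the KEYS file is the trust anchor here.
verify_release() {
  artifact=$1; sig=$2; keys=$3
  home=$(mktemp -d) || return 1
  GNUPGHOME="$home" gpg --batch --quiet --import "$keys" 2>/dev/null ||
    { rm -rf "$home"; return 1; }
  # --status-fd gives machine-readable lines; VALIDSIG appears only when the
  # signature cryptographically checks out (trust level is reported separately,
  # and an unknown-trust key still yields exit status 0 and VALIDSIG).
  status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null)
  rc=$?
  rm -rf "$home"
  # Last field of the VALIDSIG line is the primary key fingerprint, which is
  # what KEYS lists even when a signing subkey made the signature.
  primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
  [ "$rc" -eq 0 ] && [ -n "$primary" ] && fpr_in_keys "$primary" "$keys"
}

# Usage (file names are placeholders):
#   verify_release apache-foo-1.0.tar.gz apache-foo-1.0.tar.gz.asc KEYS
```

Because the check is against KEYS rather than against the user's trust database, it is only as good as the channel KEYS was fetched over, so the file should come from the project's own https site rather than from the mirror serving the artifact.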
