incubator-general mailing list archives

From Thorsten Schöning <tschoen...@am-soft.de>
Subject Code signing and WOT for releases
Date Tue, 26 Jul 2016 07:19:59 GMT
Hi all,

the docs about release management for incubating projects make clear
that the release needs to be signed[1] and in the end associated with
the project AND the WOT of Apache in general[2].

Is there some way to check what the owner of a PGP key for former
releases has done to get his association to the WOT, if any? I would
like to understand the needed process better and e.g. found the
following:

http://pgp.surfnet.nl:11371/pks/lookup?op=vindex&fingerprint=on&search=0x2E114322

Are all those people/keys on this list someone who signed the key I
searched for and provided association with the WOT this way?

Are the mentioned possibilities in [2] the only way to get such an
association to the WOT? I usually don't visit conferences or
keysigning parties or such.

Am I correct that releases can't be published without such an
association to the WOT at all and BEFOREHAND? Else one could sign and
publish a release and lose the key afterwards or else and the release
would be left without the needed association.

Thanks!

[1]: http://incubator.apache.org/guides/releasemanagement.html#signing
[2]: http://www.apache.org/dev/openpgp.html#apache-wot-link

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow

