incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thorsten Schöning <>
Subject Code signing and WOT for releases
Date Tue, 26 Jul 2016 07:19:59 GMT
Hi all,

the docs about release management for incubating projects make clear
that the release needs to be signed[1] and in the end associated with
the project AND the WOT of Apache in general[2].

Is there some way to check what the owner of a PGP key for former
releases has done to get his association to the WOT, if any? I would
like to understand the needed process better and e.g. found the

Are all those people/keys on this list someone who signed the key I
searched for and provided association with the WOT this way?

Are the mentioned possibilities in [2] the only way to get such an
association to the WOT? I usually don't visit conferences or
keysigning parties or such.

Am I correct that releases can't be published without such an
association to the WOT at all and BEFOREHAND? Else one could sign and
publish a release and loose the key afterwards or else and the release
would be left without the needed association.



Mit freundlichen Grüßen,

Thorsten Schöning

Thorsten Schöning       E-Mail:
AM-SoFT IT-Systeme

Telefon...........05151-  9468- 55
Fax...............05151-  9468- 88
Mobil..............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Geschäftsführer: Andreas Muchow

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message