incubator-general mailing list archives

From Nick Kew <>
Subject Re: Code signing and WOT for releases
Date Tue, 26 Jul 2016 09:24:47 GMT
On Tue, 2016-07-26 at 09:19 +0200, Thorsten Schöning wrote:
> Hi all,
> the docs about release management for incubating projects make clear
> that the release needs to be signed[1] and in the end associated with
> the project AND the WOT of Apache in general[2].

I don't like that term "the WOT of Apache in general", with its
implied suggestion that an Apache WoT might differ from AN Other.
Even if a private Apache WoT were a reality, how would that help
our users verify our releases?  Surely the WoT we should be
concerned with is the Strong Set that unifies Geekdom at large.
Yes, also the project's KEYS and, but that's
a separate issue to the WoT!

In terms of instructions I can't improve on Mark's reply.
I would add that it's not entirely unprecedented to sign a
release with a key that can't be verified in the Strong Set,
but you should make all efforts to avoid that.  A key that
can't be verified adds no more security than an MD5 checksum.

Nick Kew
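The point above, that a signature from a key nobody can vouch for is no better than a checksum, is easy to miss in practice because gpg prints "Good signature" for an unverified key too. As an added example (not from this thread or from any Apache project), this POSIX shell script gates a release on gpg's machine-readable status lines, requiring the signing key's fingerprint to match the one from the project's KEYS file and its WoT validity to be full or ultimate. It assumes the KEYS file was imported beforehand with `gpg --import KEYS`; the key, fingerprint and status lines below are constructed.

```shell
#!/bin/sh
# evaluate_status STATUS_TEXT EXPECTED_FPR
# Reads "gpg --status-fd 1 --verify" output. Prints "accept" or
# "reject: <reason>"; returns 0 only on accept.
evaluate_status() {
    status="$1"; expected_fpr="$2"
    goodsig=0; fpr=""; trust="none"
    while IFS= read -r line; do
        set -- $line                      # $1="[GNUPG:]", $2=keyword, rest=args
        [ "${1:-}" = "[GNUPG:]" ] || continue
        case "${2:-}" in
            BADSIG|ERRSIG|NO_PUBKEY) echo "reject: $2"; return 1 ;;
            GOODSIG)  goodsig=1 ;;        # the bytes match *some* key
            VALIDSIG) fpr="$3" ;;         # full fingerprint of that key
            TRUST_*)  trust="$2" ;;       # validity of that key in the WoT
        esac
    done <<EOF
$status
EOF
    [ "$goodsig" = 1 ] || { echo "reject: no GOODSIG"; return 1; }
    [ "$fpr" = "$expected_fpr" ] || { echo "reject: key $fpr is not in KEYS"; return 1; }
    case "$trust" in
        TRUST_FULLY|TRUST_ULTIMATE) echo "accept"; return 0 ;;
        *) echo "reject: key validity is $trust (unverified key, no better than a checksum)"; return 1 ;;
    esac
}

# verify_release SIGNATURE FILE EXPECTED_FPR -- runs gpg for real (needs gpg installed).
verify_release() {
    out=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    evaluate_status "$out" "$3"
}

# Constructed sample status output (hypothetical key; not a real release).
FPR=0000111122223333444455556666777788889999
SAMPLE_TRUSTED="[GNUPG:] GOODSIG 5555666677778888 Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG $FPR 2016-07-26 1469524800 0 4 0 1 10 00 $FPR
[GNUPG:] TRUST_FULLY 0 pgp"
SAMPLE_UNVERIFIED="[GNUPG:] GOODSIG 5555666677778888 Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG $FPR 2016-07-26 1469524800 0 4 0 1 10 00 $FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

evaluate_status "$SAMPLE_TRUSTED" "$FPR"           # prints "accept"
evaluate_status "$SAMPLE_UNVERIFIED" "$FPR" || :   # prints "reject: key validity is TRUST_UNDEFINED ..."
```

In real use, call `verify_release release.tar.gz.asc release.tar.gz "$FPR"` with the fingerprint taken from the KEYS file, after signing or trusting that key through the Strong Set rather than trusting it blindly.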
