incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Burrell Donkin" <>
Subject Re: status of PGP support in Maven
Date Mon, 15 Sep 2008 18:00:52 GMT
On Mon, Sep 15, 2008 at 3:40 PM, William A. Rowe, Jr.
<> wrote:
> Brett Porter wrote:
>> For the releases to be identified as from the incubator, they'll need to
>> be
>> signed solely by "the incubator". Did you want to elaborate on how you
>> anticipated that set up working?
> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
> would sign Jane's key, Jane would RM and sign with her own key, and the web
> of trust satisfies the trust requirement.

i think that this approach would require a shadow web for incubator keys


alice is an apache committer
alice has key K which is commented "APACHE CODE SIGNING KEY"
alice is elected release manager for incubator podling P
alice would need to create a new key S which is commented "INCUBATOR
alice adds S to an incubator KEYS document

then alice should ensure that S (not K) is the only key used to sign
the release for P

- robert

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message