incubator-general mailing list archives

From Upayavira
Subject Re: Key signing for shindig packages.
Date Mon, 05 Oct 2009 10:27:36 GMT
On Sat, 2009-10-03 at 16:43 +0800, Niclas Hedhman wrote:
> On Sat, Oct 3, 2009 at 3:34 AM, Paul Lindner wrote:
> > Hi,
> > Over in the shindig podling we've been working on our 1.1 release. During
> > the voting process it was mentioned that my gpg key is not part of the
> > apache web of trust.
> >
> > * We have the +1s for shindig-1.1-BETA3, does this signature problem
> > disqualify the release?
> IMHO, No it doesn't. What you should ensure is that the key used for
> the signing is both committed to the SVN, uploaded to (and
> other if possible) and that the fingerprint is published on the
> official website.
> > * I'd appreciate any/all help getting my gpg key signed by the proper people
> > so we can get a release out asap -- this 1.1 release has been a long time
> > coming.  Once we get over this hurdle we feel we'll be close to graduating.
> Cross-signing of keys should happen in person, where identity can be
> ensured. If there are people you know really well, a phone call where
> the other part can recognize your voice, preferably being the one
> calling you up on a well-known phone number, to transfer the
> fingerprint info...

Ensure that some of you get to ApacheCon. I don't believe it is too far
away from you. Worst case, you might be able to get some folks there to
sign your key even if you don't attend the actual conference itself.

Does it disqualify this release? No. The signed key is to validate
authenticity of an Apache release. Right now, I'd say we're more
concerned about the podling being able to produce decent releases. So
long as the release has all the bits in the right places, that is
enough. However, getting keys signed is a good thing to do in
preparation for ongoing (esp post graduation) releases.

