On Mon, Nov 10, 2025, 10:37 Piotr P. Karwasz <[email protected]> wrote:
> Hi Gary,
>
> On 10.11.2025 14:55, Gary Gregory wrote:
> > On Mon, Nov 10, 2025 at 8:22 AM Piotr P. Karwasz
> > <[email protected]> wrote:
> >> Since your key is effectively the authoritative one for Commons, I’d
> >> expect at least the following steps:
> >>
> >> - Signing the new key with your old key (86fdc7e2a11262cb),
> >
> > There is a discussion in the page above "for and against signing the
> > old key with the new".
> > You're suggesting the opposite? I did neither.
>
> The page you linked also instructs to sign the *new* key with the *old*
> one (“Trust the new key” section [1]), but the HTML is malformed:
>
> <h/3 id="sign-new-key">Use the old key to sign the new key
>

Hi Piotr,

Good find! I missed that one. The messed up H3 header doesn't help...

Thank you,
Gary

>
> >> Is there an established procedure for signing code-signing keys?
> >
> > See https://infra.apache.org/key-transition.html#wot
>
> That’s the main issue with the PGP Web of Trust: it recommends security
> practices so strict that, in reality, almost nobody follows them, and
> people end up relying on Trust On First Use instead.
>
> Personally, I’m not interested in verifying the legal identity of any
> PMC member. What matters more to me is a practical verification that the
> new key:
>
> - Was added by someone who has access to the corresponding ASF account
>   (as evidenced by the SVN log, for example),
> - And has some continuity with a previous key: for instance, access to a
>   GPG key that was used to sign commits or releases in the past. It’s
>   easy to add a new GPG key to your ASF account, but it’s hard to use
>   one retroactively. ;-)
>
> Piotr
>
> [1] https://infra.apache.org/key-transition.html#trust-new-key
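A check for the continuity property Piotr describes (the new key carrying a good certification made by the old key), as an added example that is not from this thread or from ASF infra: it parses `gpg --with-colons --check-sigs` output for the new key. The sample output and the new-key fingerprint are constructed placeholders; the old key ID is the one quoted above, and the check only succeeds when the old public key is present in the verifying keyring.

```python
"""Verify that a new OpenPGP key carries a good certification from an old key.

Input is the colon-separated output of `gpg --with-colons --check-sigs <FPR>`
(GnuPG's machine-readable format). Sample data below is constructed.
"""
import subprocess

OLD_KEY_ID = "86FDC7E2A11262CB"  # old key quoted in the thread
NEW_KEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed placeholder

# Constructed sample: the new key's self-signature plus a good ('!')
# certification from the old key.
SAMPLE_GOOD = """\
pub:u:255:22:0123456789ABCDEF01234567:1730000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1730000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
sig:!::22:0123456789ABCDEF01234567:1730000000::::Example Signer <signer@example.invalid>:13x:::::2:
sig:!::1:86FDC7E2A11262CB:1730000100::::Example Signer <signer@example.invalid>:13x:::::2:
"""
# Same key, but the old public key is missing from the keyring, so GnuPG
# reports '?' (cannot verify). A continuity check must treat that as a failure.
SAMPLE_UNVERIFIED = SAMPLE_GOOD.replace("sig:!::1:86FD", "sig:?::1:86FD")


def gpg_check_sigs(fingerprint: str) -> str:
    """Run GnuPG and return its colon output for one key (not used by the tests)."""
    return subprocess.run(["gpg", "--with-colons", "--check-sigs", fingerprint],
                          capture_output=True, text=True, check=True).stdout


def certifications_on_key(colon_output: str, fingerprint: str):
    """Yield (validity, signer_keyid, sig_class) for sig records on the primary
    key whose fpr record matches fingerprint; subkey binding sigs are skipped."""
    in_target = False
    for rec in (line.split(":") for line in colon_output.splitlines() if line):
        if rec[0] in ("pub", "sub"):
            in_target = False            # wait for the fpr record that follows
        elif rec[0] == "fpr" and len(rec) > 9:
            in_target = rec[9].upper() == fingerprint.upper()
        elif rec[0] == "sig" and in_target and len(rec) > 10:
            yield rec[1], rec[4].upper(), rec[10]


def transition_is_certified(colon_output: str, new_fpr: str, old_keyid: str) -> bool:
    """True if the old key made a good (validity '!') certification (class 0x10-0x13)
    on the new key. '?' or '-' signatures never satisfy the check."""
    old = old_keyid.upper()[-16:]
    return any(validity == "!" and signer[-16:] == old and sig_class[:2] in {"10", "11", "12", "13"}
               for validity, signer, sig_class in certifications_on_key(colon_output, new_fpr))
```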
