I welcome constructive comments, but we should indicate how we want people to verify our KEYS. We need a statement to this effect.
Justin, could you *please* find a better way to say what you were (rightly) trying to convey about the keys file, below?
The original suggestion was to put a phone number on the contributors web page where we could be reached. I feel direct email is a more appropriate forum. Sending an email to the developers list (dev@httpd) isn't appropriate because the KEYS file serves for the entire project (which consists of many subprojects that can release on their own - flood, mod_python, etc.).
It's a little absurd to try to have folks chasing us down for sigs at home. Don't we all get enough oddball private inquiries?
We could create keys@httpd and people willing to verify keys could subscribe there. (I'd almost suggest using security@httpd.)
Expecting our users to be at conferences is a bit much. It's hard enough to get httpd developers to attend ApacheCon, never mind other conferences.
A much more rational approach would be a resource of 'HTTPD developer meets', a web page where we could *announce* our presence and the opportunity for the users to come to us? (A.C., LinuxWorld, et al?)
*ahem* I have RMed, thank-ya-very-much.
As an RM to one who hasn't RM'ed, you are a bit out of line putting this on each and every RM. I do get very infrequent requests to verify my key, and have the means to do so. It doesn't belong in the KEYS file to put ideas in their heads, however, or I will have to quit doing so even for the ultra paranoid, educated users who deserve the courtesy ;-)
I only said to contact the RM after failing to contact a person in your area. I think it's reasonable, but perhaps a specific verification mailing list would ease your troubled mind? -- justin