--On Tuesday, February 18, 2003 12:06 PM -0600 "William A. Rowe, Jr." <[EMAIL PROTECTED]> wrote:

> I agree that was overkill.  However, why put anything on the
> contributors web page?  I believe that information exists right
> there, in the KEYS file, as to who signed a given release, with our
> email address (we only use still-valid email accounts when signing,
> right?)

Because you may be able to contact someone face-to-face who is already in our web of trust rather than the person who signed the release. It doesn't matter if you don't trust the RM directly - as long as you trust someone who trusts the RM.

In short, you don't need to contact the RM directly. You can, but it may not be practical to do face-to-face verification with that person (so, you might resort to telephone verification). But, we have a wide enough geographic dispersal where you may be able to find someone in your area who is willing to do a face-to-face meeting. (In fact, this would *lessen* the load of the RM rather than increase it!)

The reason why I'm concerned about this generally is that mod_python and flood are going to be issuing signed releases soon. Granted their popularity isn't as high as httpd, but they are looking for policy here. It's our obligation to set good verification policy.

-- justin

