Ahhh... verification between project RMs of one another's tarballs?

Then don't plug this into KEYS and raise awareness (our workload)
to insurmountable levels.  Let's start a wiki^H^H^H^Hdoc page all about
release signatures and PGP.  Explain in a nutshell what is signed, why
it is signed and how trusting joe who trusts sam lets you validate that
sam's signed package is authentic.  KEYS doesn't need to get so dirty,
a simple href will do to the authoritative doc out on www.apache.org/.

And let the reader connect the dots... unless you find several people
under the President's infrastructure committee who will handle the
[EMAIL PROTECTED] mail and do the leg work/flying/faxing/phoning.

But clean this out of our local KEYS file and do all the magic by
reference, so that even stale KEYS checkouts point to the now-
authoritative document (that would also include revoked keys to
avoid, et al. :-)

Bill

At 12:30 PM 2/18/2003, Justin Erenkrantz wrote:
>--On Tuesday, February 18, 2003 12:06 PM -0600 "William A. Rowe, Jr." 
><[EMAIL PROTECTED]> wrote:
>
>>I agree that was overkill.  However, why put anything on the
>>contributors web page?  I believe that information exists right
>>there, in the KEYS file, as to who signed a given release, with our
>>email address (we only use still-valid email accounts when signing,
>>right?)
>
>Because you may be able to contact someone face-to-face who is already in our web of 
>trust rather than the person who signed the release.  It doesn't matter if you don't 
>trust the RM directly - as long as you trust someone who trusts the RM.
>
>In short, you don't need to contact the RM directly.  You can, but it may not be 
>practical to do face-to-face verification with that person (so, you might resort to 
>telephone verification).  But, we have a wide enough geographic dispersal where you 
>may be able to find someone in your area who is willing to do a face-to-face meeting. 
>(In fact, this would *lessen* the load of the RM rather than increase it!)
>
>The reason why I'm concerned about this generally is that mod_python and flood are 
>going to be issuing signed releases soon.  Granted their popularity isn't as high as 
>httpd, but they are looking for policy here.  It's our obligation to set good 
>verification policy. -- justin
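The web-of-trust reasoning Bill asks to have documented and Justin describes (trusting joe who trusts sam lets you accept sam's signed tarball), as an added example that is not part of this thread or of any Apache code: a toy model, in Python, of the classic GnuPG trust calculation applied to a release signature. Every key id, name and trust assignment below is constructed for illustration; the three constants mirror GnuPG's documented defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5). The model deliberately also rejects keys that are revoked or missing from the project's KEYS listing, which is the "stale KEYS" hazard raised above.

```python
"""Toy model of the PGP web of trust behind release-signature verification.

Simplified version of GnuPG's classic trust model: a key becomes *valid*
(we believe it really belongs to the person named on it) if it is certified
by our own ultimately trusted key, by one valid key whose owner we trust
fully, or by three valid keys whose owners we trust marginally, within a
bounded certification depth.  A release signature is accepted only if the
signing key is valid, is listed in the project's KEYS file and is not revoked.

All key ids, names and trust levels here are constructed for illustration.
"""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"
COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


@dataclass
class Keyring:
    # subject key id -> set of key ids that have certified (signed) it
    certifications: dict = field(default_factory=dict)
    # key id -> how much we trust its OWNER to certify other people's keys
    ownertrust: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def certify(self, signer: str, subject: str) -> None:
        self.certifications.setdefault(subject, set()).add(signer)

    def valid_keys(self) -> dict:
        """Return {key id: certification depth at which it became valid}."""
        valid = {k: 0 for k, t in self.ownertrust.items()
                 if t == ULTIMATE and k not in self.revoked}
        for depth in range(1, MAX_CERT_DEPTH + 1):
            newly = {}
            for subject, signers in self.certifications.items():
                if subject in valid or subject in self.revoked:
                    continue
                full = marginal = 0
                for s in signers:
                    # only keys that are themselves valid (and live) can vouch
                    if s not in valid or s in self.revoked:
                        continue
                    t = self.ownertrust.get(s, UNKNOWN)
                    if t in (ULTIMATE, FULL):
                        full += 1
                    elif t == MARGINAL:
                        marginal += 1
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    newly[subject] = depth
            if not newly:
                break          # nothing new became valid; trust has converged
            valid.update(newly)
        return valid


def check_release_signature(keyring: Keyring, keys_file: set, signer: str) -> str:
    """Decide whether to accept a tarball whose .asc was made by `signer`.

    `keys_file` is the set of key ids published in the project's KEYS file.
    The cryptographic signature check itself is assumed to have passed; this
    function answers the separate question of whether the key can be trusted.
    """
    if signer not in keys_file:
        return "REJECT: signing key not in project KEYS file"
    if signer in keyring.revoked:
        return "REJECT: signing key is revoked"
    if signer not in keyring.valid_keys():
        return "UNTRUSTED: no trust path from your key to the signer"
    return "OK: signer validated through your web of trust"


def build_example():
    """Constructed keyring: I met joe, joe met sam (the RM), I never met sam."""
    kr = Keyring()
    kr.ownertrust["ME"] = ULTIMATE   # my own key
    kr.ownertrust["JOE"] = FULL      # verified face to face; I trust his signing
    kr.ownertrust["ANN"] = MARGINAL  # verified, but only marginal owner trust
    kr.ownertrust["BOB"] = MARGINAL
    kr.certify("ME", "JOE")          # I signed joe's key
    kr.certify("JOE", "SAM")         # joe signed sam's key: joe -> sam path
    kr.certify("ME", "ANN")
    kr.certify("ME", "BOB")
    kr.certify("ANN", "PAT")         # pat has only two marginal vouchers,
    kr.certify("BOB", "PAT")         # short of MARGINALS_NEEDED
    kr.certify("JOE", "OLD")         # a key that has since been revoked
    kr.revoked.add("OLD")
    keys_file = {"SAM", "PAT", "OLD"}  # what a (possibly stale) KEYS file lists
    return kr, keys_file


if __name__ == "__main__":
    kr, keys_file = build_example()
    for who in ("SAM", "PAT", "OLD", "MALLORY"):
        print(f"{who:8} {check_release_signature(kr, keys_file, who)}")
```

SAM is accepted even though I never verified his key myself, because a path of certifications runs from my key through a fully trusted owner; PAT is not, because two marginal vouchers do not meet the threshold; OLD is refused regardless of its history once it is revoked, which is why the authoritative key document Bill wants should carry revocations too.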

