Apache Web of Trust is pretty much an 'ultimate' signature. However, releases are not that strict. The KEYS file needs to exist in SVN (which indicates some level) and should also be published on river.apache.org for people to check. You should also have the key uploaded to a PGP key server, such as pgp.mit.edu. While you are at it, choose the strongest key length possible, since extrapolation shows that 1024-bit keys will be reasonably breakable quite soon.
One way to get into the Apache Web of Trust (other than F2F) is to validate authenticity from one to the other via phone/SMS. That holds extra true for Tom, whose details are on record at ASF. And Peter, there are other ASFers in Australia. Don't know exactly where you are, but I wouldn't be surprised if you'll find someone nearby. If you get counter-signed with those, and one of these travels to a conference or otherwise gets into the larger cloud, you will be pulled in passively.

Cheers
Niclas

On Mon, May 23, 2011 at 2:46 AM, Peter Firmstone <[email protected]> wrote:
> Patricia Shanahan wrote:
>>
>> On 5/21/2011 4:21 AM, Peter Firmstone wrote:
>> ...
>>>
>>> 4. Have all committers add their signatures to the Keys file.
>>
>> ...
>>
>> Do I need to get into the Apache web of trust? If so, any suggestions for
>> how to do it? I live in San Diego, but will be in London for a couple of
>> weeks later in the year.
>>
>> Patricia
>>
>
> To get into the Apache web of trust, you'll need to attend one of the Apache
> Developer events like ApacheCon and take your key along on a USB stick. I'm
> a long way from any events, so it hasn't been practical for me to join it,
> but that didn't appear to be a problem with the release.
>
> Peter.
>

--
Niclas Hedhman, Software Developer
http://www.qi4j.org - New Energy for Java

I live here; http://tinyurl.com/3xugrbk
I work here; http://tinyurl.com/24svnvk
I relax here; http://tinyurl.com/2cgsug
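The key-length point above can be turned into a check a release manager runs over the project's KEYS file before publishing it. The script below is an added example, not code from the River project or this thread; it parses the `pub` header lines that gpg writes above each armored key block in a KEYS file and flags primary keys whose modulus is below a hypothetical 2048-bit policy. The sample KEYS content and key ids are constructed.

```python
"""Audit key lengths in an Apache-style KEYS file (added example; keys below are constructed).

gpg writes a `pub` header above each armored block in one of two shapes, both handled:
  older gpg:  pub   1024D/CAFE0001 2003-10-23
  newer gpg:  pub   rsa4096 2015-03-01 [SC]   (full fingerprint on the next line)
"""
import re

OLD_PUB = re.compile(r"^pub\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-Fa-f]{8,16})\s+(?P<created>\d{4}-\d{2}-\d{2})")
NEW_PUB = re.compile(r"^pub\s+(?P<algo>rsa|dsa|elg|ed25519|cv25519|nistp256|nistp384|nistp521)(?P<bits>\d+)?\s+(?P<created>\d{4}-\d{2}-\d{2})")
FPR = re.compile(r"^\s+(?P<fpr>[0-9A-Fa-f]{40})\s*$")
OLD_ALGO = {"D": "dsa", "R": "rsa", "g": "elg"}      # single-letter algorithm codes of older gpg
CURVE_ALGOS = {"ed25519", "cv25519", "nistp256", "nistp384", "nistp521"}
MIN_BITS = 2048   # hypothetical project policy for RSA/DSA/ElGamal moduli

SAMPLE_KEYS = """\
pub   1024D/CAFE0001 2003-10-23
uid                  First Committer (constructed) <first@example.invalid>
sub   2048g/CAFE0002 2003-10-23
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
pub   rsa4096 2015-03-01 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
uid           [ultimate] Second Committer (constructed) <second@example.invalid>
"""


def parse_keys(text):
    """Return one dict per primary key (`pub` line): algo, bits, keyid, created."""
    keys, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = OLD_PUB.match(line)
        if m:
            keys.append({"algo": OLD_ALGO.get(m["algo"], m["algo"].lower()), "bits": int(m["bits"]),
                         "keyid": m["keyid"].upper(), "created": m["created"]})
            continue
        m = NEW_PUB.match(line)
        if m:
            fpr = FPR.match(lines[i + 1]) if i + 1 < len(lines) else None   # fingerprint follows the pub line
            keys.append({"algo": m["algo"], "bits": int(m["bits"]) if m["bits"] else None,
                         "keyid": fpr["fpr"][-16:].upper() if fpr else None, "created": m["created"]})
    return keys


def weak_keys(keys, min_bits=MIN_BITS):
    """Primary keys below the policy size; curve keys have a fixed strength and are never flagged."""
    return [k for k in keys
            if k["algo"] not in CURVE_ALGOS and (k["bits"] is None or k["bits"] < min_bits)]
```

Run it over a real file with `weak_keys(parse_keys(open("KEYS").read()))`; only the `pub` headers are inspected, so the armored blocks themselves are never parsed.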
