Daniel Shahaf wrote on 05.10.2012 at 15:15:
> Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400:
>> Alternatively, since the chain is CLA -> svn access -> unsigned key in
>> svn, perhaps all we really need is to document that a signature
>> corresponding to a key in svn is really good enough, and users need
>> not be concerned further.
>>
>
> Downloading keys from https://www.apache.org/dist/ or
> https://people.apache.org/keys/ is good enough for users who
> trust root@ and Thawte.

A few days ago, I learned from a mail on this list that it was OK to participate in the Apache community using only a pseudonym. The question is, how far does this go? May releases be signed with keys belonging to a pseudonym?

PGP/GPG's concept in general is that keys contain their owner's real name. If releases may be signed under pseudonyms, then, if I understood the Apache pseudonym rules right, the only one who would be able to sign such a key is secretary@, since it's the only one who knows the pseudonym's real identity.

Regards
Florian