On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <bimargul...@gmail.com> wrote:
> There's another side to this, which I would derisively label, 'so
> what'? How does it help a user to see that my key is signed by 27 of
> my fellow Apache contributors, if the user has never met any of us,
> and has never met anyone who has met any of us, etc, etc. In other
> words, the Web of Trust only helps users (very much) if they are
> active participants, and likely to have trust links that reach ASF
> release managers.
>
> In my opinion, that's vanishingly unlikely, and so the best we can do
> is to allow users to verify that the signature was, in fact, made by
> the 'Apache hat' that it claimed to be made by. Using the keys in
> KEYS, or the fingerprints from LDAP, seems the best they can do.
>

To me, this seems like an outright dismissal of the web of trust because it is "unlikely." Which it is sure to be if everyone dismisses it. You're right in so much as not a lot of people care. But for the people that do care, it is very important, and works just great. (Note, I am not one of those people, though I am "in" the web of trust having been involved in Debian, which takes it very seriously.)

If you are the sort of person who has a GPG key and gets it signed, then the chances are that you can establish trust with an RM that does the same.

-- NS
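The "verify against KEYS or the LDAP fingerprints" check that Benson describes is easy to get wrong in practice: a plain `gpg --verify` reports a good signature as long as *some* key in the local keyring made it, and prints only a warning when that key is outside your web of trust. The script below is an added example, not code from this thread or from the ASF; it pins the fingerprints extracted from a KEYS file and accepts a release only when gpg's machine-readable `VALIDSIG` status line names one of them. The KEYS excerpt, the gpg status output and the fingerprints are all constructed sample data.

```python
"""
Verify a release signature against fingerprints pinned from a KEYS file,
instead of trusting whatever key happens to sit in the local keyring.

Added example (not from the mailing-list thread or any Apache project).
Assumes the real check is run as:
    gpg --import KEYS
    gpg --batch --status-fd 1 --verify artifact.asc artifact
and that the KEYS file is in the usual `gpg --fingerprint` layout.
"""
import re
import subprocess
from typing import Set, Tuple

# Constructed KEYS excerpt; the fingerprint is a sample value, not a real key.
SAMPLE_KEYS = """\
pub   4096R/89ABCDEF 2012-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Release Manager <rm@example.org>
sub   4096R/01234567 2012-01-01
"""

# Constructed gpg --status-fd output for a good signature by the key above.
# Note TRUST_UNDEFINED: the key is not in the verifier's web of trust, which is
# exactly the situation the thread discusses; the pinned fingerprint stands in.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-10-08 1349730000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a perfectly valid signature, but from a key that is NOT in KEYS
# (an attacker shipping their own artifact, .asc and public key).
SAMPLE_STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Somebody Else <x@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2012-10-08 1349730000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the artifact was modified after signing.
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Release Manager <rm@example.org>
"""

_FPR_LINE = re.compile(r"fingerprint\s*=\s*([0-9A-Fa-f ]+)$")


def fingerprints_from_keys(keys_text: str) -> Set[str]:
    """Collect the 40-hex-digit fingerprints listed in a KEYS file.
    The KEYS file itself must come over a channel you already trust
    (the project's canonical HTTPS site), otherwise pinning is meaningless."""
    found = set()
    for line in keys_text.splitlines():
        m = _FPR_LINE.search(line)
        if m:
            fpr = m.group(1).replace(" ", "").upper()
            if len(fpr) == 40:
                found.add(fpr)
    return found


def verify_status(status_output: str, pinned: Set[str]) -> Tuple[bool, str]:
    """Decide from gpg's status lines whether the signature is good AND made by
    a pinned key. VALIDSIG carries the signing (sub)key fingerprint as its first
    field and, in modern gpg, the primary key fingerprint as the tenth."""
    seen = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "BADSIG":
            return False, "signature does not match the artifact"
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            seen.append(parts[2].upper())
            if len(parts) >= 12:
                seen.append(parts[11].upper())  # primary key fingerprint
    if not seen:
        return False, "gpg reported no valid signature"
    matched = [f for f in seen if f in pinned]
    if not matched:
        return False, "valid signature, but signing key %s is not in KEYS" % seen[0]
    return True, "signed by pinned key " + matched[0]


def verify_release(artifact: str, signature: str, pinned: Set[str],
                   gpg: str = "gpg") -> Tuple[bool, str]:
    """Run gpg on real files (KEYS already imported) and apply the pinned check."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return verify_status(proc.stdout, pinned)


if __name__ == "__main__":
    pinned = fingerprints_from_keys(SAMPLE_KEYS)
    for name, status in [("good", SAMPLE_STATUS_GOOD),
                         ("wrong key", SAMPLE_STATUS_WRONG_KEY),
                         ("tampered", SAMPLE_STATUS_BAD)]:
        print(name, verify_status(status, pinned))
```

The point of the second sample is the one the thread circles around: without a web-of-trust path to the release manager, gpg cannot tell you the key is the right one, so the fingerprint comparison against KEYS (or LDAP) is the check that actually carries the weight, and a verifier that only looks for "Good signature" has not done it.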