I've read this entire thread (whew!), and would actually like to throw out a contrary position:
No signed keys. Consider: releases come from the ASF, not a person. The RM builds the release artifacts and checks them into version control along with hash "checksums". Other PMC members validate the artifacts for release criteria and matching checksums, voting +1 via version control. All of the above is done via authenticated ASF accounts.

The above establishes an ASF release. Please explain how "keys" are needed for this ASF release?

Consumers are already told to verify the SHA1 and nothing more. I doubt any more is needed.

(assume secure Infrastructure)

Cheers,
-g

On Oct 5, 2012 5:04 AM, "Benson Margulies" <bimargul...@gmail.com> wrote:
> I'm offering this discussion here, but it might need to go elsewhere
> if it goes anywhere at all.
>
> It seems to me that there is a gap in the incubation process, and
> I don't know how to fill it.
>
> As far as I can see, we don't do anything to facilitate or encourage
> getting PGP keys signed. We tell people to create a key and put it in
> the SVN 'keys' file.
>
> Key signing strikes me as a bit of a conundrum for us. In all other
> respects, we emphasize that anyone, anywhere, in any time zone, can be
> a full member of a community. However, key signing requires something
> else. [1] Generally, it requires a face-to-face interaction.
>
> It is perhaps interesting to note that the foundation accepts CLAs as
> legally binding without any face-to-face identity verification. If you
> send in a CLA with a signature, we believe it, and we believe that the
> email address you provide is, in fact, controlled by the legal person
> who signed the form.
>
> I wonder, then, if secretary@ should be willing to sign a key.
> Alternatively, since the chain is CLA -> svn access -> unsigned key in
> svn, perhaps all we really need is to document that a signature
> corresponding to a key in svn is really good enough, and users need
> not be concerned further.
>
> [1]: http://httpd.apache.org/dev/verification.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
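As an added illustration of the consumer-side step both messages refer to (checking a downloaded artifact against the published SHA1), here is a small verifier. It is not code from this thread or from the ASF; it assumes the checksum file uses the sha1sum/sha256sum layout ("<hexdigest>  <filename>"), and the artifact name and contents it builds are constructed for the demonstration.

```python
"""Verify a downloaded release artifact against its published checksum file.

Added example, not code from the thread or from the ASF. It assumes the
checksum file uses the sha1sum/sha256sum layout ("<hexdigest>  <filename>");
the artifact name and contents below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def parse_checksum_file(text):
    """Map filename -> lowercase hex digest from sha1sum-style lines.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (the binary-mode marker some tools emit) is tolerated.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no filename, so nothing to verify
        digest, name = parts
        entries[name.lstrip("*").strip()] = digest.lower()
    return entries


def digest_file(path, algorithm):
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(artifact_path, checksum_path, algorithm="sha1"):
    """True only if the checksum file names this artifact and its digest matches.

    A checksum file that does not list the artifact proves nothing about it,
    so a missing entry is treated as a failure rather than a pass.
    """
    with open(checksum_path, encoding="utf-8") as f:
        entries = parse_checksum_file(f.read())
    expected = entries.get(os.path.basename(artifact_path))
    if expected is None:
        return False
    actual = digest_file(artifact_path, algorithm)
    # constant-time comparison: not strictly needed for a public digest,
    # but the right habit whenever two hex strings are compared for equality
    return hmac.compare_digest(actual, expected)


def demo():
    """Build a constructed artifact plus checksum file, verify, then corrupt it."""
    with tempfile.TemporaryDirectory() as d:
        name = "example-incubating-1.0-src.tar.gz"  # constructed, not a real release
        artifact = os.path.join(d, name)
        with open(artifact, "wb") as f:
            f.write(b"constructed release payload\n" * 1000)
        with open(artifact + ".sha1", "w", encoding="utf-8") as f:
            f.write("%s  %s\n" % (digest_file(artifact, "sha1"), name))
        clean = verify_artifact(artifact, artifact + ".sha1")
        # flip one bit, as a corrupted download would look to the verifier
        with open(artifact, "r+b") as f:
            f.seek(10)
            b = f.read(1)
            f.seek(10)
            f.write(bytes([b[0] ^ 0x01]))
        corrupted = verify_artifact(artifact, artifact + ".sha1")
        return clean, corrupted


if __name__ == "__main__":
    print(demo())  # (True, False)
```

What this check establishes is integrity: the bytes on disk are the bytes whose digest was published. Whether that digest can be trusted to describe the ASF's release depends on how the checksum itself reached the consumer, which is exactly where the two positions in the thread differ: one relies on the checksum having been committed and voted on through authenticated ASF accounts, the other on a PGP signature whose key the consumer can trace back to the project.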