Hi all, the docs about release management for incubating projects make clear that the release needs to be signed[1] and in the end associated with the project AND the WOT of Apache in general[2].
Is there some way to check what the owner of a PGP key for former releases has done to get his association to the WOT, if any? I would like to understand the needed process better and e.g. found the following: http://pgp.surfnet.nl:11371/pks/lookup?op=vindex&fingerprint=on&search=0x2E114322 Are all those people/keys on this list someone who signed the key I searched for and provided association with the WOT this way? Are the mentioned possibilities in [2] the only way to get such an association to the WOT? I usually don't visit conferences or keysigning parties or such. Am I correct that releases can't be published without such an association to the WOT at all and BEFOREHAND? Else one could sign and publish a release and loose the key afterwards or else and the release would be left without the needed association. Thanks! [1]: http://incubator.apache.org/guides/releasemanagement.html#signing [2]: http://www.apache.org/dev/openpgp.html#apache-wot-link Mit freundlichen Grüßen, Thorsten Schöning -- Thorsten Schöning E-Mail: thorsten.schoen...@am-soft.de AM-SoFT IT-Systeme http://www.AM-SoFT.de/ Telefon...........05151- 9468- 55 Fax...............05151- 9468- 88 Mobil..............0178-8 9468- 04 AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln AG Hannover HRB 207 694 - Geschäftsführer: Andreas Muchow --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
