as you are probably aware Apache releases must be signed. I do have
a code-signing key but, because of the weaknesses found in SHA-1 [1], it
is now obsolete. So I created a new, stronger one, and I now have to add
it to the web of trust.

See [2] for explanations about the web of trust. In short, this is a way
to ensure that a key actually belongs to the person it claims, without
having met that person. That allows you to increase your confidence that
a signed artefact you are downloading has not been tampered with and was
created by the right people. For a graphical representation of the web
of trust at Apache, see here:
http://people.apache.org/~henkp/trust/apache.html

In order to build a web of trust I thought that maybe we could organise
a virtual key signing party, over Skype or Google Hangout, among the XML
Graphics committers.

It’s fairly simple and quite fun. You have to send me beforehand the
public fingerprint of your key. It can be generated e.g. like this:
$ gpg --fingerprint vhennebert
pub   4096R/72FA275A 2014-07-22
      Key fingerprint = 492F E32D 853F 1081 FF58  66F5 EF6D 31C7 72FA 275A

During the signing party, we will check that all the fingerprints are
correct. Then, each of us will show their ID to the webcam, for others
to check they are talking to the right person.

And that’s it. After the meeting, each of us can download the others’
keys from a key server, check that the fingerprint matches what was
presented during the party (this is important!), sign and upload the
key. See [3] for more details.
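To illustrate the "check that the fingerprint matches" step, here is an added example (not part of Vincent's mail and not an Apache tool). It parses the output of `gpg --fingerprint` for keys fetched after the party, compares each full 40-hex-digit fingerprint against the list of fingerprints sent in beforehand and confirmed on the webcam, and reports which keys may be signed. The gpg output it parses is constructed: the first pub/fingerprint pair is the one quoted above, while the uid lines, the second key and the PRESENTED_AT_PARTY list are made up for the example. The second entry is deliberately a key whose fetched fingerprint differs from the one shown at the party in everything except its last 8 hex digits, so comparing short key IDs alone would pass it.

```python
import re

# Constructed sample of `gpg --fingerprint` output, as if two keys had been
# fetched from a key server after the party. The first pub/fingerprint pair
# is the one quoted in the mail; the uid lines and the second key are made up.
GPG_FINGERPRINT_OUTPUT = """\
pub   4096R/72FA275A 2014-07-22
      Key fingerprint = 492F E32D 853F 1081 FF58  66F5 EF6D 31C7 72FA 275A
uid                  Vincent Hennebert <vhennebert@example.org>
sub   4096R/1F2E3D4C 2014-07-22

pub   4096R/0BADF00D 2014-07-23
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 0BAD F00D
uid                  Example Committer <committer@example.org>
"""

# Constructed: fingerprints sent in beforehand and confirmed on the webcam,
# keyed by the name on the ID that was shown. Case and spacing vary, as they
# do when people paste from different tools. The second entry differs from
# the fetched key in everything but its last 8 hex digits (the short key ID).
PRESENTED_AT_PARTY = {
    "Vincent Hennebert": "492f e32d 853f 1081 ff58 66f5 ef6d 31c7 72fa 275a",
    "Example Committer": "9999 8888 7777 6666 5555 6666 7777 8888 0BAD F00D",
}

# Old-style "pub   4096R/72FA275A 2014-07-22" and newer "pub   rsa4096 2014-07-22 [SC]"
PUB_LINE = re.compile(r"^pub\s+\S+?(?:/([0-9A-Fa-f]{8,16}))?\s")
# "Key fingerprint = ..." (older gpg) or a bare indented fingerprint line (newer gpg)
FPR_LINE = re.compile(r"^\s*(?:Key fingerprint = )?((?:[0-9A-Fa-f]{4}\s*){10})$")
UID_LINE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.+?)\s*$")


def normalize_fingerprint(text):
    """Strip spacing, upper-case, and insist on a full 40-hex-digit v4 fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit OpenPGP fingerprint: %r" % text)
    return fpr


def parse_gpg_fingerprints(output):
    """Return one record per 'pub' block: {'key_id', 'fingerprint', 'uid'}."""
    records, current = [], None
    for line in output.splitlines():
        m = PUB_LINE.match(line)
        if m:
            current = {"key_id": (m.group(1) or "").upper(), "fingerprint": None, "uid": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = FPR_LINE.match(line)
        if m and current["fingerprint"] is None:
            fpr = normalize_fingerprint(m.group(1))
            # For v4 keys the key ID is the tail of the fingerprint, so a pub
            # line and fingerprint line that disagree mean mangled output.
            if current["key_id"] and not fpr.endswith(current["key_id"]):
                raise ValueError("key ID %s does not match fingerprint %s" % (current["key_id"], fpr))
            current["fingerprint"] = fpr
            current["key_id"] = current["key_id"] or fpr[-8:]
            continue
        m = UID_LINE.match(line)
        if m and current["uid"] is None:
            current["uid"] = m.group(1)
    return [r for r in records if r["fingerprint"]]


def keys_safe_to_sign(output, presented):
    """Split the party list into keys whose fetched fingerprint matches what
    was shown (safe to sign) and keys that must not be signed."""
    fetched = {r["fingerprint"]: r for r in parse_gpg_fingerprints(output)}
    safe, rejected = {}, {}
    for name, shown in presented.items():
        fpr = normalize_fingerprint(shown)
        if fpr in fetched:
            safe[name] = fetched[fpr]
        else:
            rejected[name] = "no fetched key has fingerprint " + fpr
    return safe, rejected


def signing_commands(output, presented):
    """gpg commands for the verified keys only. The full fingerprint is passed,
    never the short key ID, so the right key is selected unambiguously."""
    safe, _ = keys_safe_to_sign(output, presented)
    cmds = []
    for name, rec in safe.items():
        cmds.append("gpg --sign-key %s   # %s" % (rec["fingerprint"], name))
        cmds.append("gpg --send-keys %s" % rec["fingerprint"])
    return cmds


if __name__ == "__main__":
    safe, rejected = keys_safe_to_sign(GPG_FINGERPRINT_OUTPUT, PRESENTED_AT_PARTY)
    for name, rec in safe.items():
        print("OK           %s  %s" % (rec["fingerprint"], name))
    for name, why in rejected.items():
        print("DO NOT SIGN  %s: %s" % (name, why))
    print("\n".join(signing_commands(GPG_FINGERPRINT_OUTPUT, PRESENTED_AT_PARTY)))
```

Run as-is it reports Vincent's key as OK and refuses the second key; with real data, replace GPG_FINGERPRINT_OUTPUT by the output of `gpg --fingerprint` on the keys you fetched and PRESENTED_AT_PARTY by the fingerprints you wrote down during the party.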

If you don’t have a PGP key, now is the time to create one. The
following document is full of details about PGP, how it works, how it is
used at Apache, how to create a key, etc.
http://www.apache.org/dev/release-signing.html

If you do have a key but it is a DSA key or a 1024 bit RSA key, then you
need to switch to a stronger key (this is my case). See here for more
info:
http://www.apache.org/dev/key-transition.html

So, who’s up for it? Please give your availabilities in an answer to this
message. If you have it already, you may also want to include your
public key fingerprint.

As for myself, I would be available on working days during the next
2 weeks, between 7am UTC and 8pm UTC.

Thanks,
Vincent


[1] For more details, see
http://www.apache.org/dev/release-signing.html#note
[2] http://www.apache.org/dev/release-signing.html#web-of-trust
[3] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party
