----- Original Message -----
From: "Noel J. Bergman" <[EMAIL PROTECTED]>

> Yes, talking about signing. I know about the tools. It was the procedures
> I was wondering about. Do we have any notion of a web of trust, or do I
> simply make for myself an ad hoc key and stick it in a file? Do we have a
> KEY file already, with keys for previous Release Managers?
I don't believe it has ever been done for James. It is however highly recommended. Some time back the passwd file was stolen and posted on the net. The real danger was that someone would add a trojan horse to builds, folks would download them, and a few years later modified (hacked) Apache software would run on a lot of sites. This actual attack highlighted the importance of signing releases.

I believe the process for key pair generation and use is documented to some extent in the O'Reilly SSH book http://www.oreilly.com/catalog/sshtdg/index.html. I should have this book somewhere and should be able to verify. This information should also be somewhere on the Apache site.

I think this is the process - you generate a key pair, put your public key on the Apache machines and keep your private key with yourself. Log in to ssh using this key pair. Sign the release using your private key.

I don't know if there is a web of trust in place. It would be good and would be nice if Apache was a CA, but at present I don't think trust relationships like certificate chains etc. are in place.

Harmeet
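The sign-with-private-key / verify-with-published-public-key flow Harmeet describes, as an added illustration that is not part of this thread and not James project code. It uses Go's standard-library Ed25519 instead of PGP so it runs without gpg; the key pair, the "release" bytes and the tampered copy are constructed samples, and the public key stands in for an entry in a KEYS file.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ReleaseKey is the Release Manager's key pair: the private half stays with
// the RM, the public half is what would be published (e.g. in a KEYS file).
type ReleaseKey struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewReleaseKey generates a fresh key pair (the analogue of generating a PGP key).
func NewReleaseKey() (*ReleaseKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ReleaseKey{Public: pub, private: priv}, nil
}

// SignRelease produces a detached signature over the release archive bytes,
// the analogue of the .asc file shipped beside a tarball.
func (k *ReleaseKey) SignRelease(archive []byte) []byte {
	return ed25519.Sign(k.private, archive)
}

// VerifyRelease is what a downloader runs with the published public key:
// any change to the archive after signing makes this return false.
func VerifyRelease(pub ed25519.PublicKey, archive, sig []byte) bool {
	return ed25519.Verify(pub, archive, sig)
}

func main() {
	key, err := NewReleaseKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the bytes of a release tarball.
	release := []byte("james-release.tar.gz contents (constructed sample)")
	sig := key.SignRelease(release)
	fmt.Println("genuine release verifies:", VerifyRelease(key.Public, release, sig))

	// A copy modified after signing (the trojaned-build scenario): the
	// detached signature no longer matches, so the download is rejected.
	tampered := bytes.Replace(release, []byte("contents"), []byte("contents+extra"), 1)
	fmt.Println("modified release verifies:", VerifyRelease(key.Public, tampered, sig))
}
```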
