Re: cvs commit: httpd-dist KEYS
On Mon, 2004-01-19 at 12:32, [EMAIL PROTECTED] wrote:
> martin 2004/01/19 03:32:59
>
> Modified: . KEYS
> Log:
> No need to spam innocent people

I'd think that the spammers have picked up on the s/@/ at / trick by now. I don't really see how this fixes things for these people. *shrug*

Sander
Re: cvs commit: httpd-dist KEYS
[EMAIL PROTECTED] wrote:
> martin 2003/09/08 04:03:40
>
> Modified: . KEYS
> Log:
> Add my 768/FDE534D1 key

That's a little weak, isn't it?

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: cvs commit: httpd-dist KEYS
--On Tuesday, February 18, 2003 12:06 PM -0600 William A. Rowe, Jr. [EMAIL PROTECTED] wrote:

> I agree that was overkill. However, why put anything on the contributors web page? I believe that information exists right there, in the KEYS file, as to who signed a given release, with our email address (we only use still-valid email accounts when signing, right?)

Because you may be able to contact someone face-to-face who is already in our web of trust rather than the person who signed the release. It doesn't matter if you don't trust the RM directly - as long as you trust someone who trusts the RM.

In short, you don't need to contact the RM directly. You can, but it may not be practical to do face-to-face verification with that person (so, you might resort to telephone verification). But, we have a wide enough geographic dispersal where you may be able to find someone in your area who is willing to do a face-to-face meeting. (In fact, this would *lessen* the load of the RM rather than increase it!)

The reason why I'm concerned about this generally is that mod_python and flood are going to be issuing signed releases soon. Granted their popularity isn't as high as httpd, but they are looking for policy here. It's our obligation to set good verification policy.

-- justin
Re: cvs commit: httpd-dist KEYS
Ahhh... verification between project RMs of one another's tarballs? Then don't plug this into KEYS and raise awareness (our workload) to insurmountable levels.

Let's start a wiki^H^H^H^Hdoc page all about release signatures and PGP. Explain in a nutshell what is signed, why it is signed and how trusting joe who trusts sam lets you validate that sam's signed package is authentic.

KEYS doesn't need to get so dirty, a simple href will do to the authoritative doc out on www.apache.org/. And let the reader connect the dots... unless you find several people under the President's infrastructure committee who will handle the [EMAIL PROTECTED] mail and do the leg work/flying/faxing/phoning.

But clean this out of our local KEYS file and do all the magic by reference, so that even stale KEYS checkouts point to the now-authoritative document (that would also include revoked keys to avoid, et al. :-)

Bill

At 12:30 PM 2/18/2003, Justin Erenkrantz wrote:
> --On Tuesday, February 18, 2003 12:06 PM -0600 William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
>
> > I agree that was overkill. However, why put anything on the contributors web page? I believe that information exists right there, in the KEYS file, as to who signed a given release, with our email address (we only use still-valid email accounts when signing, right?)
>
> Because you may be able to contact someone face-to-face who is already in our web of trust rather than the person who signed the release. It doesn't matter if you don't trust the RM directly - as long as you trust someone who trusts the RM.
>
> In short, you don't need to contact the RM directly. You can, but it may not be practical to do face-to-face verification with that person (so, you might resort to telephone verification). But, we have a wide enough geographic dispersal where you may be able to find someone in your area who is willing to do a face-to-face meeting. (In fact, this would *lessen* the load of the RM rather than increase it!)
>
> The reason why I'm concerned about this generally is that mod_python and flood are going to be issuing signed releases soon. Granted their popularity isn't as high as httpd, but they are looking for policy here. It's our obligation to set good verification policy.
>
> -- justin
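The two messages above describe validating a release manager's key through someone you already trust ("trusting joe who trusts sam") and keeping revoked keys out of the picture. The following is an added example, not part of the thread or of any Apache tooling: it searches a constructed signature graph for a certification chain, assuming every listed signature has already been cryptographically verified. All key names other than joe and sam are hypothetical.

```python
from collections import deque

# Constructed sample data: signer -> set of keys that signer has certified.
# "joe" and "sam" follow the names used in the thread; the rest are hypothetical.
SIGNATURES = {
    "reader": {"joe"},
    "joe": {"sam", "old-rm"},
    "sam": {"mod_python-rm"},
    "old-rm": {"mod_python-rm"},
    "stranger": {"flood-rm"},
}
REVOKED = {"old-rm"}  # constructed: a key listed as revoked


def trust_path(signatures, start, target, revoked=frozenset(), max_depth=3):
    """Return the shortest certification chain start -> ... -> target, or None.

    Revoked keys are never used, neither as the target nor as a link.
    max_depth caps the number of signatures in the chain.
    """
    if start in revoked or target in revoked:
        return None
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain is already as long as allowed
        for signed in sorted(signatures.get(path[-1], ())):
            if signed not in seen and signed not in revoked:
                seen.add(signed)
                queue.append(path + [signed])
    return None


if __name__ == "__main__":
    for rm in ("sam", "mod_python-rm", "flood-rm"):
        print(rm, "->", trust_path(SIGNATURES, "reader", rm, REVOKED))
```

A key with no chain from the reader's own trusted keys (flood-rm here) comes back as `None`, which is the case where out-of-band verification is still needed.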
Re: cvs commit: httpd-dist KEYS
Justin, could you *please* find a better way to say what you were (rightly) trying to convey about the keys file, below? It's a little absurd to try to have folks chasing us down for sigs at home. Don't we all get enough oddball private inquiries? A much more rational approach would be a resource of 'HTTPD developer meets', a web page where we could *announce* our presence and the opportunity for the users to come to us? (A.C., LinuxWorld, et al?) As an RM to one who hasn't RM'ed, you are a bit out of line putting this on each and every RM. I do get very infrequent requests to verify my key, and have the means to do so. It doesn't belong in the KEYS file to put ideas in their heads, however, or I will have to quit doing so even for the ultra paranoid, educated users who deserve the courtesy ;-) Bill At 01:38 PM 2/17/2003, [EMAIL PROTECTED] wrote jerenkrantz2003/02/17 11:38:57 Modified:.KEYS Log: Oh, wordsmith away. We don't bite, but let's not tell anyone that. Revision ChangesPath 1.34 +24 -2 httpd-dist/KEYS Index: KEYS +Please realize that this file itself or the public key servers may be +compromised. You are encouraged to validate the authenticity of these keys in +an out-of-band manner. A good start would be face-to-face communication with +multiple photo identification confirmations. Each contributor has their +location information available at http://httpd.apache.org/contributors/. + +Since the developers are usually quite busy, you may not immediately find +success in someone who is willing to meet face-to-face (they may not even +respond to your emails because they are so busy!). If you do not have a +developer nearby or have trouble locating a suitable person, please send an +email to the release manager of the release you are attempting to verify. They +may be able to find someone who will be willing to verify their key in a less +secure manner (over the phone perhaps).
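Review bot: The added KEYS text warns that this file and the public key servers may be compromised, but the out-of-band step it then offers starts from http://httpd.apache.org/contributors/ and from email to the release manager, and a reader reaches both through the same project channels the warning is about. The text also never says what is to be confirmed in the face-to-face or phone check; I would name the key fingerprint as the thing to compare, and say that the contributors page is only a way to locate a person, not evidence of who they are. In the second paragraph, "they may not even respond to your emails because they are so busy!" leaves the reader with no guidance for the meantime, so consider stating that a key which has not been verified should be treated as untrusted until it is.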
Re: cvs commit: httpd-dist KEYS
+Apache developers: please ensure that your key is also available via the +PGP keyservers (such as pgpkeys.mit.edu). That should not be necessary. The KEYS file is in a well known public location which serves the same purposes for our set of public keys as the keyserver. -aaron
Re: cvs commit: httpd-dist KEYS
It has not yet been signed by anybody.

Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., a leading provider of Net business solutions
http://www.novell.com

[EMAIL PROTECTED] Monday, April 08, 2002 1:01:31 PM
> On Mon, Apr 08, 2002 at 06:51:04PM -, Brad Nicholes wrote:
> > bnicholes 02/04/08 11:51:04
> >
> > Modified: . KEYS
> > Log:
> > Added my public key
>
> Brad, has your key been signed by anyone? I'm not seeing any sigs under your public key. If you need someone to sign your key (which you do if you want to sign any httpd binary distros) then let me know.
>
> -aaron
Re: cvs commit: httpd-dist KEYS
On Mon, Apr 08, 2002 at 03:25:39PM -0400, Jim Jagielski wrote:
> Hopefully, the next ApacheCon will afford an op for mega signing :)

*ahem* When will the next ApacheCon be? -- justin
Re: cvs commit: httpd-dist KEYS
Most likely Nov 2002. Doesn't help out now, I know.

Justin Erenkrantz wrote:
> On Mon, Apr 08, 2002 at 03:25:39PM -0400, Jim Jagielski wrote:
> > Hopefully, the next ApacheCon will afford an op for mega signing :)
>
> *ahem* When will the next ApacheCon be? -- justin

--
===
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
A society that will trade a little liberty for a little order will lose both and deserve neither - T.Jefferson
Re: cvs commit: httpd-dist KEYS
On Mon, 8 Apr 2002, Jim Jagielski wrote:
> Most likely Nov 2002. Doesn't help out now, I know.
>
> Justin Erenkrantz wrote:
> > On Mon, Apr 08, 2002 at 03:25:39PM -0400, Jim Jagielski wrote:
> > > Hopefully, the next ApacheCon will afford an op for mega signing :)
> >
> > *ahem* When will the next ApacheCon be? -- justin

Although one day we should make this part of the committer initiation procedure - fill in your key ID on the committer consent form :-)

Dw.
ApacheCon scheduling was Re: cvs commit: httpd-dist KEYS
On Mon, Apr 08, 2002 at 03:50:40PM -0400, Cliff Woolley wrote: On Mon, 8 Apr 2002, Jim Jagielski wrote: Most likely Nov 2002. Oh great. When were we going to be told that? August really works better for me. November is just going to suck. I'm really going to be leery about taking a week off in my first quarter/semester of grad school (wherever that may be - decision forthcoming...). Other years I don't think I'll have a problem skipping a week for a conference, but my first term? Ouch. Perhaps we httpd people should get together before November. Are enough core people up for a meeting before then? Or, conversely are there enough people who would have problems making it in November to justify meeting earlier? Especially now that we went GA on 2.0, we should meet to discuss 2.1 or 3.0... Waiting until Nov will just suck. -- justin
Re: ApacheCon scheduling was Re: cvs commit: httpd-dist KEYS
On Mon, 8 Apr 2002, Justin Erenkrantz wrote:
> Perhaps we httpd people should get together before November. Are enough core people up for a meeting before then?

+1

-- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
RE: ApacheCon scheduling was Re: cvs commit: httpd-dist KEYS
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: 08 April 2002 23:03

> On Mon, 8 Apr 2002, Justin Erenkrantz wrote:
> > Perhaps we httpd people should get together before November. Are enough core people up for a meeting before then?
>
> +1

I would like this very much, but I'm afraid there is a little pond in the middle that is too much of an obstacle for me.

Sander
Re: cvs commit: httpd-dist KEYS
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote :
> On Mon, 8 Apr 2002, Jim Jagielski wrote:
> > Most likely Nov 2002. Doesn't help out now, I know.
> >
> > Justin Erenkrantz wrote:
> > > On Mon, Apr 08, 2002 at 03:25:39PM -0400, Jim Jagielski wrote:
> > > > Hopefully, the next ApacheCon will afford an op for mega signing :)
> > >
> > > *ahem* When will the next ApacheCon be? -- justin
>
> Although one day we should make this part of the committer initiation procedure - fill in your key ID on the committer consent form :-)

Getting Debian commit (it's a slightly different idea, but close enough) status is even more stringent - you have to have your key signed in person by someone else with commit status...

-Thom
Re: cvs commit: httpd-dist KEYS
On Mon, 8 Apr 2002, Jim Jagielski wrote:
> Most likely Nov 2002.

Is this authoritative, or speculation? I am trying to schedule going to Paraguay for my brother's wedding on the week after the week when I understood ApacheCon to be. Something authoritative would be handy, so that I can buy overpriced tickets sooner, rather than later.

> Justin Erenkrantz wrote:
> > On Mon, Apr 08, 2002 at 03:25:39PM -0400, Jim Jagielski wrote:
> > > Hopefully, the next ApacheCon will afford an op for mega signing :)
> >
> > *ahem* When will the next ApacheCon be? -- justin

--
Rich Bowen - [EMAIL PROTECTED]
... and another brother out of his mind, and another brother out at New York (not the same, though it might appear so) Somebody's Luggage (Charles Dickens)
Re: ApacheCon scheduling was Re: cvs commit: httpd-dist KEYS
Justin Erenkrantz [EMAIL PROTECTED] wrote:
> Especially now that we went GA on 2.0, we should meet to discuss 2.1 or 3.0... Waiting until Nov will just suck. -- justin

I'm going to get a gun now! :) Before talking about 2.1, I (and I know I'm voicing concerns of _a_lot_ of people) would really _love_ to see 2.0 settle down for a little while... At least for the sake of us poor module-writers :) :) :)

Pier
Re: cvs commit: httpd-dist KEYS
Nov 2002 is the current baseline that we Planners are working towards. Security Travel is looking at hotels and venues as well for that time frame. We even have some candidate dates as well.

Speaking as an ApacheCon planner, it's pretty authoritative :)

Rich Bowen wrote:
> On Mon, 8 Apr 2002, Jim Jagielski wrote:
> > Most likely Nov 2002.
>
> Is this authoritative, or speculation? I am trying to schedule going to Paraguay for my brother's wedding on the week after the week when I understood ApacheCon to be. Something authoritative would be handy, so that I can buy overpriced tickets sooner, rather than later.
>
> > Justin Erenkrantz wrote:
> > > On Mon, Apr 08, 2002 at 03:25:39PM -0400, Jim Jagielski wrote:
> > > > Hopefully, the next ApacheCon will afford an op for mega signing :)
> > >
> > > *ahem* When will the next ApacheCon be? -- justin
>
> --
> Rich Bowen - [EMAIL PROTECTED]
> ... and another brother out of his mind, and another brother out at New York (not the same, though it might appear so) Somebody's Luggage (Charles Dickens)

--
===
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
A society that will trade a little liberty for a little order will lose both and deserve neither - T.Jefferson