JSPWiki / JSPWIKI-560

Developers tied into ASF PGP web of trust

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: Graduating
    • Component/s: None
    • Labels: None

      Activity

      Janne Jalkanen added a comment -

      Currently I think only I (Janne) have a signed PGP key within Apache's web-of-trust. We need to get others signed as well.

      Andrew, can you prepare a key for our next meeting, and I'll be happy to sign it?

      Harry Metske added a comment -

      For those of you who are not that familiar with it (including me), I found Henk Penning's explanation very useful: http://people.apache.org/~henkp/trust/

      Janne Jalkanen added a comment -

      Question: how many of us actually do need to be tied to the web of trust, anyway?

      Harry Metske added a comment -

      A couple, say 3 or 4?

      Janne Jalkanen added a comment -

      Hm... So - Florian, Harry, Dirk, Andrew! You should try and hook up with your local Apache people and ask someone to sign a key... Or go to ApacheCon. Or have your summer holidays in Finland.

      Craig L Russell added a comment -

      The issue is not so much how many folks should be tied into the Apache WOT. Everyone who signs releases needs to have a key (duh) and any key used to sign a release should be tied into the WOT by being signed, and by having the owner sign others' keys.

      Then the question is how many signatures on your keys are enough. One is enough, but more is (are) better. Cross-signed keys are best.

      Florian Holeczek added a comment -

      Unfortunately I couldn't have summer holidays in Finland. But I met Apache committer Stefan Seelmann in Munich this week and we signed our keys.

      Harry Metske added a comment -

      That's nice Florian.

      I think 2 people in the project who can sign within the web of trust is nice; if you all agree, we can close this one too.

      Janne Jalkanen added a comment -

      Well done, Florian! I think two people is sufficient (that means that there is redundancy also for rolling releases).

      Janne Jalkanen added a comment -

      I think this is fine.


        People

        • Assignee: Unassigned
        • Reporter: Janne Jalkanen