At 11:36 AM 2/18/2003, Justin Erenkrantz wrote:
>--On Tuesday, February 18, 2003 1:25 AM -0600 "William A. Rowe, Jr."
><[EMAIL PROTECTED]> wrote:
>
>>It's a little absurd to try to have folks chasing us down for sigs
>>at home. Don't we all get enough oddball private inquiries?
>
>The original suggestion was to put a phone number on the contributors web page where
>we could be reached. I feel direct email is a more appropriate forum. Sending an
>email to the developers list (dev@httpd) isn't appropriate because the KEYS file
>serves for the entire project (which consists of many subprojects that can release on
>their own - flood, mod_python, etc.).

I agree that was overkill. However, why put anything on the contributors web page? I believe that information exists right there, in the KEYS file, as to who signed a given release, with our email address (we only use still-valid email accounts when signing, right?)

>We could create keys@httpd and people willing to verify keys could subscribe there.
>(I'd almost suggest using security@httpd.)

The incidence on httpd isn't high enough. Maybe in Jakartaland this is a bigger issue. I've responded to the 10 or so requests I've ever received.

>>A much more rational approach would be a resource of 'HTTPD
>>developer meets', a web page where we could *announce* our presence
>>and the opportunity for the users to come to us? (A.C.,
>>LinuxWorld, et al?)
>
>Expecting our users to be at conferences is a bit much. It's hard enough to get
>httpd developers to attend ApacheCon never mind other conferences.

Hey - we did say nothing beats face-to-face with government issued photo ID (preferably two forms), right? The bigger point in such a paragraph is that the user need not be there, they need to encourage high-visibility individuals who attend such conferences, "hey, would you countersign keys with someone within the ASF so I can trust their signatures?" It's a web of trust.

>*ahem* I have RMed, thank-ya-very-much.

I'm sorry, yes - that's right. Now how many inquiries did you receive (remembering they had your email addy within your KEYS entry that you signed that release with)? Mountains out of molehills?

>I only said to contact the RM after failing to contact a person in your area. I
>think it's reasonable, but perhaps a specific verification mailing list would ease
>your troubled mind?

I think the current method, "Hmmm... I don't trust this signature, I better email that individual and inquire how to validate their key" (provided they get a response) seems to work just fine today.

Bill