Robert Muir: > On Fri, Jun 25, 2010 at 5:29 AM, Thomas Koch <[email protected]> wrote: > > But checking the signatures of apache software obviously is meaningless, > > since > > apache developers appears to not have their keys in the web-of-trust. > > From three signature files I had laying around on my hard disc, all > > three keys had > > > zero signatures on the MIT keyserver: > are you sure you know how to verify keys? please read the manual before > cross-posting to this many mailing lists. > > for example, Grant's key is definitely signed. i know because i signed it > myself: > > pub 4096R/FE045966 2009-10-13 > > uid Grant Ingersoll (CODE SIGNING KEY) <[email protected]> > sig sig3 FE045966 2009-10-13 __________ __________ [selfsig] > sig sig A867E8B1 2009-10-13 __________ __________ Grant Ingersoll (CODE > SIGNING KEY) <[email protected]> > sig sig 3396054D 2009-11-05 __________ __________ Robert Muir (Code > Signing Key) <[email protected]> > sig sig ECA39416 2009-11-05 __________ __________ Simon Willnauer (Code > Signing Key) <[email protected]> > sig sig C09FB546 2009-11-05 __________ __________ Isabel Drost (Apache > release signing key) <[email protected]> > sig sig 0C0885B4 2009-11-05 __________ __________ Isabel Drost < > [email protected]> > sig sig E1EE085F 2009-11-05 __________ __________ Uwe Schindler (CODE > SIGNING KEY) <[email protected]> > > * > *
Hallo Robert, You're right with Grant and I'm sorry for have been confused by the webinterface of the keyserver. However after double checking with the pgp.net keyserver I still don't find any signatures for M. Stack and P. Hunt. And even the four signatures on Grant's key don't help much because they seem to form a disconnected cluster of Andi Vajda, Isabel Drost, Michael Busch, Robert Muir, Simon Willnauer and Uwe Schindler without any signature coming in from the outside. - Isabel once had a very good signed key, but this has expired. The goal would be, that the apache keys would somehow interconnect with some Debian keys: http://people.debian.org/~weasel/weboftrust/ Many of the keys in the Debian Keyring have hundrets of signatures. It may well be, that the Apache Keyring can get as strong as the Debian Keyring after only two or three Apache Conferences. Best regards, Thomas Koch, http://www.koch.ro --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
