Hi,

Some background on the web of trust (wot) that ASF uses for signers of code releases is at http://en.wikipedia.org/wiki/Web_of_trust

You correctly point out that the icla is a binding document in which the party signing the document grants certain intellectual property rights to the ASF. The signature on this document is not verified to be the signature of a real person. It could be anyone. But whoever signed the document and commits code under the name in the document is assumed to have the authority to do so.

The wot is a different thing. It grants no authority and has no inherent rights. The only thing it attempts to guarantee is that the real person who is in the wot is the person who is responsible for signing the releases.

The primary way the Apache wot is increased is at signing parties, usually but not necessarily conducted during ApacheCons. A signing party can be held any time as long as there are two people who want to confirm each other's identity and add to the wot. At least one of the people at the signing party is already a member of the wot. If only one, then the wot created at the party is connected to the Apache wot via one or more "strands of trust" (I made that up).

Craig

On Oct 28, 2007, at 12:57 AM, Niclas Hedhman wrote:

On Sunday 28 October 2007 06:24, Noel J. Bergman wrote:
Perhaps we should add some information on getting into the Web of Trust, although that is really a general committer item, not Incubator specific.

I am not very security fluent, and perhaps someone could explain to me;

What is the difference between being an Apache committer/Member with the *signed* ICLA, which indeed is a legal document, and that other ASF folks have seen your driver's license (et al) and signed you into the web of trust?

From my perspective, the latter is not legally binding and at the most acts as some form of "someone has identified it to be a real person with that name"...

FWIW, I think ASF should increase the efforts in the ASF Web of Trust, both getting more people engaged (like myself, I can't figure out the practical details on how to go about it) as well as tooling support for verifications.


Cheers
Niclas



Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
