Something else that needs to be considered is what happens if someone's private key in the web of trust gets compromised? Once compromised, malicious releases could get re-rolled and deployed.
I think GPG would be good to validate an initial dependency/checksum for an artifact, but after that future builds should validate against the artifact checksum.

Regards,
Hiram

On Mon, Sep 15, 2008 at 2:00 PM, Robert Burrell Donkin <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 15, 2008 at 3:40 PM, William A. Rowe, Jr.
> <[EMAIL PROTECTED]> wrote:
>> Brett Porter wrote:
>>>
>>> For the releases to be identified as from the incubator, they'll need to
>>> be signed solely by "the incubator". Did you want to elaborate on how you
>>> anticipated that setup working?
>>
>> With PGP it's a web of trust. Any ASF-role key would never be used to sign
>> any artifact. Ideally, ASF-key would sign incubator key, incubator key
>> would sign Jane's key, Jane would RM and sign with her own key, and the web
>> of trust satisfies the trust requirement.
>
> i think that this approach would require a shadow web for incubator keys
>
> suppose:
>
> alice is an apache committer
> alice has key K which is commented "APACHE CODE SIGNING KEY"
> alice is elected release manager for incubator podling P
> alice would need to create a new key S which is commented "INCUBATOR
> RELEASES ONLY"
> alice adds S to an incubator KEYS document
>
> then alice should ensure that S (not K) is the only key used to sign
> the release for P
>
> - robert
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
Regards,
Hiram

Blog: http://hiramchirino.com
Open Source SOA
http://open.iona.com
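An added example, not code from this thread or from the ASF, that plays robert's scenario and Hiram's checksum suggestion end to end with stock gpg and sha256sum: "alice" has a committer key K and a separate incubator key S, only S is exported into the podling's KEYS file, and a downstream build accepts a release on first fetch only if the detached signature comes from a key in KEYS, then pins the artifact's SHA-256 and from then on checks only the pin. The names, e-mail address, artifact name and the two-column lockfile format are assumptions; the gpg flags are real ones.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the ASF). Both roles live in one script:
# the release manager keyring ($RM) and the consumer keyring ($CONSUMER).
# Names, e-mail, artifact and lockfile layout are assumptions.
set -euo pipefail
command -v gpg >/dev/null 2>&1 || { echo "gpg is required for this demo" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT
RM="$WORK/rm"; CONSUMER="$WORK/consumer"; LOCK="$WORK/checksums.lock"
mkdir -m 700 "$RM" "$CONSUMER"; : > "$LOCK"
export GNUPGHOME="$RM"                                 # default keyring: the release manager's
echo allow-loopback-pinentry > "$RM/gpg-agent.conf"   # unattended key generation and signing

sha256() {   # hex digest of a file; sha256sum on Linux, shasum elsewhere
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# --- release manager side ---------------------------------------------------
gen_key() {   # $1 name, $2 comment, $3 e-mail -> prints the new primary key fingerprint
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1 ($2) <$3>" default default 2>/dev/null
  gpg --batch --with-colons --list-keys "$2" 2>/dev/null | awk -F: '/^fpr:/ {print $10; exit}'
}
sign_release() {   # $1 fingerprint of the signing key, $2 artifact -> writes $2.asc
  gpg --batch --yes --pinentry-mode loopback --passphrase '' --local-user "$1" \
      --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

FPR_K=$(gen_key "Alice Committer" "APACHE CODE SIGNING KEY" "alice@example.org")
FPR_S=$(gen_key "Alice Committer" "INCUBATOR RELEASES ONLY" "alice@example.org")
gpg --batch --armor --export "$FPR_S" > "$WORK/KEYS"   # only S is published in the podling's KEYS

REL="$WORK/podling-1.0-incubating.tar.gz"
printf 'constructed release tarball bytes\n' > "$REL"  # constructed stand-in for the real artifact

# --- consumer (downstream build) side ----------------------------------------
GNUPGHOME="$CONSUMER" gpg --batch --import "$WORK/KEYS" 2>/dev/null   # the only trust root here

keys_in_KEYS() {   # primary-key fingerprints of everything in the consumer keyring (= KEYS)
  GNUPGHOME="$CONSUMER" gpg --batch --with-colons --list-keys 2>/dev/null \
    | awk -F: '/^pub:/ {p=1; next} p && /^fpr:/ {print $10; p=0}'
}
verify_release() {   # $1 artifact: 0 iff $1.asc is a good signature from a key listed in KEYS
  local fpr
  fpr=$(GNUPGHOME="$CONSUMER" gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | awk '$2 == "VALIDSIG" {print $NF; exit}') || true   # $NF = primary key fingerprint
  [ -n "$fpr" ] && keys_in_KEYS | grep -qx "$fpr"
}
pin_release()     { printf '%s  %s\n' "$(sha256 "$1")" "$(basename "$1")" >> "$LOCK"; }
check_pinned()    { grep -Fqx "$(sha256 "$1")  $(basename "$1")" "$LOCK"; }
already_pinned()  { awk -v n="$(basename "$1")" '$2 == n {f=1} END {exit !f}' "$LOCK"; }

accept_release() {   # the build's policy: verify once against KEYS, afterwards trust the pin
  if already_pinned "$1"; then
    check_pinned "$1"                        # later builds: the pinned checksum alone decides
  else
    verify_release "$1" && pin_release "$1"  # first fetch: signature from a KEYS key, then pin
  fi
}
outcome() { "$@" >/dev/null 2>&1 && echo accepted || echo rejected; }

# 1. alice signs with K by mistake: K is not in KEYS, so the build rejects the release
mkdir "$WORK/k"; cp "$REL" "$WORK/k/"; sign_release "$FPR_K" "$WORK/k/$(basename "$REL")"
ACCEPT_K=$(outcome accept_release "$WORK/k/$(basename "$REL")")

# 2. the real release signed with S: accepted, and its checksum is pinned
sign_release "$FPR_S" "$REL"
ACCEPT_S=$(outcome accept_release "$REL")

# 3. S later leaks and a re-rolled tarball with the same name is signed with it
mkdir "$WORK/reroll"; RR="$WORK/reroll/$(basename "$REL")"
printf 'constructed backdoored tarball bytes\n' > "$RR"; sign_release "$FPR_S" "$RR"
REROLL_SIG=$(verify_release "$RR" && echo valid || echo invalid)   # gpg alone is satisfied...
ACCEPT_REROLL=$(outcome accept_release "$RR")                      # ...the pinned checksum is not

printf 'signed with K: %s\nsigned with S: %s\nre-roll signature: %s, re-roll: %s\n' \
  "$ACCEPT_K" "$ACCEPT_S" "$REROLL_SIG" "$ACCEPT_REROLL"
```

Run it with bash on a machine with gpg 2.1 or later; it works in throwaway keyrings under a temp directory and removes them on exit. Two design points are worth noting. The consumer keyring is seeded from nothing but the KEYS file, so "signed by a key in KEYS" is checked with the fingerprint from gpg's VALIDSIG status line against that keyring, not against the web of trust, which is why K, a perfectly good committer key, is rejected. And the pin only protects artifacts the build has already accepted: a leaked S could still sign a version nobody has seen yet, so the first-fetch signature check and revoking S from KEYS still matter.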
