On Sat, 2009-10-03 at 16:43 +0800, Niclas Hedhman wrote:
> On Sat, Oct 3, 2009 at 3:34 AM, Paul Lindner <lind...@inuus.com> wrote:
> > Hi,
> > Over in the shindig podling we've been working on our 1.1 release. During
> > the voting process it was mentioned that my gpg key is not part of the
> > apache web of trust.
> >
> > * We have the +1s for shindig-1.1-BETA3, does this signature problem
> > disqualify the release?
>
> IMHO, No it doesn't. What you should ensure is that the key used for
> the signing is both committed to the SVN, uploaded to pgp.mit.edu (and
> other if possible) and that the fingerprint is published on the
> official website.
>
> > * I'd appreciate any/all help getting my gpg key signed by the proper people
> > so we can get a release out asap -- this 1.1 release has been a long time
> > coming. Once we get over this hurdle we feel we'll be close to graduating.
>
> Cross-signing of keys should happen in person, where identity can be
> ensured. If there are people you know really well, a phone call where
> the other part can recognize your voice, preferably being the one
> calling you up on a well-known phone number, to transfer the
> fingerprint info...

Ensure that some of you get to ApacheCon. I don't believe it is too far
away from you. Worst case, you might be able to get some folks there to
sign your key even if you don't attend the actual conference itself.

Does it disqualify this release? No. The signed key is to validate
authenticity of an Apache release. Right now, I'd say we're more
concerned about the podling being able to produce decent releases. So
long as the release has all the bits in the right places, that is
enough.

However, getting keys signed is a good thing to do in preparation for
ongoing (esp post graduation) releases.

Upayavira