On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater <nsla...@tumbolia.org> wrote: > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <bimargul...@gmail.com>wrote: > >> >> There's another side to this, which I would derisively label, 'so >> what'? How does it help a user to see that my key is signed by 27 of >> my fellow Apache contributors, if the user has never met any of us, >> and has never met anyone who has met any of us, etc, etc. In other >> words, the Web of Trust only helps users (very much) if they are >> active participants, and likely to have trust links that reach ASF >> release managers. >> >> In my opinion, that's vanishingly unlikely, and so the best we can do >> is to allow users to verify that the signature was, in fact, made by >> the 'Apache hat' that it claimed to be made by. Using the keys in >> KEYS, or the fingerprints from LDAP, seems the best they can do. >> > > To me, this seems like an outright dismissal of the web of trust because it > is "unlikely." Which it is sure to be if everyone dismisses it. You're > right in so much as not a lot of people care. But for the people that do > care, it is very important, and works just great. (Note, I am not one of > those people, though I am "in" the web of trust having been involved in > Debian, which takes it very seriously.) If you are the sort of person who > has a GPG key and get's it signed, then the chances are that you can > establish trust with an RM that does the same.
I've been watching PGP from its birth, and I've seen very little evidence of the web of trust growing from geeks like us to the sort of people who download and install Tomcat. If you can offer some counterevidence, I'm all eyes. My personal enthusiasm is for all Apache projects to share a clear recipe for their users to verify downloads. That recipe should work for *every user* and *every release manager*. > > -- > NS --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
