On Mon, Oct 8, 2012 at 6:15 PM, Noah Slater <nsla...@tumbolia.org> wrote: > Perhaps not Tomcat, but the entire Foundation and all of it's current and > future projects should be under consideration here. The long and short of > it is that key signing can't hurt. And a key signing guide certainly can't > hurt. RMs should feel free to do this, if they are interested in it, and > users who care about it can take advantage of it, if it interests them. I > certainly wouldn't want to think that we mandate anything. (You know you > can't be a Debian developer until you have your key signed by another > Debian developer? That set me back months. I'm something of a recluse!)
I'm absolutely not opposed to key signing. I am somewhat opposed to presenting 'look at the signature(s)' as a very prominent verification options on a page aimed at users. I am very much in favor of streamlining and describing alternatives that avoid the need for the user to be a WoT participant, such as taking advantage of KEYS files and the like. > > On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies > <bimargul...@gmail.com>wrote: > >> On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater <nsla...@tumbolia.org> wrote: >> > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <bimargul...@gmail.com >> >wrote: >> > >> >> >> >> There's another side to this, which I would derisively label, 'so >> >> what'? How does it help a user to see that my key is signed by 27 of >> >> my fellow Apache contributors, if the user has never met any of us, >> >> and has never met anyone who has met any of us, etc, etc. In other >> >> words, the Web of Trust only helps users (very much) if they are >> >> active participants, and likely to have trust links that reach ASF >> >> release managers. >> >> >> >> In my opinion, that's vanishingly unlikely, and so the best we can do >> >> is to allow users to verify that the signature was, in fact, made by >> >> the 'Apache hat' that it claimed to be made by. Using the keys in >> >> KEYS, or the fingerprints from LDAP, seems the best they can do. >> >> >> > >> > To me, this seems like an outright dismissal of the web of trust because >> it >> > is "unlikely." Which it is sure to be if everyone dismisses it. You're >> > right in so much as not a lot of people care. But for the people that do >> > care, it is very important, and works just great. (Note, I am not one of >> > those people, though I am "in" the web of trust having been involved in >> > Debian, which takes it very seriously.) If you are the sort of person who >> > has a GPG key and get's it signed, then the chances are that you can >> > establish trust with an RM that does the same. >> >> I've been watching PGP from its birth, and I've seen very little >> evidence of the web of trust growing from geeks like us to the sort of >> people who download and install Tomcat. If you can offer some >> counterevidence, I'm all eyes. >> >> My personal enthusiasm is for all Apache projects to share a clear >> recipe for their users to verify downloads. That recipe should work >> for *every user* and *every release manager*. >> >> >> > >> > -- >> > NS >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >> For additional commands, e-mail: general-h...@incubator.apache.org >> >> > > > -- > NS --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
