On Tue, 2016-07-26 at 09:19 +0200, Thorsten Schöning wrote:
> Hi all,
>
> the docs about release management for incubating projects make clear
> that the release needs to be signed[1] and in the end associated with
> the project AND the WOT of Apache in general[2].
I don't like that term "the WOT of Apache in general", with its implied suggestion that an Apache WoT might differ from AN Other. Even if a private Apache WoT were a reality, how would that help our users verify our releases? Surely the WoT we should be concerned with is the Strong Set that unifies Geekdom at large. Yes, also the project's KEYS and id.apache.org, but that's a separate issue to the WoT!

In terms of instructions I can't improve on Mark's reply. I would add that it's not entirely unprecedented to sign a release with a key that can't be verified in the Strong Set, but you should make all efforts to avoid that. A key that can't be verified adds no more security than an MD5 checksum.

-- 
Nick Kew

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
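Nick's closing point, that a "good" signature from a key with no path in the web of trust proves little, is visible in gpg's own machine-readable output: `gpg --status-fd 1 --verify` reports GOODSIG for any signature that checks out mathematically and a separate TRUST_* line for whether the signing key is actually trusted. The POSIX shell script below is an added example, not code from this thread, from Nick or from any Apache project; it parses that status stream and refuses to call a download verified unless both conditions hold. The key ids, fingerprints and user ids in the sample streams are constructed placeholders, and the `verdict` and `sample_status` function names are this example's own.

```shell
#!/bin/sh
# Added example: interpret the status lines emitted by
#   gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz 2>/dev/null | verdict
# so that "Good signature" on a key with no trust path (TRUST_UNDEFINED or
# TRUST_NEVER) is reported as UNVERIFIED instead of being accepted.
# Before verifying a real Apache release, import the project's KEYS file:
#   gpg --import KEYS
# The sample streams below are constructed; no gpg call is made offline.

# Read a gpg status stream on stdin, print a one-word verdict, and exit 0 only
# when the signature is good AND the signing key is fully or ultimately trusted.
verdict() {
  status=$(cat)
  case "$status" in
    *"[GNUPG:] BADSIG "*)    echo BAD;   return 1 ;;   # content was altered or wrong sig
    *"[GNUPG:] NO_PUBKEY "*) echo NOKEY; return 1 ;;   # signing key not in the keyring
    *"[GNUPG:] GOODSIG "*)
      case "$status" in
        *"[GNUPG:] TRUST_ULTIMATE"*|*"[GNUPG:] TRUST_FULLY"*)
          echo VERIFIED;   return 0 ;;                 # good sig, key reachable in the WoT
        *"[GNUPG:] TRUST_MARGINAL"*)
          echo MARGINAL;   return 1 ;;                 # some path, but below full trust
        *)
          echo UNVERIFIED; return 1 ;;                 # good sig, but key not verifiable
      esac ;;
    *)                       echo NOSIG; return 1 ;;   # no signature found at all
  esac
}

# Constructed sample status streams (placeholder key id, fingerprint and user id).
sample_status() {
  case "$1" in
    trusted)
      printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0123456789ABCDEF Example Releaser <releaser@example.invalid>' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-07-26 1469520000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567' \
        '[GNUPG:] TRUST_FULLY 0 pgp' ;;
    untrusted)
      printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0123456789ABCDEF Example Releaser <releaser@example.invalid>' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-07-26 1469520000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp' ;;
    bad)
      printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 0123456789ABCDEF Example Releaser <releaser@example.invalid>' ;;
    nokey)
      printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1469520000 9' \
        '[GNUPG:] NO_PUBKEY 0123456789ABCDEF' ;;
  esac
}

# Demonstration over the constructed samples.
for s in trusted untrusted bad nokey; do
  printf '%-10s %s\n' "$s" "$(sample_status "$s" | verdict)"
done
```

The important case is `untrusted`: gpg prints "Good signature" for it too, with only a warning that the key is not certified with a trusted signature, and a script that checks the exit status alone or greps for "Good signature" will accept it. The `verdict` function treats that as UNVERIFIED, which is exactly the situation where the signature adds no more assurance than a checksum served from the same place as the download.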
