> ---- Ted Leung wrote: ----
> As promised, here's a list of work items for the PMC
> ...
> o Encourage projects to start using the ASF mirroring guidelines
This is important; as Ted mentioned, to the ASF itself as well as to the projects. We need an early adopter to spearhead the effort to both get their project migrated properly, and then to make sure the existing 'how-to' pages that infrastructure@ and the jakarta folks have already set up are clear enough for everyone to follow. (Don't forget us Windoz folks as well!) -sc
> ---- Ted Leung wrote: ----
> o Encourage PGP signing of releases and improvement of the PGP web of
> trust
> ---- <[EMAIL PROTECTED]> wrote: ----
An interesting area. We can do all sorts of things to improve usage of PGP (provide deb keyring, PGP keyserver for Apache keys etc.), but the process of linking a key to a user would need to be better performed for it to be truly useful. Or is the feeling that just having CVS commit is enough to validate a key?
The ideal (thinking aloud) might be to have people put a PGP fingerprint on their CLA - that way in the event of password compromise etc. we have a linkage of a key back to a signed form to indicate we are talking to who we think we are.
Creating a key-server also allows users of software to go to a "trusted" source to validate a signing key for a distribution should they so desire.
Let's make sure we keep this focused on the basics. I don't think we have the need or resources to setup our own PGP keyserver; there are plenty already out there (http://pgpkeys.mit.edu/ seems popular with Apacheites). Plus I think infrastructure@ and others are already working on secure ways to get KEYS files directly from an ASF machine securely, which will solve the trusted distribution of keys problem.
And currently, we effectively only have individual webs-of-trust between people with PGP keys who are committers. Not optimal, but the easiest thing to do to start with. Essentially, we're providing users with individual signatures that show the build they get was created by such-and-such PGP keyowner, who presumably is also a committer. It's currently up to the user to verify that they're comfortable enough to use the software then.
Unfortunately xml and jakarta folks don't seem to be as well-cross-signed with the httpd etc. crowd yet. I tried to get some keysigning done at the last ApacheCon, but I'm sure I missed people. I'd urge xml folks to volunteer to sign each other's keys if you've met any other xml (or jakarta, etc) folks personally. The bigger and more connected the web-of-trust, the more useful it typically is.
One thing we do need is more prominently published how-tos for using PGP (or GPG, or older or newer versions of PGP, all of which are different) both for signing and verifying. There are a number of snippets on various download pages, and a couple of sites on the web with descriptions, but it'd be nice to have more details specifically for both committers and users.
- Shane
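As an added illustration of the signing and verifying how-to Shane asks for (this is not part of the original thread, and the key identity, file names and release contents are all made up), the script below plays both roles: a committer generates a signing key in a throwaway keyring, exports the public key to a KEYS file and detach-signs a release tarball; a user imports KEYS into a separate empty keyring and verifies the signature, once on the genuine artifact and once on a tampered copy. It assumes GnuPG 2.1 or later is installed as `gpg` and never touches your real ~/.gnupg.

```shell
#!/bin/sh
# Added example: PGP release signing and verification with throwaway keyrings.
# Assumes gpg (GnuPG 2.1+). The committer identity, tarball contents and file
# names below are constructed for the demonstration.
set -e

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"   # committer's keyring (holds the private key)
USER_HOME="$WORK/user"       # downloader's keyring (starts empty)
mkdir -p "$SIGNER_HOME" "$USER_HOME"
chmod 700 "$SIGNER_HOME" "$USER_HOME"

# --- Committer side -------------------------------------------------------
# Generate an unprotected signing key (fine for a demo; use a passphrase for real keys).
gpg --homedir "$SIGNER_HOME" --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Example Committer <committer@example.invalid>" \
    default default never >/dev/null 2>&1

# Constructed release artifact.
printf 'constructed release contents\n' > "$WORK/release-1.0.tar.gz"

# KEYS file: ASCII-armored export of every public key in the committer keyring.
gpg --homedir "$SIGNER_HOME" --batch --armor --export > "$WORK/KEYS"

# Detached ASCII-armored signature, published alongside the artifact.
gpg --homedir "$SIGNER_HOME" --batch --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/release-1.0.tar.gz.asc" \
    "$WORK/release-1.0.tar.gz"

# --- User side ------------------------------------------------------------
# verify_release ARTIFACT SIGNATURE KEYS: import KEYS, then check the signature.
# Prints "ok" when gpg accepts the signature and "BAD" otherwise.
verify_release() {
    gpg --homedir "$USER_HOME" --batch --import "$3" >/dev/null 2>&1
    if gpg --homedir "$USER_HOME" --batch --verify "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo BAD
    fi
}

GOOD=$(verify_release "$WORK/release-1.0.tar.gz" \
                      "$WORK/release-1.0.tar.gz.asc" "$WORK/KEYS")

# Append one byte to a copy of the artifact: the same signature must now fail.
cp "$WORK/release-1.0.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"
TAMPERED=$(verify_release "$WORK/tampered.tar.gz" \
                          "$WORK/release-1.0.tar.gz.asc" "$WORK/KEYS")

echo "genuine artifact:  $GOOD"
echo "tampered artifact: $TAMPERED"

# Stop the agents started for the temporary keyrings; ignore failures.
gpgconf --homedir "$SIGNER_HOME" --kill all >/dev/null 2>&1 || true
gpgconf --homedir "$USER_HOME" --kill all >/dev/null 2>&1 || true
```

A passing `gpg --verify` only proves the artifact matches a signature made by some key in KEYS; it says nothing about who controls that key. That is the gap the thread is discussing: the user still has to obtain KEYS from a trusted place and compare the signing key's fingerprint against one they trust (a CLA, a keysigning, or the web of trust) before the "Good signature" line means anything.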