G'day Shane,

> Shane Curcuru wrote
> Let's make sure we keep this focused on the basics. I don't think we have
> the need or resources to set up our own PGP keyserver; there are plenty
> already out there (http://pgpkeys.mit.edu/ seems popular with
> Apacheites). Plus I think infrastructure@ and others are already working
> on secure ways to get KEYS files directly from an ASF machine securely,
> which will solve the trusted distribution of keys problem.
>
> So exactly what is the aim of the game here?

Happy to agree that a keyserver may be over the top, but a mechanism that conveys an Apache keyring to end users of Apache software would surely have to be a good thing? If we are serious about secure software distribution (and I think we are, given we are taking the trouble to sign the releases in the first place), then surely we should also be serious about how we extend that security into user-land.

I'd also be interested in what you mean by "secure ways to get KEYS files directly from an ASF machine"? Surely a key is either in the web of trust (whatever that means to us) or not. The fact it resides on an ASF machine doesn't necessarily mean that we should put a high degree of trust in it.

BTW - That's not in any way having a go at the security of ASF machines. That's simply saying that you are basing the trust you place on a cryptographic key on the security of a password. Seems a bit contradictory? Or have I read the whole thing wrong :>.

> One thing we do need is more prominently published how-tos for using PGP
> (or GPG, or older or newer versions of PGP, all of which are different)
> both for signing and verifying. There are a number of snippets on various
> download pages, and a couple of sites on the web with descriptions, but
> it'd be nice to have more details specifically for both committers and users.

Absolutely agree! I'd also say the how-to should extend to a minimum set of requirements we would like to see in place before a key is signed.

Cheers,
Berin
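The distinction Berin draws above (a key being present in a KEYS file versus that key actually being in the web of trust) shows up directly in GnuPG's verification output. The following POSIX shell script is an added example, not code from this thread or from the ASF: it builds a throwaway signing key, a constructed KEYS file and a constructed "release" with a detached signature, then runs the user-side verification in an isolated keyring and reports the three outcomes a downloader can hit. It assumes GnuPG 2.1 or later is on PATH; every name in it (the signer identity, release file names, the `verify_release` and `demo_verification` functions) is invented for the example.

```shell
#!/bin/sh
# Added example (not from this thread): the user-side verification steps a
# PGP how-to would cover, run in throwaway GnuPG home directories so nothing
# touches the real keyring or trust database. Assumes GnuPG 2.1 or later on
# PATH; the release name, KEYS file and signing key are all constructed here.
set -e

# verify_release KEYS_FILE ARTIFACT DETACHED_SIG
# Imports the KEYS file into a fresh keyring and checks the signature.
# Prints one of: GOODSIG_TRUSTED GOODSIG_UNTRUSTED BADSIG NOKEY ERROR
# A key merely being present in KEYS yields GOODSIG_UNTRUSTED: the signature
# is mathematically valid, but nothing has placed that key in the web of trust.
verify_release() {
    keys=$1; artifact=$2; sig=$3
    vhome=$(mktemp -d)
    gpg --batch --quiet --homedir "$vhome" --import "$keys" 2>/dev/null || true
    # --status-fd 1 gives machine-readable "[GNUPG:] ..." lines instead of prose
    status=$(gpg --batch --homedir "$vhome" --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null || true)
    gpgconf --homedir "$vhome" --kill gpg-agent 2>/dev/null || true
    rm -rf "$vhome"
    case $status in
        *"[GNUPG:] BADSIG"*)    echo BADSIG ;;
        *"[GNUPG:] NO_PUBKEY"*) echo NOKEY ;;
        *"[GNUPG:] GOODSIG"*)
            case $status in
                *"[GNUPG:] TRUST_FULLY"*|*"[GNUPG:] TRUST_ULTIMATE"*) echo GOODSIG_TRUSTED ;;
                *) echo GOODSIG_UNTRUSTED ;;
            esac ;;
        *) echo ERROR ;;
    esac
}

# demo_verification: build a throwaway signer, a KEYS file and a signed
# "release", then exercise the three outcomes a user can hit.
# Prints NO_GPG when GnuPG is not installed so the script degrades cleanly.
demo_verification() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo NO_GPG; return 0
    fi
    work=$(mktemp -d)
    shome=$work/signer
    mkdir -m 700 "$shome"
    # Older 2.1.x agents refuse loopback pinentry unless told to allow it
    echo allow-loopback-pinentry > "$shome/gpg-agent.conf"
    # Constructed, unprotected signing key for the example only
    gpg --batch --quiet --homedir "$shome" --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Example Release Manager <rm@example.invalid>' default default never 2>/dev/null

    # Constructed release artifact plus detached ASCII-armoured signature
    printf 'pretend this is a release tarball\n' > "$work/release.tar.gz"
    gpg --batch --quiet --homedir "$shome" --passphrase '' --pinentry-mode loopback \
        --armor --detach-sign --output "$work/release.tar.gz.asc" "$work/release.tar.gz" 2>/dev/null

    # A project's KEYS file is just the armoured public keys of its signers
    gpg --batch --homedir "$shome" --armor --export > "$work/KEYS" 2>/dev/null
    : > "$work/KEYS.empty"

    # A tampered copy of the artifact, to show the signature catching it
    cp "$work/release.tar.gz" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"

    r1=$(verify_release "$work/KEYS" "$work/release.tar.gz" "$work/release.tar.gz.asc")
    r2=$(verify_release "$work/KEYS" "$work/tampered.tar.gz" "$work/release.tar.gz.asc")
    r3=$(verify_release "$work/KEYS.empty" "$work/release.tar.gz" "$work/release.tar.gz.asc")

    gpgconf --homedir "$shome" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

demo_verification
```

Run it as `sh verify-example.sh`; with GnuPG installed it prints `GOODSIG_UNTRUSTED BADSIG NOKEY`. The first result is the point of the thread: importing a KEYS file is enough for gpg to say the signature is good, but the accompanying `TRUST_UNDEFINED` status means the user has not yet decided to trust that key. Turning it into `GOODSIG_TRUSTED` requires a separate, deliberate step (checking the fingerprint against something obtained out of band and then certifying the key or setting its ownertrust), which is exactly the part a committer-and-user how-to would need to spell out.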