IMHO the main practical issue is that Apache committers are on five continents. I've never met any other committers in person. Getting all release managers together in a room where everyone can sign everyone else's (code signing) key is never going to happen.
At the risk of dragging this out...
I agree, but is it necessarily that complicated? I think the issue for PGP/GPG keys in this case is not one of identity but one of authority. Nobody really cares which Berin Lautenbach I am (I am sure there are others in the world :>). However they do care that the archive I have signed is an authorised Apache distribution. Thus the idea in the original e-mail that maybe the contributors agreement could have a PGP fingerprint attached, which would link me back to the legal agreement I have signed with Apache. Then if my key is signed and placed in the "Apache keyring" it is done so under the banner of the legal entity called Apache Software Foundation, rather than as an acknowledgement that someone has seen my passport.
Not necessarily any need for me to have met anyone, and *very* simple to implement, as most of the processes already exist. (Mind you, it would still be nice to authenticate identity as well.)
That to me makes more sense, because trust, in the Apache community, is on the basis of my history of actions as a developer, not on the basis of my identity.
Cheers, Berin