Is it just me, or don't we have a policy that all software distributions should be PGP/GPG or equivalently signed with the release manager's key? 8-)+1
Admittedly, plus points to Forrest and Xindice since they've already moved their distributions to the mirroring system at www.apache.org/dist/xml/[subproject]. But I'd really like to see future releases also get signed before they're put on the distro site.
But we also need to work on getting our keyrings / web of trust built out. If people are at ApacheCon it will help. Also, if people can sign keys of people that they know when they see them face to face, that will help as well.
There are now good tools for doing GPG (as well as PGP Freeware) on Windows -- Look at the Enigmail plugin to Mozilla and Thunderbird as an example. That's why you'll be seeing more signed messages from me on "official" matters...
Ted
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
