I’m available tomorrow 7/24/2014 7am-4pm Pacific (2pm-10pm UTC).

Clay

On Jul 23, 2014, at 12:58 PM, Vincent Hennebert <vhenneb...@gmail.com> wrote:

> as you are probably aware Apache releases must be signed. I do have
> a code-signing key but, because of the weaknesses found in SHA-1 [1], it
> is now obsolete. So I created a new, stronger one, and I now have to add
> it to the web of trust.
>
> See [2] for explanations about the web of trust. In short, this is a way
> to ensure that a key actually belongs to the person it claims, without
> having met that person. That allows to increase your confidence that
> a signed artefact you are downloading has not been tampered with and was
> created by the right people. For a graphical representation of the web
> of trust at Apache, see here:
> http://people.apache.org/~henkp/trust/apache.html
>
> In order to build a web of trust I thought that maybe we could organise
> a virtual key signing party, over Skype or Google Hangout, among the XML
> Graphics committers.
>
> It’s fairly simple and quite fun. You have to send me beforehand the
> public fingerprint of your key. It can be generated e.g. like this:
>     $ gpg --fingerprint vhennebert
>     pub 4096R/72FA275A 2014-07-22
>     Key fingerprint = 492F E32D 853F 1081 FF58 66F5 EF6D 31C7 72FA 275A
>
> During the signing party, we will check that all the fingerprints are
> correct. Then, each of us will show their ID at the webcam, for others
> to check they are talking to the right person.
>
> And that’s it. After the meeting, each of us can download the others’
> keys from a key server, check that the fingerprint matches what was
> presented during the party (this is important!), sign and upload the
> key. See [3] for more details.
>
> If you don’t have a PGP key, now is the time to create one. The
> following document is full of details about PGP, how it works, how it is
> used at Apache, how to create a key, etc.
> http://www.apache.org/dev/release-signing.html
>
> If you do have a key but it is a DSA key or a 1024 bit RSA key, then you
> need to switch to a stronger key (this is my case). See here for more
> info:
> http://www.apache.org/dev/key-transition.html
>
> So, who’s up for it? Please give your availabilities in an answer to this
> message. If you have it already, you may also want to include your
> public key fingerprint.
>
> As for myself, I would be available on working days during the next
> 2 weeks, between 7am UTC and 8pm UTC.
>
> Thanks,
> Vincent
>
>
> [1] For more details, see
> http://www.apache.org/dev/release-signing.html#note
> [2] http://www.apache.org/dev/release-signing.html#web-of-trust
> [3]
> http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@xmlgraphics.apache.org
> For additional commands, e-mail: general-h...@xmlgraphics.apache.org
>
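
The post-party check described in the quoted message (compare each downloaded key's fingerprint with the one presented at the party before signing), together with the DSA / 1024-bit RSA condition it mentions, as an added example that is not part of the original thread. It assumes the downloaded keys are listed with `gpg --with-colons --fingerprint`; the listing below is constructed, and every participant and fingerprint except the one quoted above is hypothetical.

```python
import re

DSA = 17            # OpenPGP public-key algorithm ID for DSA
RSA = (1, 2, 3)     # RSA (sign+encrypt, encrypt-only, sign-only)

def normalize(fpr):
    """Drop spaces and punctuation so printed and machine forms compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()

def parse_colons(listing):
    """Map primary-key fingerprint -> (algorithm id, bits) from colon-format output."""
    keys, pending = {}, None
    for line in listing.splitlines():
        f = line.strip().split(":")
        if f[0] == "pub":
            pending = (int(f[3]), int(f[2]))   # field 4 = algorithm, field 3 = length
        elif f[0] == "fpr" and pending:
            keys[f[9]] = pending               # field 10 = fingerprint
            pending = None                     # fpr records after "sub" are skipped
    return keys

def check(sheet, listing):
    """sheet: {name: fingerprint presented at the party}. Returns {name: verdict}."""
    keys, verdicts = parse_colons(listing), {}
    for name, presented in sheet.items():
        fpr = normalize(presented)
        if len(fpr) != 40:                     # v4 fingerprints are 160 bits
            verdicts[name] = "malformed fingerprint on sheet"
        elif fpr not in keys:
            verdicts[name] = "NO MATCH: do not sign"
        else:
            algo, bits = keys[fpr]
            weak = algo == DSA or (algo in RSA and bits <= 1024)
            verdicts[name] = "match, but weak key" if weak else "match: ok to sign"
    return verdicts

# Constructed colon listing standing in for keys fetched from a key server.
LISTING = """\
pub:-:4096:1:EF6D31C772FA275A:1405987200:::-:::scESC:
fpr:::::::::492FE32D853F1081FF5866F5EF6D31C772FA275A:
sub:-:4096:1:1111222233334444:1405987200::::::e:
fpr:::::::::9999888877776666555544443333222211110000:
pub:-:1024:17:89ABCDEF01234567:1100000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
pub:-:4096:1:0000111122223333:1405987200:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""
# Fingerprints as noted during the party; "alice" and "bob" are hypothetical.
SHEET = {
    "vhennebert": "492F E32D 853F 1081 FF58 66F5 EF6D 31C7 72FA 275A",
    "alice": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "bob": "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3334",
}

if __name__ == "__main__":
    for name, verdict in check(SHEET, LISTING).items():
        print(f"{name:12} {verdict}")
```

Comparing the full 40-digit fingerprint rather than the 8-digit key ID is the point of the exercise: "bob" differs from the downloaded key only in the last digit and is still rejected.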