Re: RAT issues [was: Re: [VOTE] JSPWiki version 2.9.0-incubating]

2012-10-08 Thread Craig L Russell


On Oct 8, 2012, at 3:59 PM, Juan Pablo Santos Rodríguez wrote:

> Hello,
>
> We've added support to generate RAT files (RAT report for RC3 available at
> [#1]) and began to play with it, via rat-ant-tasks [#2]. As noted in
> previous e-mails, all the JSP files lack of a proper header. So, a couple
> of questions:
>
> - we pass the addLicenseHeaders argument to the report task. A lot of .new
> files get generated with the appropriate header, but none of them correspond
> to JSPs files. On the other hand the RAT report detects the missing header
> in the JSP files. Is there any way to enforce the process for JSP files?

I'm not clear what you are saying here. If the rat addLicenseHeaders
does not create .jsp files with the appropriate header, you may need
to manually edit the .jsp files.

> - we also have some .js files which come with their license header (i.e.:
> mootools.js). RAT detects them as their header doesn't conform with AL
> Header. In this case I assume we should ignore these files, is that ok?

If you review all of the files that have their own license header, you
can then notate them. What rat does is report non-conforming files of
all types.

Any files that are licensed under a non-Apache license need to be
called out in the NOTICE and/or LICENSE files. There are many examples
of such files in other projects. If you give specific file names, I
can help you with what needs to be done to include them.

Craig

> We've also made java files conform strictly with AL header, so the headers
> issue should be solved once we get rid of the two points noted above.
>
>
> thx in advance,
> juan pablo
>
> [#1]: http://people.apache.org/~juanpablo/rat_2.9.0_rc3.txt
> [#2]: http://creadur.apache.org/rat/apache-rat-tasks/report.html

> On Sun, Oct 7, 2012 at 11:53 PM, Craig L Russell wrote:
>
>> Hi Christian,
>>
>> Thanks for the review of the release.
>>
>> On Oct 7, 2012, at 12:30 PM, Christian Grobmeier wrote:
>>
>>> Hello,
>>>
>>> i'm sorry to -1 your release :-(
>>>
>>> Please see:
>>> http://www.apache.org/legal/**src-headers.html#headers
>>
>> This is a very important document to read and understand. The jspwiki
>> headers are non-standard and should be rewritten to conform. In particular,
>> there should be no extraneous verbiage before the "Licensed to..." text. No
>> copyright, no other information.
>>
>>> I have found a lot of code like in the src package
>>> /src/webdocs/Captcha.jsp
>>> which are missing header licenses. I saw it is in the .java files, but
>>> they should be basically in every file we release (including jsp)
>>
>> I agree, .jsp files need the Apache license header just as .java files do.
>>
>>> Also export.sh misses headers.
>>>
>>> In the headers of the .java files is: JSPWiki - a JSP-based WikiWiki
>>> clone.
>>> Not sure if this is a blocker, but you should use the full name
>>> "Apache JSPWiki" instead of only "JSPWiki". Personally I would get rid
>>> of this line actually, but i think it is up to you.
>>
>> Getting rid of the line is probably the easiest way to conform.
>>
>>> Example:
>>> https://svn.apache.org/repos/**asf/incubator/jspwiki/tags/**
>>> jspwiki_2_9_0_incubating_rc3/**src/org/apache/catalina/util/**
>>> HexUtils.java
>>>
>>> I have not tested signatures yet.
>>>
>>> In other projects sometimes the website is being voted on together
>>> with the releases. Is it not the case with JSPWiki?
>>
>> I don't know that I've ever voted on a web site release. Other projects
>> just update the web site as needed, with no vote.
>>
>>> On another note, I agree with Ross. Your mentors should have told you
>>> that and they should have voted already.
>>
>> This first release has been a long time coming, and I was distracted the
>> last couple of weeks.
>>
>> I agree that the mentors should review the release and advise of remedial
>> action.
>>
>> I'd like to see a rat report on the release. I believe that analysis of
>> the rat report will reinforce the comments that Christian and I made.
>>
>> Regards,
>>
>> Craig
>>
>>> Not sure if how the overall
>>> situation on your daily project life is. If you feel that you would
>>> need more mentor support, please write a separate e-mail to this list.
>>> I have only looked at this e-mail as it was open for a couple of days
>>> without much responses.
>>>
>>> Best regards,
>>> Christian
>>>
>>> On Thu, Sep 27, 2012 at 8:11 PM, Juan Pablo Santos Rodríguez wrote:
>>>
>>>> Hi,
>>>>
>>>> This is a call for a vote on releasing the following candidate as Apache
>>>> JSPWiki version 2.9.0-incubating.
>>>> This will be our first release. A vote was held on the developer mailing
>>>> list (http://s.apache.org/dzM) and
>>>> passed with 10 +1s (* denoting PPMC):
>>>>
>>>> Janne Jalkannen*
>>>> Florian Holeczek*
>>>> Harry Metske*
>>>> Andrew Jaquith*
>>>> Dirk Frederickx*
>>>> Juan Pablo Santos Rodríguez*
>>>> Fabian Haupt
>>>> Michael Gerzabek
>>>> Christophe Dupriez
>>>> Roberto Venturi
>>>>
>>>> We need at least 3 IPMC votes.
>>>>
>>>> This release fixes the following issues:
>>>> https://issues.apache.org/**jira/secure/ReleaseNote.j

Re: jspwiki

2012-10-08 Thread Jukka Zitting
Hi,

On Sun, Oct 7, 2012 at 11:07 PM, Benson Margulies  wrote:
> We seem to have a problem here. I've pinged two of the mentors here
> chosen by people in my gmail 'to' cache; could we get some input?

JSPWiki has been troubled for quite some time. Earlier this year
(prompted by concerns raised by Sam) they discussed leaving the ASF as
one option due to lack of progress [1]. That proposal didn't reach
consensus, so a bit later a premature graduation attempt was made [2].
Meanwhile the project activity has remained pretty low compared to
what it was when the project entered incubation five(!) years ago.

There is still some energy in JSPWiki and I salute the efforts of Juan
Pablo and others who are keeping the project alive, but unfortunately
we aren't providing enough mentoring and other help to push the
community through incubation. Looking at jspwiki-dev@ I see only six
mentor posts since the beginning of this year.

I think JSPWiki still has the makings of a good Apache project, but
they clearly need more help. Any volunteers?

[1] http://markmail.org/message/etgsawr7mtjggppt
[2] http://markmail.org/message/bnkpzwdltlihce3k

BR,

Jukka Zitting

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



RAT issues [was: Re: [VOTE] JSPWiki version 2.9.0-incubating]

2012-10-08 Thread Juan Pablo Santos Rodríguez
Hello,

We've added support to generate RAT files (RAT report for RC3 available at
[#1]) and began to play with it, via rat-ant-tasks [#2]. As noted in
previous e-mails, all the JSP files lack of a proper header. So, a couple
of questions:

- we pass the addLicenseHeaders argument to the report task. A lot of .new
files get generated with the appropriate header, but none of them correspond
to JSPs files. On the other hand the RAT report detects the missing header
in the JSP files. Is there any way to enforce the process for JSP files?

- we also have some .js files which come with their license header (i.e.:
mootools.js). RAT detects them as their header doesn't conform with AL
Header. In this case I assume we should ignore these files, is that ok?

We've also made java files conform strictly with AL header, so the headers
issue should be solved once we get rid of the two points noted above.


thx in advance,
juan pablo

[#1]: http://people.apache.org/~juanpablo/rat_2.9.0_rc3.txt
[#2]: http://creadur.apache.org/rat/apache-rat-tasks/report.html

On Sun, Oct 7, 2012 at 11:53 PM, Craig L Russell
wrote:

> Hi Christian,
>
> Thanks for the review of the release.
>
>
> On Oct 7, 2012, at 12:30 PM, Christian Grobmeier wrote:
>
>> Hello,
>>
>> i'm sorry to -1 your release :-(
>>
>> Please see:
>> http://www.apache.org/legal/**src-headers.html#headers
>>
>
> This is a very important document to read and understand. The jspwiki
> headers are non-standard and should be rewritten to conform. In particular,
> there should be no extraneous verbiage before the "Licensed to..." text. No
> copyright, no other information.
>
>
>> I have found a lot of code like in the src package
>> /src/webdocs/Captcha.jsp
>> which are missing header licenses. I saw it is in the .java files, but
>> they should be basically in every file we release (including jsp)
>>
>
> I agree, .jsp files need the Apache license header just as .java files do.
>
>
>> Also export.sh misses headers.
>>
>> In the headers of the .java files is: JSPWiki - a JSP-based WikiWiki
>> clone.
>> Not sure if this is a blocker, but you should use the full name
>> "Apache JSPWiki" instead of only "JSPWiki". Personally I would get rid
>> of this line actually, but i think it is up to you.
>>
>
> Getting rid of the line is probably the easiest way to conform.
>
>
>> Example:
>> https://svn.apache.org/repos/**asf/incubator/jspwiki/tags/**
>> jspwiki_2_9_0_incubating_rc3/**src/org/apache/catalina/util/**
>> HexUtils.java
>>
>> I have not tested signatures yet.
>>
>> In other projects sometimes the website is being voted on together
>> with the releases. Is it not the case with JSPWiki?
>>
>
> I don't know that I've ever voted on a web site release. Other projects
> just update the web site as needed, with no vote.
>
>
>> On another note, I agree with Ross. Your mentors should have told you
>> that and they should have voted already.
>>
>
> This first release has been a long time coming, and I was distracted the
> last couple of weeks.
>
> I agree that the mentors should review the release and advise of remedial
> action.
>
> I'd like to see a rat report on the release. I believe that analysis of
> the rat report will reinforce the comments that Christian and I made.
>
> Regards,
>
> Craig
>
>
>
>> Not sure if how the overall
>> situation on your daily project life is. If you feel that you would
>> need more mentor support, please write a separate e-mail to this list.
>> I have only looked at this e-mail as it was open for a couple of days
>> without much responses.
>>
>> Best regards,
>> Christian
>>
>> On Thu, Sep 27, 2012 at 8:11 PM, Juan Pablo Santos Rodríguez wrote:
>>
>>> Hi,
>>>
>>> This is a call for a vote on releasing the following candidate as Apache
>>> JSPWiki version 2.9.0-incubating.
>>> This will be our first release. A vote was held on the developer mailing
>>> list (http://s.apache.org/dzM) and
>>> passed with 10 +1s (* denoting PPMC):
>>>
>>> Janne Jalkannen*
>>> Florian Holeczek*
>>> Harry Metske*
>>> Andrew Jaquith*
>>> Dirk Frederickx*
>>> Juan Pablo Santos Rodríguez*
>>> Fabian Haupt
>>> Michael Gerzabek
>>> Christophe Dupriez
>>> Roberto Venturi
>>>
>>> We need at least 3 IPMC votes.
>>>
>>> This release fixes the following issues:
>>> https://issues.apache.org/**jira/secure/ReleaseNote.jspa?**
>>> projectId=12310732&version=**12319521
>>>
>>> Source and binary files:
>>> http://people.apache.org/~**jalkanen/JSPWiki/2.9.0/
>>>
>>> The tag to be voted upon:
>>> https://svn.apache.org/repos/**asf/incubator/jspwiki/tags/**
>>> jspwiki_2_9_0_incubating_rc3

Re: key signing

2012-10-08 Thread Noah Slater
Found one... Just poking around manually...

J. Daniel Kulp 
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x858FC4C4F43856A3

Signed by Carsten Ziegeler 
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x132E49D4E41EDC7E

Signed by Marcus Crafter 
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x394D2FE3C4C57B42

And all Debian folk are connected, as per my previous email. :)

There should be a tool for this!

On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies wrote:

> Let's try a little statistically-invalid experiment of sample size
> one. The last time I had a key signed at Apache, it was by Dan Kulp.
> Now, pretend that you are a suspicious user of one of the many Maven
> plugins releases that I RM. Can you reach Dan from yourself in the
> web? Is there anyone you, personally, trust who starts a chain that
> leads to him?


-- 
NS
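
The manual walk above (key, its signer, that signer's signer) and the "tool for this" are a shortest-path search over certifications. The following is an added example, not code from any poster or from ASF tooling: it parses a constructed listing shaped like `gpg --check-sigs --with-colons` output, with made-up key IDs and names, and follows only signatures gpg marked good.

```python
"""Shortest chain of good certifications between two OpenPGP keys."""
from collections import deque

# Constructed key IDs (not real keys).
USER, TWO, ONE, RM = ("DDDD000000000004", "CCCC000000000003",
                      "BBBB000000000002", "AAAA000000000001")
STRANGER = "FFFF000000000006"

# Constructed sample shaped like `gpg --check-sigs --with-colons` output.
# In "sig" records: field 2 = check result ("!" good, "-" bad, "?" signer
# key not available), field 5 = signer key ID, field 10 = signer user ID,
# field 11 = signature class (10x-13x are certifications of a user ID).
SAMPLE_LISTING = """\
pub:-:4096:1:AAAA000000000001:1349654400:::-:::scESC:
uid:-::::1349654400::0000::Release Manager <rm@example.invalid>:
sig:!::1:AAAA000000000001:1349654400::::Release Manager <rm@example.invalid>:13x:
sig:!::1:BBBB000000000002:1349654400::::Signer One <one@example.invalid>:10x:
sig:-::1:CCCC000000000003:1349654400::::Signer Two <two@example.invalid>:10x:
sig:?::1:EEEE000000000005:1349654400::::[User ID not found]:10x:
pub:-:4096:1:BBBB000000000002:1349654400:::-:::scESC:
uid:-::::1349654400::0000::Signer One <one@example.invalid>:
sig:!::1:BBBB000000000002:1349654400::::Signer One <one@example.invalid>:13x:
sig:!::1:CCCC000000000003:1349654400::::Signer Two <two@example.invalid>:10x:
pub:-:4096:1:CCCC000000000003:1349654400:::-:::scESC:
uid:-::::1349654400::0000::Signer Two <two@example.invalid>:
sig:!::1:CCCC000000000003:1349654400::::Signer Two <two@example.invalid>:13x:
sig:!::1:DDDD000000000004:1349654400::::Downloading User <user@example.invalid>:10x:
pub:-:4096:1:DDDD000000000004:1349654400:::-:::scESC:
uid:-::::1349654400::0000::Downloading User <user@example.invalid>:
sig:!::1:DDDD000000000004:1349654400::::Downloading User <user@example.invalid>:13x:
pub:-:4096:1:FFFF000000000006:1349654400:::-:::scESC:
uid:-::::1349654400::0000::Stranger <stranger@example.invalid>:
sig:!::1:FFFF000000000006:1349654400::::Stranger <stranger@example.invalid>:13x:
"""

CERT_CLASSES = {"10", "11", "12", "13"}


def parse_signatures(listing, require_good=True):
    """Return (certified, names).

    certified maps a signer key ID to the set of key IDs it has certified;
    names maps key IDs to the first user ID seen for them.
    """
    certified, names, current = {}, {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 9:
            current = f[4]
            certified.setdefault(current, set())
            if f[9]:                      # older gpg puts the uid on pub
                names.setdefault(current, f[9])
        elif f[0] == "uid" and current and len(f) > 9:
            names.setdefault(current, f[9])
        elif f[0] == "sig" and current and len(f) > 10:
            signer = f[4]
            if signer == current:         # self-signature, not an edge
                continue
            if f[10][:2] not in CERT_CLASSES:
                continue
            if require_good and f[1] != "!":
                continue                  # bad or uncheckable signature
            certified.setdefault(signer, set()).add(current)
            if f[9]:
                names.setdefault(signer, f[9])
    return certified, names


def find_chain(certified, start, target):
    """Breadth-first search: shortest list of key IDs from start to target
    in which every key has certified the next one. None if unreachable."""
    if start == target:
        return [start]
    previous = {start: None}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        for nxt in sorted(certified.get(key, ())):
            if nxt in previous:
                continue
            previous[nxt] = key
            if nxt == target:
                path = [nxt]
                while previous[path[-1]] is not None:
                    path.append(previous[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    graph, names = parse_signatures(SAMPLE_LISTING)
    chain = find_chain(graph, USER, RM)
    print(" -> ".join(names.get(k, k) for k in chain) if chain else "no chain")
```

A chain only shows that the target is reachable through checked signatures; how much to rely on it still depends on how carefully each intermediate signer verifies identities.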


Re: key signing

2012-10-08 Thread Noah Slater
I don't know how to check that. Heh. Would be interested in giving it a
shot. Are there tools to look up graphs?

On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies wrote:

> Let's try a little statistically-invalid experiment of sample size
> one. The last time I had a key signed at Apache, it was by Dan Kulp.
> Now, pretend that you are a suspicious user of one of the many Maven
> plugins releases that I RM. Can you reach Dan from yourself in the
> web? Is there anyone you, personally, trust who starts a chain that
> leads to him?


-- 
NS


Re: svn commit: r1395765 - in /incubator/public/trunk/content: clutch.txt podlings.xml projects/bigtop.xml report_due_3.txt

2012-10-08 Thread David Crossley
Please do not hand-edit the Clutch output files.

http://incubator.apache.org/clutch.html#h-Graduate
http://incubator.apache.org/guides/graduation.html#unincubate

If people do want to run the Clutch program, then
update content/podlings.xml file, then follow:
http://incubator.apache.org/clutch.html#notes

-David

r...@apache.org wrote:
> Author: rvs
> Date: Mon Oct  8 20:44:54 2012
> New Revision: 1395765
> 
> URL: http://svn.apache.org/viewvc?rev=1395765&view=rev
> Log:
> Bigtop graduated
> 
> Modified:
> incubator/public/trunk/content/clutch.txt
> incubator/public/trunk/content/podlings.xml
> incubator/public/trunk/content/projects/bigtop.xml
> incubator/public/trunk/content/report_due_3.txt
> 
> Modified: incubator/public/trunk/content/clutch.txt
> URL: 
> http://svn.apache.org/viewvc/incubator/public/trunk/content/clutch.txt?rev=1395765&r1=1395764&r2=1395765&view=diff
> ==
> --- incubator/public/trunk/content/clutch.txt (original)
> +++ incubator/public/trunk/content/clutch.txt Mon Oct  8 20:44:54 2012
> @@ -2,7 +2,6 @@
>  allura,"Allura","Incubator"
>  ambari,"Ambari","Incubator"
>  amber,"Amber","Shindig"
> -bigtop,"Bigtop","Incubator"
>  bloodhound,"Bloodhound","Incubator"
>  blur,"Blur","Incubator"
>  celix,"Celix","Incubator"
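
Review bot: the removed line bigtop,"Bigtop","Incubator" in clutch.txt (@@ -2,7 +2,6 @@) is a hand edit to a file that the reply above describes as Clutch output. Suggest dropping this hunk from the commit and letting a Clutch run regenerate clutch.txt once content/podlings.xml has been updated, so the listing cannot drift from its source.
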
> 
> Modified: incubator/public/trunk/content/podlings.xml
> URL: 
> http://svn.apache.org/viewvc/incubator/public/trunk/content/podlings.xml?rev=1395765&r1=1395764&r2=1395765&view=diff
> ==
> --- incubator/public/trunk/content/podlings.xml [utf-8] (original)
> +++ incubator/public/trunk/content/podlings.xml [utf-8] Mon Oct  8 20:44:54 
> 2012
> @@ -180,7 +180,7 @@
>  Craig McClanahan
>  
>  
> - sponsor="Incubator" startdate="2011-06-20">
> + sponsor="Incubator" startdate="2011-06-20" enddate="2012-09-19">
>  Bigtop is a project for the development of packaging 
> and tests of the Hadoop ecosystem.
>  
>  
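
Review bot: in the podlings.xml hunk (@@ -180,7 +180,7 @@) the only changed line is the continuation line that gains enddate="2012-09-19"; the line that opens the element is untouched context. If the podling's status is recorded on that opening line, it needs updating in the same commit, otherwise the entry carries an end date while still reading as a current podling.
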
> 
> Modified: incubator/public/trunk/content/projects/bigtop.xml
> URL: 
> http://svn.apache.org/viewvc/incubator/public/trunk/content/projects/bigtop.xml?rev=1395765&r1=1395764&r2=1395765&view=diff
> ==
> --- incubator/public/trunk/content/projects/bigtop.xml [utf-8] (original)
> +++ incubator/public/trunk/content/projects/bigtop.xml [utf-8] Mon Oct  8 
> 20:44:54 2012
> @@ -18,6 +18,7 @@
>  
>News
>
> +2012-09-19 Apache Bigtop graduates from the Incbuator.
>  2012-08-20 0.4.0-incubating released!
>  2012-03-30 New Committer: Stephen Chu
>  2012-04-12 0.3.0-incubating released!
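
Review bot: typo in the added news line of bigtop.xml (@@ -18,6 +18,7 @@): "Incbuator" should be "Incubator". Suggested line: 2012-09-19 Apache Bigtop graduates from the Incubator.
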
> 
> Modified: incubator/public/trunk/content/report_due_3.txt
> URL: 
> http://svn.apache.org/viewvc/incubator/public/trunk/content/report_due_3.txt?rev=1395765&r1=1395764&r2=1395765&view=diff
> ==
> --- incubator/public/trunk/content/report_due_3.txt (original)
> +++ incubator/public/trunk/content/report_due_3.txt Mon Oct  8 20:44:54 2012
> @@ -1,5 +1,4 @@
>  "Allura Developers" 
> -"Bigtop Developers" 
>  "Bloodhound Developers" 
>  "Blur Developers" 
>  "Cordova Developers" 
> 
> 
> 
> -
> To unsubscribe, e-mail: cvs-unsubscr...@incubator.apache.org
> For additional commands, e-mail: cvs-h...@incubator.apache.org
> 




Re: key signing

2012-10-08 Thread Benson Margulies
Let's try a little statistically-invalid experiment of sample size
one. The last time I had a key signed at Apache, it was by Dan Kulp.
Now, pretend that you are a suspicious user of one of the many Maven
plugins releases that I RM. Can you reach Dan from yourself in the
web? Is there anyone you, personally, trust who starts a chain that
leads to him?




Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 6:15 PM, Noah Slater  wrote:
> Perhaps not Tomcat, but the entire Foundation and all of its current and
> future projects should be under consideration here. The long and short of
> it is that key signing can't hurt. And a key signing guide certainly can't
> hurt. RMs should feel free to do this, if they are interested in it, and
> users who care about it can take advantage of it, if it interests them. I
> certainly wouldn't want to think that we mandate anything. (You know you
> can't be a Debian developer until you have your key signed by another
> Debian developer? That set me back months. I'm something of a recluse!)

I'm absolutely not opposed to key signing.

I am somewhat opposed to presenting 'look at the signature(s)' as a
very prominent verification option on a page aimed at users.

I am very much in favor of streamlining and describing alternatives
that avoid the need for the user to be a WoT participant, such as
taking advantage of KEYS files and the like.





>
> On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies 
> wrote:
>
>> On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater  wrote:
>> > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote:
>> >
>> >>
>> >> There's another side to this, which I would derisively label, 'so
>> >> what'? How does it help a user to see that my key is signed by 27 of
>> >> my fellow Apache contributors, if the user has never met any of us,
>> >> and has never met anyone who has met any of us, etc, etc. In other
>> >> words, the Web of Trust only helps users (very much) if they are
>> >> active participants, and likely to have trust links that reach ASF
>> >> release managers.
>> >>
>> >> In my opinion, that's vanishingly unlikely, and so the best we can do
>> >> is to allow users to verify that the signature was, in fact, made by
>> >> the 'Apache hat' that it claimed to be made by. Using the keys in
>> >> KEYS, or the fingerprints from LDAP, seems the best they can do.
>> >>
>> >
>> > To me, this seems like an outright dismissal of the web of trust because it
>> > is "unlikely." Which it is sure to be if everyone dismisses it. You're
>> > right in so much as not a lot of people care. But for the people that do
>> > care, it is very important, and works just great. (Note, I am not one of
>> > those people, though I am "in" the web of trust having been involved in
>> > Debian, which takes it very seriously.) If you are the sort of person who
>> > has a GPG key and gets it signed, then the chances are that you can
>> > establish trust with an RM that does the same.
>>
>> I've been watching PGP from its birth, and I've seen very little
>> evidence of the web of trust growing from geeks like us to the sort of
>> people who download and install Tomcat. If you can offer some
>> counterevidence, I'm all eyes.
>>
>> My personal enthusiasm is for all Apache projects to share a clear
>> recipe for their users to verify downloads. That recipe should work
>> for *every user* and *every release manager*.
>>
>>
>> >
>> > --
>> > NS
>>
>>
>
>
> --
> NS




Re: key signing

2012-10-08 Thread Noah Slater
Caveat: But I do think that if we do have a key signing guide (and I think
we should) then it should be strict about our standards. (i.e. when and
when not to sign somebody's key. Basic QA on what sort of "trust" we're
trying to build here.)

On Mon, Oct 8, 2012 at 11:15 PM, Noah Slater  wrote:

> Perhaps not Tomcat, but the entire Foundation and all of its current and
> future projects should be under consideration here. The long and short of
> it is that key signing can't hurt. And a key signing guide certainly can't
> hurt. RMs should feel free to do this, if they are interested in it, and
> users who care about it can take advantage of it, if it interests them. I
> certainly wouldn't want to think that we mandate anything. (You know you
> can't be a Debian developer until you have your key signed by another
> Debian developer? That set me back months. I'm something of a recluse!)
>
>
> On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies 
> wrote:
>
>> On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater  wrote:
>> > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote:
>> >
>> >>
>> >> There's another side to this, which I would derisively label, 'so
>> >> what'? How does it help a user to see that my key is signed by 27 of
>> >> my fellow Apache contributors, if the user has never met any of us,
>> >> and has never met anyone who has met any of us, etc, etc. In other
>> >> words, the Web of Trust only helps users (very much) if they are
>> >> active participants, and likely to have trust links that reach ASF
>> >> release managers.
>> >>
>> >> In my opinion, that's vanishingly unlikely, and so the best we can do
>> >> is to allow users to verify that the signature was, in fact, made by
>> >> the 'Apache hat' that it claimed to be made by. Using the keys in
>> >> KEYS, or the fingerprints from LDAP, seems the best they can do.
>> >>
>> >
>> > To me, this seems like an outright dismissal of the web of trust because it
>> > is "unlikely." Which it is sure to be if everyone dismisses it. You're
>> > right in so much as not a lot of people care. But for the people that do
>> > care, it is very important, and works just great. (Note, I am not one of
>> > those people, though I am "in" the web of trust having been involved in
>> > Debian, which takes it very seriously.) If you are the sort of person who
>> > has a GPG key and gets it signed, then the chances are that you can
>> > establish trust with an RM that does the same.
>>
>> I've been watching PGP from its birth, and I've seen very little
>> evidence of the web of trust growing from geeks like us to the sort of
>> people who download and install Tomcat. If you can offer some
>> counterevidence, I'm all eyes.
>>
>> My personal enthusiasm is for all Apache projects to share a clear
>> recipe for their users to verify downloads. That recipe should work
>> for *every user* and *every release manager*.
>>
>>
>> >
>> > --
>> > NS
>>
>>
>
>
> --
> NS
>



-- 
NS


Re: key signing

2012-10-08 Thread Noah Slater
Perhaps not Tomcat, but the entire Foundation and all of its current and
future projects should be under consideration here. The long and short of
it is that key signing can't hurt. And a key signing guide certainly can't
hurt. RMs should feel free to do this, if they are interested in it, and
users who care about it can take advantage of it, if it interests them. I
certainly wouldn't want to think that we mandate anything. (You know you
can't be a Debian developer until you have your key signed by another
Debian developer? That set me back months. I'm something of a recluse!)

On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies wrote:

> On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater  wrote:
> > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote:
> >
> >>
> >> There's another side to this, which I would derisively label, 'so
> >> what'? How does it help a user to see that my key is signed by 27 of
> >> my fellow Apache contributors, if the user has never met any of us,
> >> and has never met anyone who has met any of us, etc, etc. In other
> >> words, the Web of Trust only helps users (very much) if they are
> >> active participants, and likely to have trust links that reach ASF
> >> release managers.
> >>
> >> In my opinion, that's vanishingly unlikely, and so the best we can do
> >> is to allow users to verify that the signature was, in fact, made by
> >> the 'Apache hat' that it claimed to be made by. Using the keys in
> >> KEYS, or the fingerprints from LDAP, seems the best they can do.
> >>
> >
> > To me, this seems like an outright dismissal of the web of trust because it
> > is "unlikely." Which it is sure to be if everyone dismisses it. You're
> > right in so much as not a lot of people care. But for the people that do
> > care, it is very important, and works just great. (Note, I am not one of
> > those people, though I am "in" the web of trust having been involved in
> > Debian, which takes it very seriously.) If you are the sort of person who
> > has a GPG key and gets it signed, then the chances are that you can
> > establish trust with an RM that does the same.
>
> I've been watching PGP from its birth, and I've seen very little
> evidence of the web of trust growing from geeks like us to the sort of
> people who download and install Tomcat. If you can offer some
> counterevidence, I'm all eyes.
>
> My personal enthusiasm is for all Apache projects to share a clear
> recipe for their users to verify downloads. That recipe should work
> for *every user* and *every release manager*.
>
>
> >
> > --
> > NS
>
>


-- 
NS


Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater  wrote:
> On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote:
>
>>
>> There's another side to this, which I would derisively label, 'so
>> what'? How does it help a user to see that my key is signed by 27 of
>> my fellow Apache contributors, if the user has never met any of us,
>> and has never met anyone who has met any of us, etc, etc. In other
>> words, the Web of Trust only helps users (very much) if they are
>> active participants, and likely to have trust links that reach ASF
>> release managers.
>>
>> In my opinion, that's vanishingly unlikely, and so the best we can do
>> is to allow users to verify that the signature was, in fact, made by
>> the 'Apache hat' that it claimed to be made by. Using the keys in
>> KEYS, or the fingerprints from LDAP, seems the best they can do.
>>
>
> To me, this seems like an outright dismissal of the web of trust because it
> is "unlikely." Which it is sure to be if everyone dismisses it. You're
> right in so much as not a lot of people care. But for the people that do
> care, it is very important, and works just great. (Note, I am not one of
> those people, though I am "in" the web of trust having been involved in
> Debian, which takes it very seriously.) If you are the sort of person who
> has a GPG key and gets it signed, then the chances are that you can
> establish trust with an RM that does the same.

I've been watching PGP from its birth, and I've seen very little
evidence of the web of trust growing from geeks like us to the sort of
people who download and install Tomcat. If you can offer some
counterevidence, I'm all eyes.

My personal enthusiasm is for all Apache projects to share a clear
recipe for their users to verify downloads. That recipe should work
for *every user* and *every release manager*.


>
> --
> NS




Re: key signing

2012-10-08 Thread Noah Slater
This is an important point.

Debian has a complete toolset and guidelines for managing this.

http://www.debian.org/events/keysigning

To quote:

> People should only sign a key under at least two conditions:
>
> 1. The key owner convinces the signer that the identity in the UID is
> indeed their own identity by whatever evidence the signer is willing to
> accept as convincing. Usually this means the key owner must present a
> government issued ID with a picture and information that match up with the
> key owner. (Some signers know that government issued ID's are easily forged
> and that the trustability of the issuing authorities is often suspect and
> so they may require additional and/or alternative evidence of identity).
>
> 2. The key owner verifies that the fingerprint and the length of the key
> about to be signed is indeed their own.


How would you do this via Skype?

If we don't take this seriously, how can we expect other people to take our
keys seriously?

(Debian also has a few tools to help automate this stuff. See above link.)

If we're going to adopt a key signing model, we should strongly consider
basing it on Debian's.

On Mon, Oct 8, 2012 at 9:45 PM, Ted Dunning  wrote:

> On Mon, Oct 8, 2012 at 7:46 PM, Marvin Humphrey wrote:
>
> > On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej  wrote:
> >
> > > It says clearly, "as long as you can guarantee that you are
> > > communicating with the key's true owner." Which was exactly my point.
> >
> > I assert a "virtual key-signing party" protocol incorporating Google Plus
> > Hangouts could offer comparable assurances to a face-to-face key signing
> > party.  I speculate that such a protocol would utilize the "Hangouts On
> > Air"[1] feature which archives the hangout video directly to YouTube, along
> > with possibly mailing list interaction and commits to ASF version control to
> > achieve a layered approach a la multi-factor authentication.  Arguably, having
> > archived video would make the virtual protocol _stronger_ than face-to-face.
> >
> > Whether such an initiative would be worth the effort is a different question,
> > but video conferencing should not be dismissed out-of-hand as a tool for
> > helping to associate a key with the key's true owner.
> >
> > [1] http://www.google.com/+/learnmore/hangouts/onair.html
> >
> >
> I think that Branko may have been thinking text messages when the word
> skype came up.  Video conferencing is at least as good as voice and, as you
> say, with archiving can be pretty powerful.  To my mind, though, there is
> definitely something nice about having somebody's passport in your hand and
> pretending you know what to look for to spot a fake.
>



-- 
NS


Re: key signing

2012-10-08 Thread Noah Slater
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote:

>
> There's another side to this, which I would derisively label, 'so
> what'? How does it help a user to see that my key is signed by 27 of
> my fellow Apache contributors, if the user has never met any of us,
> and has never met anyone who has met any of us, etc, etc. In other
> words, the Web of Trust only helps users (very much) if they are
> active participants, and likely to have trust links that reach ASF
> release managers.
>
> In my opinion, that's vanishingly unlikely, and so the best we can do
> is to allow users to verify that the signature was, in fact, made by
> the 'Apache hat' that it claimed to be made by. Using the keys in
> KEYS, or the fingerprints from LDAP, seems the best they can do.
>

To me, this seems like an outright dismissal of the web of trust because it
is "unlikely." Which it is sure to be if everyone dismisses it. You're
right in so much as not a lot of people care. But for the people that do
care, it is very important, and works just great. (Note, I am not one of
those people, though I am "in" the web of trust having been involved in
Debian, which takes it very seriously.) If you are the sort of person who
has a GPG key and gets it signed, then the chances are that you can
establish trust with an RM that does the same.

-- 
NS


Re: key signing

2012-10-08 Thread Ted Dunning
On Mon, Oct 8, 2012 at 7:46 PM, Marvin Humphrey wrote:

> On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej  wrote:
>
> > It says clearly, "as long as you can guarantee that you are
> > communicating with the key's true owner." Which was exactly my point.
>
> I assert a "virtual key-signing party" protocol incorporating Google Plus
> Hangouts could offer comparable assurances to a face-to-face key signing
> party.  I speculate that such a protocol would utilize the "Hangouts On
> Air"[1] feature which archives the hangout video directly to YouTube, along
> with possibly mailing list interaction and commits to ASF version control
> to
> achieve a layered approach a la multi-factor authentication.  Arguably,
> having
> archived video would make the virtual protocol _stronger_ than
> face-to-face.
>
> Whether such an initiative would be worth the effort is a different
> question,
> but video conferencing should not be dismissed out-of-hand as a tool for
> helping to associate a key with the key's true owner.
>
> [1] http://www.google.com/+/learnmore/hangouts/onair.html
>
>
I think that Branko may have been thinking text messages when the word
skype came up.  Video conferencing is at least as good as voice and, as you
say, with archiving can be pretty powerful.  To my mind, though, there is
definitely something nice about having somebody's passport in your hand and
pretending you know what to look for to spot a fake.


Re: key signing

2012-10-08 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej  wrote:

> It says clearly, "as long as you can guarantee that you are
> communicating with the key's true owner." Which was exactly my point.

I assert a "virtual key-signing party" protocol incorporating Google Plus
Hangouts could offer comparable assurances to a face-to-face key signing
party.  I speculate that such a protocol would utilize the "Hangouts On
Air"[1] feature which archives the hangout video directly to YouTube, along
with possibly mailing list interaction and commits to ASF version control to
achieve a layered approach a la multi-factor authentication.  Arguably, having
archived video would make the virtual protocol _stronger_ than face-to-face.

Whether such an initiative would be worth the effort is a different question,
but video conferencing should not be dismissed out-of-hand as a tool for
helping to associate a key with the key's true owner.

[1] http://www.google.com/+/learnmore/hangouts/onair.html

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



Re: key signing

2012-10-08 Thread Ted Dunning
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote:

> On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey 
> wrote:
> >> ...
> >> In this respect e-mail is just as secure, so why don't we all just sign
> >> keys because someone claiming to be from Chad sent us a mail asking
> >> us for a signature?
> >>
> >> Really.
> >
> > Is it your position that this excerpt from the GnuPG docs is wrong?
> >
> > This may be done in person or over the phone or through any other
> > means as long as you can guarantee that you are communicating with
> > the key's true owner.
>
>
> There's another side to this, which I would derisively label, 'so
> what'? How does it help a user to see that my key is signed by 27 of
> my fellow Apache contributors, if the user has never met any of us,
> and has never met anyone who has met any of us, etc, etc. In other
> words, the Web of Trust only helps users (very much) if they are
> active participants, and likely to have trust links that reach ASF
> release managers.
>
> In my opinion, that's vanishingly unlikely, and so the best we can do
> is to allow users to verify that the signature was, in fact, made by
> the 'Apache hat' that it claimed to be made by. Using the keys in
> KEYS, or the fingerprints from LDAP, seems the best they can do.
>

Folks who care about the Gnu web of trust will probably be hooked back into
the Linux committers network.  There are definitely connections from there
to the Apache community.  Thus, if the Apache community becomes completely
connected from a trust perspective, it is likely that there will be a short
path back to anybody connected into the Linux community.

I could be just such a link.  I had my (non-Apache) key signed at Buzzwords
last year and if I were to use that key for Apache work, we would have the
requisite link.
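
The reachability argument in this sub-thread (Benson's point that an outside user has no trust path to an ASF release manager, and Ted's that one cross-signature would supply it), sketched as an added example that is not part of any message here; the key names, the graph and the `max_depth` cap are constructed for illustration:

```python
from collections import deque

# Constructed certification graph: signer -> keys that signer has certified.
# Every key name here is made up; none comes from a real keyring.
SIGNATURES = {
    "user": {"debian-dev"},
    "debian-dev": {"kernel-dev", "user"},
    "kernel-dev": {"debian-dev"},
    "asf-committer-1": {"asf-rm", "asf-committer-2"},
    "asf-committer-2": {"asf-rm", "asf-committer-1"},
    "asf-rm": {"asf-committer-1"},
}


def certification_path(signatures, verifier, target, max_depth=5):
    """Return the shortest chain of certifications from verifier to target.

    Edges are directed: A -> B means "A signed B's key". max_depth limits
    the number of signature hops (an assumed cap for this example).
    Returns a list of key names, or None when no chain exists.
    """
    queue = deque([[verifier]])
    seen = {verifier}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain already at the hop limit; do not extend it
        for signed in sorted(signatures.get(path[-1], ())):
            if signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None


def with_signature(signatures, signer, signed):
    """Return a copy of the graph with one extra certification added."""
    copy = {key: set(targets) for key, targets in signatures.items()}
    copy.setdefault(signer, set()).add(signed)
    return copy


if __name__ == "__main__":
    # Two well-connected communities with no link between them.
    print(certification_path(SIGNATURES, "user", "asf-rm"))
    # One person holding a key in both communities bridges them.
    bridged = with_signature(SIGNATURES, "kernel-dev", "asf-committer-1")
    print(certification_path(bridged, "user", "asf-rm"))
```

A chain of signatures only shows that a path exists; whether a verifier's software accepts the target key still depends on how much the verifier trusts each intermediate signer.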


Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 12:47 PM, Dennis E. Hamilton  wrote:
> I don't understand what "keys from LDAP" are?
>
> Are these the same as keys whose fingerprints an ASF committer registers in
> their account or something else?

Yes. Sorry for the foggy phraseology.


>
>  - Dennis
>
> -----Original Message-----
> From: Benson Margulies [mailto:bimargul...@gmail.com]
> Sent: Monday, October 08, 2012 08:54
> To: general@incubator.apache.org
> Subject: Re: key signing
>
> [ ... ]
>
> In my opinion, that's vanishingly unlikely, and so the best we can do
> is to allow users to verify that the signature was, in fact, made by
> the 'Apache hat' that it claimed to be made by. Using the keys in
> KEYS, or the fingerprints from LDAP, seems the best they can do.
>
> [ ... ]
>
>
>




RE: key signing

2012-10-08 Thread Dennis E. Hamilton
I don't understand what "keys from LDAP" are?

Are these the same as keys whose fingerprints an ASF committer registers in
their account or something else?

 - Dennis

-----Original Message-----
From: Benson Margulies [mailto:bimargul...@gmail.com] 
Sent: Monday, October 08, 2012 08:54
To: general@incubator.apache.org
Subject: Re: key signing

[ ... ]

In my opinion, that's vanishingly unlikely, and so the best we can do
is to allow users to verify that the signature was, in fact, made by
the 'Apache hat' that it claimed to be made by. Using the keys in
KEYS, or the fingerprints from LDAP, seems the best they can do.

[ ... ]





Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey  wrote:
> On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej  wrote:
>> What guarantee do you have that a particular Skype ID is whoever you
>> think it is? None at all, unless the person involved looked at your
>> Skype contact list and said, yeah, that's me. Likewise for Google
>> Hangout. As long as they're doing that, they might as well verify the
>> signature fingerprint in your PGP keyring.
>>
>> In this respect e-mail is just as secure, so why don't we all just sign
>> keys because someone claiming to be from Chad sent us a mail asking
>> us for a signature?
>>
>> Really.
>
> Is it your position that this excerpt from the GnuPG docs is wrong?
>
> This may be done in person or over the phone or through any other
> means as long as you can guarantee that you are communicating with
> the key's true owner.


There's another side to this, which I would derisively label, 'so
what'? How does it help a user to see that my key is signed by 27 of
my fellow Apache contributors, if the user has never met any of us,
and has never met anyone who has met any of us, etc, etc. In other
words, the Web of Trust only helps users (very much) if they are
active participants, and likely to have trust links that reach ASF
release managers.

In my opinion, that's vanishingly unlikely, and so the best we can do
is to allow users to verify that the signature was, in fact, made by
the 'Apache hat' that it claimed to be made by. Using the keys in
KEYS, or the fingerprints from LDAP, seems the best they can do.

>
> Marvin Humphr
>
>




Re: key signing

2012-10-08 Thread Branko Čibej
On 08.10.2012 17:43, Marvin Humphrey wrote:
> On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej  wrote:
>> What guarantee do you have that a particular Skype ID is whoever you
>> think it is? None at all, unless the person involved looked at your
>> Skype contact list and said, yeah, that's me. Likewise for Google
>> Hangout. As long as they're doing that, they might as well verify the
>> signature fingerprint in your PGP keyring.
>>
>> In this respect e-mail is just as secure, so why don't we all just sign
>> keys because someone claiming to be from Chad sent us a mail asking
>> us for a signature?
>>
>> Really.
> Is it your position that this excerpt from the GnuPG docs is wrong?
>
> This may be done in person or over the phone or through any other
> means as long as you can guarantee that you are communicating with
> the key's true owner.

It says clearly, "as long as you can guarantee that you are
communicating with the key's true owner." Which was exactly my point.

-- Brane





Re: key signing

2012-10-08 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej  wrote:
> What guarantee do you have that a particular Skype ID is whoever you
> think it is? None at all, unless the person involved looked at your
> Skype contact list and said, yeah, that's me. Likewise for Google
> Hangout. As long as they're doing that, they might as well verify the
> signature fingerprint in your PGP keyring.
>
> In this respect e-mail is just as secure, so why don't we all just sign
> keys because someone claiming to be from Chad sent us a mail asking
> us for a signature?
>
> Really.

Is it your position that this excerpt from the GnuPG docs is wrong?

This may be done in person or over the phone or through any other
means as long as you can guarantee that you are communicating with
the key's true owner.

Marvin Humphrey




Allura name search - What next

2012-10-08 Thread Rich Bowen
Trademarks folks,


I've done a name search for 'Allura' and the results of that search are here:

https://issues.apache.org/jira/browse/PODLINGNAMESEARCH-15

Is there anything I still need to do in order to get the blessing of the 
Trademarks folks on using this name?

-- 
Rich Bowen
rbo...@rcbowen.com :: @rbowen
rbo...@apache.org








Re: key signing

2012-10-08 Thread Branko Čibej
On 08.10.2012 13:44, Franklin, Matthew B. wrote:
>> -----Original Message-----
>> From: Marvin Humphrey [mailto:mar...@rectangular.com]
>> Sent: Friday, October 05, 2012 8:54 PM
>> To: general@incubator.apache.org
>> Subject: Re: key signing
>>
>> On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting  
>> wrote:
>>> It's good to recommend people to get their keys signed by someone in
>>> the Apache web of trust and I think we could do more in that area,
>> Maybe if we didn't insist on face-to-face meetings we'd get better adoption
>> rates.
>>
>> Apache dev docs:
>>
>>http://www.apache.org/dev/openpgp.html#wot-link-in
>>
>>How To Link Into A Public Web Of Trust
>>
>>In short, expect that:
>>
>>*   this will involve a face-to-face meeting
>>
>> GnuPG docs:
>>
>>http://www.gnupg.org/gph/en/manual.html#AEN84
>>
>>A key's fingerprint is verified with the key's owner.  This may be done in
>>person or over the phone or through any other means as long as you can
>>guarantee that you are communicating with the key's true owner.
> +1.  I think with technologies like Skype & Google Hangout, we can get the 
> same level of assurance of a person's identity as a physical key signing 
> party.

What guarantee do you have that a particular Skype ID is whoever you
think it is? None at all, unless the person involved looked at your
Skype contact list and said, yeah, that's me. Likewise for Google
Hangout. As long as they're doing that, they might as well verify the
signature fingerprint in your PGP keyring.

In this respect e-mail is just as secure, so why don't we all just sign
keys because someone claiming to be from Chad sent us a mail asking
us for a signature?

Really.

-- Brane





RE: key signing

2012-10-08 Thread Franklin, Matthew B.
>-----Original Message-----
>From: Marvin Humphrey [mailto:mar...@rectangular.com]
>Sent: Friday, October 05, 2012 8:54 PM
>To: general@incubator.apache.org
>Subject: Re: key signing
>
>On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting  wrote:
>> It's good to recommend people to get their keys signed by someone in
>> the Apache web of trust and I think we could do more in that area,
>
>Maybe if we didn't insist on face-to-face meetings we'd get better adoption
>rates.
>
>Apache dev docs:
>
>http://www.apache.org/dev/openpgp.html#wot-link-in
>
>How To Link Into A Public Web Of Trust
>
>In short, expect that:
>
>*   this will involve a face-to-face meeting
>
>GnuPG docs:
>
>http://www.gnupg.org/gph/en/manual.html#AEN84
>
>A key's fingerprint is verified with the key's owner.  This may be done in
>person or over the phone or through any other means as long as you can
>guarantee that you are communicating with the key's true owner.

+1.  I think with technologies like Skype & Google Hangout, we can get the same 
level of assurance of a person's identity as a physical key signing party.

What if we held a regular Google Hangout Key Signing party?  We can always ask 
participants to show IDs :)

>
>Marvin Humphrey
>





[RESULT] [VOTE] Apache Syncope 1.0.2-incubating

2012-10-08 Thread Francesco Chicchiriccò
Hi all,
after 72 hours, the vote for Syncope 1.0.2-incubating [1] *passes* with
3 IPMC + 0 non-IPMC votes.

+1 (IPMC / binding)
* Colm O hEigeartaigh (vote given via syncope-dev mailing list)
* Emmanuel Lécharny (vote given via syncope-dev mailing list)
* Jean-Baptiste Onofré (vote given via syncope-dev mailing list)

+1 (non binding)
none

0
none

-1
none

Thanks to everyone participating.

I will now copy this release to Syncope's dist directory and promote the
artifacts to the central Maven repository.

Best regards.

[1]
http://mail-archives.apache.org/mod_mbox/incubator-general/201210.mbox/%3C506E9DAE.8020304%40apache.org%3E

-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/





Re: [VOTE] Graduate Isis podling from Apache Incubator

2012-10-08 Thread Dan Haywood
Since more than 72 hours have elapsed and we have had sufficient activity, I
am now closing this vote.  I will post the results in a separate thread.

On 7 October 2012 21:26, Mohammad Nour El-Din wrote:

> [x] +1 Graduate Isis podling from Apache Incubator
>
> On Fri, Oct 5, 2012 at 5:44 PM, Jukka Zitting 
> wrote:
> > Hi,
> >
> > On Thu, Oct 4, 2012 at 2:41 PM, Dan Haywood
> >  wrote:
> >> This is a call for vote to graduate the Isis podling from Apache
> Incubator.
> >
> >   [x] +1 Graduate Isis podling from Apache Incubator
> >
> >> [...]
> >> Committee charged with the creation and maintenance of
> >> open-source software, for distribution at no charge to the public,
> >> to enable the creation of software using domain-driven
> >> design principles, and the realization of this through the
> >> naked objects architectural pattern,
> >> [...]
> >> responsible for the creation and maintenance of software
> >> related to and inspired by the naked objects architectural
> >> pattern; and be it further
> >
> > It would be clearer if these two statements of scope weren't slightly
> > different. How about simply:
> >
> > [...] related to the naked objects architectural pattern [...]
> >
> > ... for both parts?
> >
> > BR,
> >
> > Jukka Zitting
> >
> >
>
>
>
> --
> Thanks
> - Mohammad Nour
> 
> "Life is like riding a bicycle. To keep your balance you must keep moving"
> - Albert Einstein
>
>
>


[RESULT] [VOTE] Graduate Isis podling from Apache Incubator

2012-10-08 Thread Dan Haywood
The vote to graduate Isis from the incubator is SUCCESSFUL.

There were 5 +1's:
- Mark Struberg
- Benson Margulies
- Bertrand Delacretaz
- Jukka Zitting
- Mohammad Nour El-Din

No other votes were passed.

Jukka suggested an alteration to one phrase of the resolution.  However,
no-one else commented on that suggestion.  That being the case (and since
there were no comments in the community vote), I suggest that the wording
stands.  I have included the text of the resolution at the end of this mail.

My thanks to all,
Dan

~
Establish the Apache Isis Top-Level Project

WHEREAS, the Board of Directors deems it to be in the best
interests of the Foundation and consistent with the
Foundation's purpose to establish a Project Management
Committee charged with the creation and maintenance of
open-source software, for distribution at no charge to the public,
to enable the creation of software using domain-driven
design principles, and the realization of this through the
naked objects architectural pattern,

NOW, THEREFORE, BE IT RESOLVED, that a Project Management
Committee (PMC), to be known as the "Apache Isis Project",
be and hereby is established pursuant to Bylaws of the
Foundation; and be it further

RESOLVED, that the Apache Isis Project be and hereby is
responsible for the creation and maintenance of software
related to and inspired by the naked objects architectural
pattern; and be it further

RESOLVED, that the office of "Vice President, Apache Isis" be
and hereby is created, the person holding such office to
serve at the direction of the Board of Directors as the chair
of the Apache Isis Project, and to have primary responsibility
for management of the projects within the scope of
responsibility of the Apache Isis Project; and be it further

RESOLVED, that the persons listed immediately below be and
hereby are appointed to serve as the initial members of the
Apache Isis Project:

Dan Haywood 
Robert Matthews 
Kevin Meyer 
Alexander Krasnukhin 
Dave Slaughter 
Jeroen van der Wal 
Mohammad Nour El-Din 
Mark Struberg 

NOW, THEREFORE, BE IT FURTHER RESOLVED, that Dan Haywood
be appointed to the office of Vice President, Apache Isis, to
serve in accordance with and subject to the direction of the
Board of Directors and the Bylaws of the Foundation until
death, resignation, retirement, removal or disqualification,
or until a successor is appointed; and be it further

RESOLVED, that the initial Apache Isis PMC be and hereby is
tasked with the creation of a set of bylaws intended to
encourage open development and increased participation in the
Apache Isis Project; and be it further

RESOLVED, that the Apache Isis Project be and hereby
is tasked with the migration and rationalization of the Apache
Incubator Isis podling; and be it further

RESOLVED, that all responsibilities pertaining to the Apache
Incubator Isis podling encumbered upon the Apache Incubator
Project are hereafter discharged.