List for documentation
As you all know, at ODFAuthors we are still maintaining (with great difficulty) the Spanish documentation for OpenOffice. Until now we have used a list at oooes.org to communicate. It seems the time has come to leave that list and use one belonging to Apache OpenOffice. I think that for now, since traffic is not very heavy, we could use this list, so if nobody objects or proposes a better option, within 72 hours (lazy consensus) I will send a message to the old list announcing that we are moving to this one.

I also take the opportunity in this message to remind you that we are still working on the documentation and that, as always, any help is welcome.

Regards
Juan Carlos Sanz

-- To unsubscribe: ooo-general-es-unsubscr...@incubator.apache.org For more information: http://www.openoffice.org/es/
Re: List for documentation
On 09/10/2012 1:17, Ariel Constenla-Haile wrote:

Hi Juan,

* On Mon, Oct 08, 2012 at 07:54:15PM +0200, Juan C. Sanz wrote:

As you all know, at ODFAuthors we are still maintaining (with great difficulty) the Spanish documentation for OpenOffice. Until now we have used a list at oooes.org to communicate. It seems the time has come to leave that list and use one belonging to Apache OpenOffice. I think that for now, since traffic is not very heavy, we could use this list, so if nobody objects or proposes a better option, within 72 hours (lazy consensus) I will send a message to the old list announcing that we are moving to this one.

+1

I also take the opportunity in this message to remind you that we are still working on the documentation and that, as always, any help is welcome.

We should localize Participar (the fifth item in the list in index.html; and at the top, to the right of the site's navigation bar), so that it points to a page within the site, with information on how to take part in translating documentation, the user interface, etc., and a link to the ways of participating in the project at a global level, instead of sending people straight to the English page.

Agreed, I will take care of seeing what can be done (though don't expect results by tomorrow).

Regards
Re: List for documentation
On Tue, Oct 09, 2012 at 01:26:19AM +0200, RGB ES wrote:

On 9 October 2012 01:17, Ariel Constenla-Haile arie...@apache.org wrote:

We should localize Participar (the fifth item in the list in index.html; and at the top, to the right of the site's navigation bar), so that it points to a page within the site, with information on how to take part in translating documentation, the user interface, etc., and a link to the ways of participating in the project at a global level, instead of sending people straight to the English page.

Some things are already on the "new" wiki: http://wiki.openoffice.org/wiki/ES/Participar

A bit of copy and paste can be done for the site, linking to the wiki for more details (IMO it is better for the site's links to point first to the site itself); I think the wiki text and the Apache CMS are compatible, I have just replaced es/participar/index.html with an index.mdtext there.

Regards
-- Ariel Constenla-Haile La Plata, Argentina
Re: [VOTE] JSPWiki version 2.9.0-incubating
Christian and Craig, thank you very much for having a look at the RC and pointing out these issues. We'll fix these asap. Regards Florian - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
[RESULT] [VOTE] Graduate Isis podling from Apache Incubator
The vote to graduate Isis from the incubator is SUCCESSFUL.

There were 5 +1's:
- Mark Struberg
- Benson Margulies
- Bertrand Delacretaz
- Jukka Zitting
- Mohammad Nour El-Din

No other votes were passed.

Jukka suggested an alteration to one phrase of the resolution. However, no-one else commented on that suggestion. That being the case (and since there were no comments in the community vote), I suggest that the wording stands.

I have included the text of the resolution at the end of this mail.

My thanks to all,
Dan

~

Establish the Apache Isis Top-Level Project

WHEREAS, the Board of Directors deems it to be in the best interests of the Foundation and consistent with the Foundation's purpose to establish a Project Management Committee charged with the creation and maintenance of open-source software, for distribution at no charge to the public, to enable the creation of software using domain-driven design principles, and the realization of this through the naked objects architectural pattern,

NOW, THEREFORE, BE IT RESOLVED, that a Project Management Committee (PMC), to be known as the Apache Isis Project, be and hereby is established pursuant to Bylaws of the Foundation; and be it further

RESOLVED, that the Apache Isis Project be and hereby is responsible for the creation and maintenance of software related to and inspired by the naked objects architectural pattern; and be it further

RESOLVED, that the office of Vice President, Apache Isis be and hereby is created, the person holding such office to serve at the direction of the Board of Directors as the chair of the Apache Isis Project, and to have primary responsibility for management of the projects within the scope of responsibility of the Apache Isis Project; and be it further

RESOLVED, that the persons listed immediately below be and hereby are appointed to serve as the initial members of the Apache Isis Project:

Dan Haywood danhayw...@apache.org
Robert Matthews rmatth...@apache.org
Kevin Meyer ke...@apache.org
Alexander Krasnukhin themalk...@apache.org
Dave Slaughter dslaugh...@apache.org
Jeroen van der Wal jcvander...@apache.org
Mohammad Nour El-Din mn...@apache.org
Mark Struberg strub...@apache.org

NOW, THEREFORE, BE IT FURTHER RESOLVED, that Dan Haywood be appointed to the office of Vice President, Apache Isis, to serve in accordance with and subject to the direction of the Board of Directors and the Bylaws of the Foundation until death, resignation, retirement, removal or disqualification, or until a successor is appointed; and be it further

RESOLVED, that the initial Apache Isis PMC be and hereby is tasked with the creation of a set of bylaws intended to encourage open development and increased participation in the Apache Isis Project; and be it further

RESOLVED, that the Apache Isis Project be and hereby is tasked with the migration and rationalization of the Apache Incubator Isis podling; and be it further

RESOLVED, that all responsibilities pertaining to the Apache Incubator Isis podling encumbered upon the Apache Incubator Project are hereafter discharged.
Re: [VOTE] Graduate Isis podling from Apache Incubator
Since more than 72 hours have elapsed and we have had sufficient activity, I am now closing this vote. I will post the results in a separate thread.

On 7 October 2012 21:26, Mohammad Nour El-Din nour.moham...@gmail.com wrote:

[x] +1 Graduate Isis podling from Apache Incubator

On Fri, Oct 5, 2012 at 5:44 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:

Hi,

On Thu, Oct 4, 2012 at 2:41 PM, Dan Haywood d...@haywood-associates.co.uk wrote:

This is a call for vote to graduate the Isis podling from Apache Incubator.

[x] +1 Graduate Isis podling from Apache Incubator

[...] Committee charged with the creation and maintenance of open-source software, for distribution at no charge to the public, to enable the creation of software using domain-driven design principles, and the realization of this through the naked objects architectural pattern, [...] responsible for the creation and maintenance of software related to and inspired by the naked objects architectural pattern; and be it further

It would be clearer if these two statements of scope weren't slightly different. How about simply: [...] related to the naked objects architectural pattern [...] ... for both parts?

BR,
Jukka Zitting

-- Thanks - Mohammad Nour Life is like riding a bicycle. To keep your balance you must keep moving - Albert Einstein
[RESULT] [VOTE] Apache Syncope 1.0.2-incubating
Hi all,

after 72 hours, the vote for Syncope 1.0.2-incubating [1] *passes* with 3 IPMC + 0 non-IPMC votes.

+1 (IPMC / binding)
* Colm O hEigeartaigh (vote given via syncope-dev mailing list)
* Emmanuel Lécharny (vote given via syncope-dev mailing list)
* Jean-Baptiste Onofré (vote given via syncope-dev mailing list)

+1 (non binding)
none

0
none

-1
none

Thanks to everyone participating. I will now copy this release to Syncope's dist directory and promote the artifacts to the central Maven repository.

Best regards.

[1] http://mail-archives.apache.org/mod_mbox/incubator-general/201210.mbox/%3C506E9DAE.8020304%40apache.org%3E

-- Francesco Chicchiriccò ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member http://people.apache.org/~ilgrosso/
RE: key signing
-Original Message- From: Marvin Humphrey [mailto:mar...@rectangular.com] Sent: Friday, October 05, 2012 8:54 PM To: general@incubator.apache.org Subject: Re: key signing

On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:

It's good to recommend people to get their keys signed by someone in the Apache web of trust and I think we could do more in that area,

Maybe if we didn't insist on face-to-face meetings we'd get better adoption rates.

Apache dev docs: http://www.apache.org/dev/openpgp.html#wot-link-in

How To Link Into A Public Web Of Trust

In short, expect that:
* this will involve a face-to-face meeting

GnuPG docs: http://www.gnupg.org/gph/en/manual.html#AEN84

A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner.

+1. I think with technologies like Skype Google Hangout, we can get the same level of assurance of a person's identity as a physical key signing party.

What if we held a regular Google Hangout Key Signing party? We can always ask participants to show IDs :)

Marvin Humphrey
Re: key signing
On 08.10.2012 13:44, Franklin, Matthew B. wrote:

-Original Message- From: Marvin Humphrey [mailto:mar...@rectangular.com] Sent: Friday, October 05, 2012 8:54 PM To: general@incubator.apache.org Subject: Re: key signing

On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting jukka.zitt...@gmail.com wrote:

It's good to recommend people to get their keys signed by someone in the Apache web of trust and I think we could do more in that area,

Maybe if we didn't insist on face-to-face meetings we'd get better adoption rates.

Apache dev docs: http://www.apache.org/dev/openpgp.html#wot-link-in

How To Link Into A Public Web Of Trust

In short, expect that:
* this will involve a face-to-face meeting

GnuPG docs: http://www.gnupg.org/gph/en/manual.html#AEN84

A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner.

+1. I think with technologies like Skype Google Hangout, we can get the same level of assurance of a person's identity as a physical key signing party.

What guarantee do you have that a particular Skype ID is whoever you think it is? None at all, unless the person involved looked at your Skype contact list and said, yeah, that's me. Likewise for Google Hangout. As long as they're doing that, they might as well verify the signature fingerprint in your PGP keyring.

In this respect e-mail is just as secure, so why don't we all just sign keys because someone claiming to be from Chad sent us a mail asking us for a signature? Really.

-- Brane
Allura name search - What next
Trademarks folks, I've done a name search for 'Allura' and the results of that search are here: https://issues.apache.org/jira/browse/PODLINGNAMESEARCH-15 Is there anything I still need to do in order to get the blessing of the Trademarks folks on using this name? -- Rich Bowen rbo...@rcbowen.com :: @rbowen rbo...@apache.org
Re: key signing
On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej br...@apache.org wrote:

What guarantee do you have that a particular Skype ID is whoever you think it is? None at all, unless the person involved looked at your Skype contact list and said, yeah, that's me. Likewise for Google Hangout. As long as they're doing that, they might as well verify the signature fingerprint in your PGP keyring.

In this respect e-mail is just as secure, so why don't we all just sign keys because someone claiming to be from Chad sent us a mail asking us for a signature? Really.

Is it your position that this excerpt from the GnuPG docs is wrong?

This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner.

Marvin Humphrey
Re: key signing
On 08.10.2012 17:43, Marvin Humphrey wrote:

On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej br...@apache.org wrote:

What guarantee do you have that a particular Skype ID is whoever you think it is? None at all, unless the person involved looked at your Skype contact list and said, yeah, that's me. Likewise for Google Hangout. As long as they're doing that, they might as well verify the signature fingerprint in your PGP keyring.

In this respect e-mail is just as secure, so why don't we all just sign keys because someone claiming to be from Chad sent us a mail asking us for a signature? Really.

Is it your position that this excerpt from the GnuPG docs is wrong?

This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner.

It says clearly, as long as you can guarantee that you are communicating with the key's true owner. Which was exactly my point.

-- Brane
Re: key signing
On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey mar...@rectangular.com wrote:

On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej br...@apache.org wrote:

What guarantee do you have that a particular Skype ID is whoever you think it is? None at all, unless the person involved looked at your Skype contact list and said, yeah, that's me. Likewise for Google Hangout. As long as they're doing that, they might as well verify the signature fingerprint in your PGP keyring.

In this respect e-mail is just as secure, so why don't we all just sign keys because someone claiming to be from Chad sent us a mail asking us for a signature? Really.

Is it your position that this excerpt from the GnuPG docs is wrong?

This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner.

There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc.

In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do.

Marvin Humphr
RE: key signing
I don't understand what keys from LDAP are. Are these the same as keys whose fingerprints an ASF committer registers in their account or something else?

- Dennis

-Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Monday, October 08, 2012 08:54 To: general@incubator.apache.org Subject: Re: key signing

[ ... ] In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do. [ ... ]
Re: key signing
On Mon, Oct 8, 2012 at 12:47 PM, Dennis E. Hamilton orc...@apache.org wrote:

I don't understand what keys from LDAP are. Are these the same as keys whose fingerprints an ASF committer registers in their account or something else?

Yes. Sorry for the foggy phraseology.

- Dennis

-Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Monday, October 08, 2012 08:54 To: general@incubator.apache.org Subject: Re: key signing

[ ... ] In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do. [ ... ]
Re: key signing
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote:

On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey mar...@rectangular.com wrote:

... In this respect e-mail is just as secure, so why don't we all just sign keys because someone claiming to be from Chad sent us a mail asking us for a signature? Really.

Is it your position that this excerpt from the GnuPG docs is wrong?

This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner.

There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc.

In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do.

Folks who care about the Gnu web of trust will probably be hooked back into the Linux committers network. There are definitely connections from there to the Apache community. Thus, if the Apache community becomes completely connected from a trust perspective, it is likely that there will be a short path back to anybody connected into the Linux community.

I could be just such a link. I had my (non-Apache) key signed at Buzzwords last year and if I were to use that key for Apache work, we would have the requisite link.
Re: key signing
On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej br...@apache.org wrote:

It says clearly, as long as you can guarantee that you are communicating with the key's true owner. Which was exactly my point.

I assert a virtual key-signing party protocol incorporating Google Plus Hangouts could offer comparable assurances to a face-to-face key signing party.

I speculate that such a protocol would utilize the Hangouts On Air[1] feature which archives the hangout video directly to YouTube, along with possibly mailing list interaction and commits to ASF version control to achieve a layered approach a la multi-factor authentication. Arguably, having archived video would make the virtual protocol _stronger_ than face-to-face.

Whether such an initiative would be worth the effort is a different question, but video conferencing should not be dismissed out-of-hand as a tool for helping to associate a key with the key's true owner.

[1] http://www.google.com/+/learnmore/hangouts/onair.html
Re: key signing
On Mon, Oct 8, 2012 at 7:46 PM, Marvin Humphrey mar...@rectangular.com wrote:

On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej br...@apache.org wrote:

It says clearly, as long as you can guarantee that you are communicating with the key's true owner. Which was exactly my point.

I assert a virtual key-signing party protocol incorporating Google Plus Hangouts could offer comparable assurances to a face-to-face key signing party.

I speculate that such a protocol would utilize the Hangouts On Air[1] feature which archives the hangout video directly to YouTube, along with possibly mailing list interaction and commits to ASF version control to achieve a layered approach a la multi-factor authentication. Arguably, having archived video would make the virtual protocol _stronger_ than face-to-face.

Whether such an initiative would be worth the effort is a different question, but video conferencing should not be dismissed out-of-hand as a tool for helping to associate a key with the key's true owner.

[1] http://www.google.com/+/learnmore/hangouts/onair.html

I think that Branko may have been thinking text messages when the word skype came up. Video conferencing is at least as good as voice and, as you say, with archiving can be pretty powerful.

To my mind, though, there is definitely something nice about having somebody's passport in your hand and pretending you know what to look for to spot a fake.
Re: key signing
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote:

There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc.

In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do.

To me, this seems like an outright dismissal of the web of trust because it is unlikely. Which it is sure to be if everyone dismisses it.

You're right in so much as not a lot of people care. But for the people that do care, it is very important, and works just great. (Note, I am not one of those people, though I am in the web of trust having been involved in Debian, which takes it very seriously.)

If you are the sort of person who has a GPG key and gets it signed, then the chances are that you can establish trust with an RM that does the same.

-- NS
Re: key signing
This is an important point. Debian has a complete toolset and guidelines for managing this.

http://www.debian.org/events/keysigning

To quote:

People should only sign a key under at least two conditions:

1. The key owner convinces the signer that the identity in the UID is indeed their own identity by whatever evidence the signer is willing to accept as convincing. Usually this means the key owner must present a government issued ID with a picture and information that match up with the key owner. (Some signers know that government issued ID's are easily forged and that the trustability of the issuing authorities is often suspect and so they may require additional and/or alternative evidence of identity).

2. The key owner verifies that the fingerprint and the length of the key about to be signed is indeed their own.

How would you do this via Skype? If we don't take this seriously, how can we expect other people to take our keys seriously?

(Debian also has a few tools to help automate this stuff. See above link.)

If we're going to adopt a key signing model, we should strongly consider basing it on Debian's.

On Mon, Oct 8, 2012 at 9:45 PM, Ted Dunning ted.dunn...@gmail.com wrote:

On Mon, Oct 8, 2012 at 7:46 PM, Marvin Humphrey mar...@rectangular.com wrote:

On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej br...@apache.org wrote:

It says clearly, as long as you can guarantee that you are communicating with the key's true owner. Which was exactly my point.

I assert a virtual key-signing party protocol incorporating Google Plus Hangouts could offer comparable assurances to a face-to-face key signing party.

I speculate that such a protocol would utilize the Hangouts On Air[1] feature which archives the hangout video directly to YouTube, along with possibly mailing list interaction and commits to ASF version control to achieve a layered approach a la multi-factor authentication. Arguably, having archived video would make the virtual protocol _stronger_ than face-to-face.

Whether such an initiative would be worth the effort is a different question, but video conferencing should not be dismissed out-of-hand as a tool for helping to associate a key with the key's true owner.

[1] http://www.google.com/+/learnmore/hangouts/onair.html

I think that Branko may have been thinking text messages when the word skype came up. Video conferencing is at least as good as voice and, as you say, with archiving can be pretty powerful.

To my mind, though, there is definitely something nice about having somebody's passport in your hand and pretending you know what to look for to spot a fake.

-- NS
Re: key signing
On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater nsla...@tumbolia.org wrote:

On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote:

There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc.

In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do.

To me, this seems like an outright dismissal of the web of trust because it is unlikely. Which it is sure to be if everyone dismisses it.

You're right in so much as not a lot of people care. But for the people that do care, it is very important, and works just great. (Note, I am not one of those people, though I am in the web of trust having been involved in Debian, which takes it very seriously.)

If you are the sort of person who has a GPG key and gets it signed, then the chances are that you can establish trust with an RM that does the same.

I've been watching PGP from its birth, and I've seen very little evidence of the web of trust growing from geeks like us to the sort of people who download and install Tomcat. If you can offer some counterevidence, I'm all eyes.

My personal enthusiasm is for all Apache projects to share a clear recipe for their users to verify downloads. That recipe should work for *every user* and *every release manager*.

-- NS
Re: key signing
Perhaps not Tomcat, but the entire Foundation and all of its current and future projects should be under consideration here.

The long and short of it is that key signing can't hurt. And a key signing guide certainly can't hurt. RMs should feel free to do this, if they are interested in it, and users who care about it can take advantage of it, if it interests them.

I certainly wouldn't want to think that we mandate anything. (You know you can't be a Debian developer until you have your key signed by another Debian developer? That set me back months. I'm something of a recluse!)

On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies bimargul...@gmail.com wrote:

On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater nsla...@tumbolia.org wrote:

On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote:

There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc.

In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do.

To me, this seems like an outright dismissal of the web of trust because it is unlikely. Which it is sure to be if everyone dismisses it.

You're right in so much as not a lot of people care. But for the people that do care, it is very important, and works just great. (Note, I am not one of those people, though I am in the web of trust having been involved in Debian, which takes it very seriously.)

If you are the sort of person who has a GPG key and gets it signed, then the chances are that you can establish trust with an RM that does the same.

I've been watching PGP from its birth, and I've seen very little evidence of the web of trust growing from geeks like us to the sort of people who download and install Tomcat. If you can offer some counterevidence, I'm all eyes.

My personal enthusiasm is for all Apache projects to share a clear recipe for their users to verify downloads. That recipe should work for *every user* and *every release manager*.

-- NS
Re: key signing
Caveat: But I do think that if we do have a key signing guide (and I think we should) then it should be strict about our standards. (i.e. when and when not to sign somebody's key. Basic QA on what sort of trust we're trying to build here.) On Mon, Oct 8, 2012 at 11:15 PM, Noah Slater nsla...@tumbolia.org wrote: Perhaps not Tomcat, but the entire Foundation and all of it's current and future projects should be under consideration here. The long and short of it is that key signing can't hurt. And a key signing guide certainly can't hurt. RMs should feel free to do this, if they are interested in it, and users who care about it can take advantage of it, if it interests them. I certainly wouldn't want to think that we mandate anything. (You know you can't be a Debian developer until you have your key signed by another Debian developer? That set me back months. I'm something of a recluse!) On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies bimargul...@gmail.comwrote: On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater nsla...@tumbolia.org wrote: On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote: There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc. In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do. To me, this seems like an outright dismissal of the web of trust because it is unlikely. Which it is sure to be if everyone dismisses it. 
You're right in so much as not a lot of people care. But for the people that do care, it is very important, and works just great. (Note, I am not one of those people, though I am in the web of trust having been involved in Debian, which takes it very seriously.) If you are the sort of person who has a GPG key and gets it signed, then the chances are that you can establish trust with an RM that does the same.

I've been watching PGP from its birth, and I've seen very little evidence of the web of trust growing from geeks like us to the sort of people who download and install Tomcat. If you can offer some counterevidence, I'm all eyes. My personal enthusiasm is for all Apache projects to share a clear recipe for their users to verify downloads. That recipe should work for *every user* and *every release manager*.

-- NS

-- NS

-- NS
Re: key signing
On Mon, Oct 8, 2012 at 6:15 PM, Noah Slater nsla...@tumbolia.org wrote:
Perhaps not Tomcat, but the entire Foundation and all of its current and future projects should be under consideration here. The long and short of it is that key signing can't hurt. And a key signing guide certainly can't hurt. RMs should feel free to do this, if they are interested in it, and users who care about it can take advantage of it, if it interests them. I certainly wouldn't want to think that we mandate anything. (You know you can't be a Debian developer until you have your key signed by another Debian developer? That set me back months. I'm something of a recluse!)

I'm absolutely not opposed to key signing. I am somewhat opposed to presenting 'look at the signature(s)' as a very prominent verification option on a page aimed at users. I am very much in favor of streamlining and describing alternatives that avoid the need for the user to be a WoT participant, such as taking advantage of KEYS files and the like.

On Mon, Oct 8, 2012 at 10:37 PM, Benson Margulies bimargul...@gmail.com wrote:
On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater nsla...@tumbolia.org wrote:
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote:
There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc. In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do.
To me, this seems like an outright dismissal of the web of trust because it is unlikely. Which it is sure to be if everyone dismisses it. You're right in so much as not a lot of people care. But for the people that do care, it is very important, and works just great. (Note, I am not one of those people, though I am in the web of trust having been involved in Debian, which takes it very seriously.) If you are the sort of person who has a GPG key and gets it signed, then the chances are that you can establish trust with an RM that does the same.

I've been watching PGP from its birth, and I've seen very little evidence of the web of trust growing from geeks like us to the sort of people who download and install Tomcat. If you can offer some counterevidence, I'm all eyes. My personal enthusiasm is for all Apache projects to share a clear recipe for their users to verify downloads. That recipe should work for *every user* and *every release manager*.

-- NS

-- NS
Re: key signing
Let's try a little statistically-invalid experiment of sample size one. The last time I had a key signed at Apache, it was by Dan Kulp. Now, pretend that you are a suspicious user of one of the many Maven plugins releases that I RM. Can you reach Dan from yourself in the web? Is there anyone you, personally, trust who starts a chain that leads to him?
Re: svn commit: r1395765 - in /incubator/public/trunk/content: clutch.txt podlings.xml projects/bigtop.xml report_due_3.txt
Please do not hand-edit the Clutch output files. http://incubator.apache.org/clutch.html#h-Graduate http://incubator.apache.org/guides/graduation.html#unincubate If people do want to run the Clutch program, then update content/podlings.xml file, then follow: http://incubator.apache.org/clutch.html#notes -David r...@apache.org wrote: Author: rvs Date: Mon Oct 8 20:44:54 2012 New Revision: 1395765 URL: http://svn.apache.org/viewvc?rev=1395765view=rev Log: Bigtop graduated Modified: incubator/public/trunk/content/clutch.txt incubator/public/trunk/content/podlings.xml incubator/public/trunk/content/projects/bigtop.xml incubator/public/trunk/content/report_due_3.txt Modified: incubator/public/trunk/content/clutch.txt URL: http://svn.apache.org/viewvc/incubator/public/trunk/content/clutch.txt?rev=1395765r1=1395764r2=1395765view=diff == --- incubator/public/trunk/content/clutch.txt (original) +++ incubator/public/trunk/content/clutch.txt Mon Oct 8 20:44:54 2012 @@ -2,7 +2,6 @@ allura,Allura,Incubator ambari,Ambari,Incubator amber,Amber,Shindig -bigtop,Bigtop,Incubator bloodhound,Bloodhound,Incubator blur,Blur,Incubator celix,Celix,Incubator Modified: incubator/public/trunk/content/podlings.xml URL: http://svn.apache.org/viewvc/incubator/public/trunk/content/podlings.xml?rev=1395765r1=1395764r2=1395765view=diff == --- incubator/public/trunk/content/podlings.xml [utf-8] (original) +++ incubator/public/trunk/content/podlings.xml [utf-8] Mon Oct 8 20:44:54 2012 
@@ -180,7 +180,7 @@ mentorCraig McClanahan/mentor /mentors /podling -podling name=Bigtop status=current resource=bigtop sponsor=Incubator startdate=2011-06-20 +podling name=Bigtop status=graduated resource=bigtop sponsor=Incubator startdate=2011-06-20 enddate=2012-09-19 descriptionBigtop is a project for the development of packaging and tests of the Hadoop ecosystem./description reporting group=3/ graduating/ Modified: incubator/public/trunk/content/projects/bigtop.xml URL: http://svn.apache.org/viewvc/incubator/public/trunk/content/projects/bigtop.xml?rev=1395765r1=1395764r2=1395765view=diff == --- incubator/public/trunk/content/projects/bigtop.xml [utf-8] (original) +++ incubator/public/trunk/content/projects/bigtop.xml [utf-8] Mon Oct 8 20:44:54 2012 @@ -18,6 +18,7 @@ section id=News titleNews/title ul +li2012-09-19 Apache Bigtop graduates from the Incbuator./li li2012-08-20 0.4.0-incubating released!/li li2012-03-30 New Committer: Stephen Chu/li li2012-04-12 0.3.0-incubating released!/li Modified: incubator/public/trunk/content/report_due_3.txt URL: http://svn.apache.org/viewvc/incubator/public/trunk/content/report_due_3.txt?rev=1395765r1=1395764r2=1395765view=diff == --- incubator/public/trunk/content/report_due_3.txt (original) +++ incubator/public/trunk/content/report_due_3.txt Mon Oct 8 20:44:54 2012 @@ -1,5 +1,4 @@ Allura Developers allura-...@incubator.apache.org -Bigtop Developers bigtop-...@incubator.apache.org Bloodhound Developers bloodhound-...@incubator.apache.org Blur Developers blur-...@incubator.apache.org Cordova Developers callback-...@incubator.apache.org - To unsubscribe, e-mail: cvs-unsubscr...@incubator.apache.org For additional commands, e-mail: cvs-h...@incubator.apache.org - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
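Review bot: The clutch.txt hunk drops the `bigtop,Bigtop,Incubator` line by hand, which is what the reply above asks committers not to do with Clutch output files. Revert that part and let the Clutch program regenerate the file from the updated content/podlings.xml; if report_due_3.txt is produced the same way, the removal of the Bigtop Developers line there should come from regeneration too.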
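Review bot: In the podlings.xml hunk the Bigtop entry becomes status=graduated with enddate=2012-09-19, but the unchanged context right below it still carries the `reporting group=3` and `graduating` elements. Confirm whether a graduated podling should keep them, since the same commit already removes Bigtop from report_due_3.txt.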
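Review bot: The News entry added in projects/bigtop.xml misspells "Incubator" as "Incbuator" ("Apache Bigtop graduates from the Incbuator."). Fix the spelling before the page is published; the 2012-09-19 date itself matches the enddate set in podlings.xml.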
Re: key signing
I don't know how to check that. Heh. Would be interested in giving it a shot. Are there tools to look up graphs?

On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies bimargul...@gmail.com wrote:
Let's try a little statistically-invalid experiment of sample size one. The last time I had a key signed at Apache, it was by Dan Kulp. Now, pretend that you are a suspicious user of one of the many Maven plugins releases that I RM. Can you reach Dan from yourself in the web? Is there anyone you, personally, trust who starts a chain that leads to him?

-- NS
Re: key signing
Found one... Just poking around manually...

J. Daniel Kulp dk...@apache.org http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x858FC4C4F43856A3
Signed by Carsten Ziegeler cziege...@apache.org http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x132E49D4E41EDC7E
Signed by Marcus Crafter craft...@debian.org http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x394D2FE3C4C57B42

And all Debian folk are connected, as per my previous email. :) There should be a tool for this!

On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies bimargul...@gmail.com wrote:
Let's try a little statistically-invalid experiment of sample size one. The last time I had a key signed at Apache, it was by Dan Kulp. Now, pretend that you are a suspicious user of one of the many Maven plugins releases that I RM. Can you reach Dan from yourself in the web? Is there anyone you, personally, trust who starts a chain that leads to him?

-- NS
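The manual walk in the message above (Kulp signed by Ziegeler, Ziegeler signed by Crafter) is a path search over signature edges. The following Python is an added example, not part of the original thread: it assumes input shaped like `gpg --check-sigs --with-colons` and keeps only signatures GnuPG marked good. The listing, its dates and the keys ending A1 and B2 are constructed; only the three key IDs come from the message above.

```python
from collections import deque

# CONSTRUCTED listing in the colon format of `gpg --check-sigs --with-colons`.
# Only the three 16-hex key IDs are taken from the thread; algorithms, dates,
# the verifier key ...A1 and the unknown key ...B2 are made up for the example.
SAMPLE = """\
pub:-:4096:1:858FC4C4F43856A3:1262304000:::-:::scESC:
uid:-::::1262304000::::J. Daniel Kulp:
sig:!::1:858FC4C4F43856A3:1262304000::::J. Daniel Kulp:13x:
sig:!::1:132E49D4E41EDC7E:1262390400::::Carsten Ziegeler:10x:
sig:?::1:00000000000000B2:1262390400::::[User ID not found]:10x:
pub:-:1024:17:132E49D4E41EDC7E:1104537600:::-:::scESC:
uid:-::::1104537600::::Carsten Ziegeler:
sig:!::17:394D2FE3C4C57B42:1104624000::::Marcus Crafter:10x:
pub:-:1024:17:394D2FE3C4C57B42:1009843200:::-:::scESC:
uid:-::::1009843200::::Marcus Crafter:
sig:!::1:00000000000000A1:1262476800::::Constructed Verifier:10x:
"""


def parse_signatures(colon_text):
    """Return (names, signers).

    names   maps key ID -> a user ID string seen for that key
    signers maps key ID -> set of key IDs with a *good* signature on it
    """
    names, signers, current = {}, {}, None
    for line in colon_text.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        record, validity, keyid, uid = f[0], f[1], f[4], f[9]
        if record == "pub":
            current = keyid
            signers.setdefault(current, set())
        elif record == "uid" and current and current not in names:
            names[current] = uid
        elif record == "sig" and current:
            # "!" = signature checked and good; "?" (signer key missing),
            # "-" (bad) and "%" (error) must not count as trust edges.
            if not validity.startswith("!") or keyid == current:
                continue  # also skips self-signatures
            signers[current].add(keyid)
            names.setdefault(keyid, uid)
    return names, signers


def find_chain(signers, trusted, target, max_hops=5):
    """Breadth-first search from `target` back through its signers.

    Returns key IDs ordered trusted -> ... -> target (shortest chain),
    or None when no chain of at most `max_hops` signatures exists.
    """
    queue, seen = deque([[target]]), {target}
    while queue:
        path = queue.popleft()
        if path[0] == trusted:
            return path
        if len(path) > max_hops:
            continue  # chain already uses max_hops signatures
        for signer in sorted(signers.get(path[0], ())):
            if signer not in seen:
                seen.add(signer)
                queue.append([signer] + path)
    return None


if __name__ == "__main__":
    names, signers = parse_signatures(SAMPLE)
    chain = find_chain(signers, "00000000000000A1", "858FC4C4F43856A3")
    print(" -> ".join(names.get(k, k) for k in chain))
```

A chain found this way only shows that each link certified the next key's identity; whether it is worth anything still depends on trusting every intermediate signer to certify carefully, which is the point the thread is arguing over.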
RAT issues [was: Re: [VOTE] JSPWiki version 2.9.0-incubating]
Hello,

We've added support to generate RAT files (RAT report for RC3 available at [#1]) and began to play with it, via rat-ant-tasks [#2]. As noted in previous e-mails, all the JSP files lack a proper header. So, a couple of questions:

- we pass the addLicenseHeaders argument to the report task. A lot of .new files get generated with the appropriate header, but none of them correspond to JSP files. On the other hand the RAT report detects the missing header in the JSP files. Is there any way to enforce the process for JSP files?
- we also have some .js files which come with their license header (i.e.: mootools.js). RAT detects them as their header doesn't conform with AL Header. In this case I assume we should ignore these files, is that ok?

We've also made java files conform strictly with AL header, so the headers issue should be solved once we get rid of the two points noted above.

thx in advance,
juan pablo

[#1]: http://people.apache.org/~juanpablo/rat_2.9.0_rc3.txt
[#2]: http://creadur.apache.org/rat/apache-rat-tasks/report.html

On Sun, Oct 7, 2012 at 11:53 PM, Craig L Russell craig.russ...@oracle.com wrote:
Hi Christian, Thanks for the review of the release.

On Oct 7, 2012, at 12:30 PM, Christian Grobmeier wrote:
Hello, I'm sorry to -1 your release :-( Please see: http://www.apache.org/legal/src-headers.html#headers

This is a very important document to read and understand. The jspwiki headers are non-standard and should be rewritten to conform. In particular, there should be no extraneous verbiage before the Licensed to... text. No copyright, no other information.

I have found a lot of code like in the src package /src/webdocs/Captcha.jsp which are missing header licenses. I saw it is in the .java files, but they should be basically in every file we release (including jsp)

I agree, .jsp files need the Apache license header just as .java files do.

Also export.sh misses headers.
In the headers of the .java files is: JSPWiki - a JSP-based WikiWiki clone. Not sure if this is a blocker, but you should use the full name Apache JSPWiki instead of only JSPWiki. Personally I would get rid of this line actually, but I think it is up to you.

Getting rid of the line is probably the easiest way to conform.

Example: https://svn.apache.org/repos/asf/incubator/jspwiki/tags/jspwiki_2_9_0_incubating_rc3/src/org/apache/catalina/util/HexUtils.java

I have not tested signatures yet. In other projects sometimes the website is being voted on together with the releases. Is it not the case with JSPWiki?

I don't know that I've ever voted on a web site release. Other projects just update the web site as needed, with no vote.

On another note, I agree with Ross. Your mentors should have told you that and they should have voted already.

This first release has been a long time coming, and I was distracted the last couple of weeks. I agree that the mentors should review the release and advise of remedial action. I'd like to see a rat report on the release. I believe that analysis of the rat report will reinforce the comments that Christian and I made.

Regards, Craig

Not sure how the overall situation on your daily project life is. If you feel that you would need more mentor support, please write a separate e-mail to this list. I have only looked at this e-mail as it was open for a couple of days without many responses.

Best regards, Christian

On Thu, Sep 27, 2012 at 8:11 PM, Juan Pablo Santos Rodríguez juanpa...@apache.org wrote:
Hi, This is a call for a vote on releasing the following candidate as Apache JSPWiki version 2.9.0-incubating. This will be our first release.
A vote was held on the developer mailing list (http://s.apache.org/dzM) and passed with 10 +1s (* denoting PPMC):

Janne Jalkanen*
Florian Holeczek*
Harry Metske*
Andrew Jaquith*
Dirk Frederickx*
Juan Pablo Santos Rodríguez*
Fabian Haupt
Michael Gerzabek
Christophe Dupriez
Roberto Venturi

We need at least 3 IPMC votes.

This release fixes the following issues: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732&version=12319521

Source and binary files: http://people.apache.org/~jalkanen/JSPWiki/2.9.0/

The tag to be voted upon: https://svn.apache.org/repos/asf/incubator/jspwiki/tags/jspwiki_2_9_0_incubating_rc3

JSPWiki's KEYS file containing PGP keys we use to sign the release: http://www.apache.org/dist/incubator/jspwiki/KEYS

Please
Re: jspwiki
Hi,

On Sun, Oct 7, 2012 at 11:07 PM, Benson Margulies bimargul...@gmail.com wrote:
We seem to have a problem here. I've pinged two of the mentors here chosen by people in my gmail 'to' cache; could we get some input?

JSPWiki has been troubled for quite some time. Earlier this year (prompted by concerns raised by Sam) they discussed leaving the ASF as one option due to lack of progress [1]. That proposal didn't reach consensus, so a bit later a premature graduation attempt was made [2]. Meanwhile the project activity has remained pretty low compared to what it was when the project entered incubation five(!) years ago.

There is still some energy in JSPWiki and I salute the efforts of Juan Pablo and others who are keeping the project alive, but unfortunately we aren't providing enough mentoring and other help to push the community through incubation. Looking at jspwiki-dev@ I see only six mentor posts since the beginning of this year.

I think JSPWiki still has the makings of a good Apache project, but they clearly need more help. Any volunteers?

[1] http://markmail.org/message/etgsawr7mtjggppt
[2] http://markmail.org/message/bnkpzwdltlihce3k

BR, Jukka Zitting
Re: RAT issues [was: Re: [VOTE] JSPWiki version 2.9.0-incubating]
On Oct 8, 2012, at 3:59 PM, Juan Pablo Santos Rodríguez wrote:
Hello, We've added support to generate RAT files (RAT report for RC3 available at [#1]) and began to play with it, via rat-ant-tasks [#2]. As noted in previous e-mails, all the JSP files lack a proper header. So, a couple of questions:

- we pass the addLicenseHeaders argument to the report task. A lot of .new files get generated with the appropriate header, but none of them correspond to JSP files. On the other hand the RAT report detects the missing header in the JSP files. Is there any way to enforce the process for JSP files?

I'm not clear what you are saying here. If the rat addLicenseHeaders does not create .jsp files with the appropriate header, you may need to manually edit the .jsp files.

- we also have some .js files which come with their license header (i.e.: mootools.js). RAT detects them as their header doesn't conform with AL Header. In this case I assume we should ignore these files, is that ok?

If you review all of the files that have their own license header, you can then notate them. What rat does is report non-conforming files of all types. Any files that are licensed under a non-Apache license need to be called out in the NOTICE and/or LICENSE files. There are many examples of such files in other projects. If you give specific file names, I can help you with what needs to be done to include them.

Craig

We've also made java files conform strictly with AL header, so the headers issue should be solved once we get rid of the two points noted above.

thx in advance,
juan pablo

[#1]: http://people.apache.org/~juanpablo/rat_2.9.0_rc3.txt
[#2]: http://creadur.apache.org/rat/apache-rat-tasks/report.html

On Sun, Oct 7, 2012 at 11:53 PM, Craig L Russell craig.russ...@oracle.com wrote:
Hi Christian, Thanks for the review of the release.
On Oct 7, 2012, at 12:30 PM, Christian Grobmeier wrote:
Hello, I'm sorry to -1 your release :-( Please see: http://www.apache.org/legal/src-headers.html#headers

This is a very important document to read and understand. The jspwiki headers are non-standard and should be rewritten to conform. In particular, there should be no extraneous verbiage before the Licensed to... text. No copyright, no other information.

I have found a lot of code like in the src package /src/webdocs/Captcha.jsp which are missing header licenses. I saw it is in the .java files, but they should be basically in every file we release (including jsp)

I agree, .jsp files need the Apache license header just as .java files do.

Also export.sh misses headers. In the headers of the .java files is: JSPWiki - a JSP-based WikiWiki clone. Not sure if this is a blocker, but you should use the full name Apache JSPWiki instead of only JSPWiki. Personally I would get rid of this line actually, but I think it is up to you.

Getting rid of the line is probably the easiest way to conform.

Example: https://svn.apache.org/repos/asf/incubator/jspwiki/tags/jspwiki_2_9_0_incubating_rc3/src/org/apache/catalina/util/HexUtils.java

I have not tested signatures yet. In other projects sometimes the website is being voted on together with the releases. Is it not the case with JSPWiki?

I don't know that I've ever voted on a web site release. Other projects just update the web site as needed, with no vote.

On another note, I agree with Ross. Your mentors should have told you that and they should have voted already.

This first release has been a long time coming, and I was distracted the last couple of weeks. I agree that the mentors should review the release and advise of remedial action. I'd like to see a rat report on the release.
I believe that analysis of the rat report will reinforce the comments that Christian and I made.

Regards, Craig

Not sure how the overall situation on your daily project life is. If you feel that you would need more mentor support, please write a separate e-mail to this list. I have only looked at this e-mail as it was open for a couple of days without many responses.

Best regards, Christian

On Thu, Sep 27, 2012 at 8:11 PM, Juan Pablo Santos Rodríguez juanpa...@apache.org wrote:
Hi, This is a call for a vote on releasing the following candidate as Apache JSPWiki version 2.9.0-incubating. This will be our first release. A vote was held on the developer mailing list (http://s.apache.org/dzM) and passed with 10 +1s (* denoting PPMC):

Janne Jalkanen*
Florian Holeczek*
Harry Metske*
Andrew Jaquith*
Dirk Frederickx*
Juan Pablo Santos Rodríguez*
Fabian Haupt
Michael Gerzabek
Christophe Dupriez
Roberto Venturi

We need at least 3 IPMC votes.

This release fixes the following issues: