On 23 Jan 2004, at 10:45, Oliver Zeigermann wrote:

<snip>

> 3.) My PGP key is only trusted by myself,

my public key's also isolated. at the last count i saw, i was the bigger offender (in terms of releases signed by an isolated key). not being trusted by other apache folk didn't stop me signing all those releases.


though i'd like to get my key signed, that means meeting up face-to-face with other apache people which is (geographically) difficult for me. if you're in continental europe, there are a number of events coming up where there will be an apache presence. subscribe to community or party if you're interested.

IIRC someone - stephano i think - made a really cool application showing distances between signers. there are a number of isolated key signers (especially amongst the europeans where there hasn't been an apachecon in a while.)

does anyone else want to sign the distributions?

(i can't answer that ;)


> Is it necessary to sign the distribution in the first place?

definitely.


the web of trust (though important) is of secondary importance to ASF releases. the signature is a way that other committers can ensure that any changes which occur to the release were made by the release manager who originally signed the release.

this does not mean that i have to trust your key is owned by the real Oliver Zeigermann, just the ASF release manager who chooses to call himself the same.

for some users, not being in a strong web of trust is a bigger issue. md5 sums from the apache site are almost certainly good enough for users so this shouldn't be such an issue, but you may have to field questions from users (i certainly have in the past).

- robert
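The two checks robert describes above (a detached signature from the release manager's key, plus the md5 sum published beside the artifact) can be scripted on the user's side. The following is an added example, not code from this thread or from any Apache project; it assumes `gpg` and `md5sum` are installed and that the release manager's public key has already been imported into the local keyring (for example from a project KEYS file). The file names and the checksum-file layout are assumptions modelled on what Apache mirrors typically publish.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a downloaded
# release artifact against its published .md5 file and its detached .asc
# signature. Assumes gpg and md5sum are on PATH and that the signer's
# public key is already in the local keyring.

# verify_md5 ARTIFACT SUMFILE
# Accepts the common checksum-file layouts: "HASH  filename",
# "HASH *filename", or a bare "HASH". Case-insensitive on the hex digest.
# Returns 0 when the digest matches, 1 otherwise.
verify_md5() {
    artifact="$1"
    sumfile="$2"
    [ -f "$artifact" ] || return 1
    [ -f "$sumfile" ] || return 1
    # First whitespace-separated field of the first line is the digest.
    expected=$(awk 'NF { print tolower($1); exit }' "$sumfile")
    actual=$(md5sum "$artifact" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_sig ARTIFACT SIGFILE
# Checks a detached ASCII-armored signature. A good signature from a key
# in the keyring is enough for the thread's purpose (the same release
# manager signed it); whether that key is trusted in the web of trust is
# a separate question that gpg reports as a warning, not a failure.
verify_sig() {
    artifact="$1"
    sigfile="$2"
    [ -f "$artifact" ] || return 1
    [ -f "$sigfile" ] || return 1
    gpg --batch --verify "$sigfile" "$artifact" 2>/dev/null
}

# verify_release ARTIFACT
# Expects ARTIFACT.md5 and ARTIFACT.asc next to the artifact. The md5 sum
# only catches corruption or a mismatched mirror copy; the signature is
# what ties the bytes to the release manager's key.
verify_release() {
    artifact="$1"
    verify_md5 "$artifact" "$artifact.md5" || { echo "md5 mismatch: $artifact"; return 1; }
    verify_sig "$artifact" "$artifact.asc" || { echo "bad signature: $artifact"; return 1; }
    echo "ok: $artifact"
}

# Usage: ./verify_release.sh path/to/release.tar.gz
# (only runs when invoked with an argument, so the functions can be sourced)
if [ "$#" -eq 1 ]; then
    verify_release "$1"
fi
```

The md5 check is deliberately separate from the signature check: a checksum fetched from the same site as the artifact proves only that the download is intact, while the signature is the thing a downstream committer can use to tell whether the release still matches what the release manager signed.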

