Hi, I just wanted to package the new HBase version and since I've just recently read about a malicious software tarball for some Linux IRC server[1], I got back to the habit of checking signatures. (Yes, I was lazy recently. I'm ashamed.)

But checking the signatures of Apache software is obviously meaningless, since Apache developers appear not to have their keys in the web of trust. Of three signature files I had lying around on my hard disk, all three keys had zero signatures on the MIT keyserver:

30CD0996 2010-05-03 Michael Stack <st...@duboce.net>
68E327C1 2008-10-22 Patrick Hunt <ph...@apache.org>
FE045966 2009-10-13 Grant Ingersoll <gsing...@apache.org>

So please, when you have your next Hadoop / HBase / Lucene / Apache meetings, take your time for a key signing party[2]. Or just have some snippet with your key's fingerprint in your wallet and hand it to every other geek you meet. (And make sure he asks you for your ID card to check your identity!) It's also nice to have your GPG fingerprint on your business cards!

[1] http://www.sophos.com/blogs/chetw/g/2010/06/12/linux-malware-rears-ugly-head/
[2] http://en.wikipedia.org/wiki/Key_signing_party

Thank you!

Thomas Koch, http://www.koch.ro
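The check the post describes (does a release-signing key carry any third-party certifications, or only its own self-signature?) can be automated by parsing the machine-readable output of `gpg --with-colons --list-sigs`. This is an added example, not code from the original post; the key ids, names and addresses in the sample listing are constructed, and the field positions assumed are those of GnuPG's colon-separated listing format (field 5 is the key id, and on a `sig` record it is the signer's key id).

```python
# Added example: audit `gpg --with-colons --list-sigs` output and report keys
# that carry no third-party certifications, i.e. keys outside the web of trust.
# Sample listing below is constructed; it is not real keyserver output.

SAMPLE_LISTING = """\
pub:-:4096:1:1111111111111111:2010-05-03:::-:::scESC::::::
uid:-::::2010-05-03::DEADBEEF::Release Manager (constructed) <rm@example.org>::::::::::0:
sig:::1:1111111111111111:2010-05-03::::Release Manager (constructed) <rm@example.org>:13x::::::
pub:-:2048:1:2222222222222222:2008-10-22:::-:::scESC::::::
uid:-::::2008-10-22::CAFEBABE::Other Dev (constructed) <dev@example.org>::::::::::0:
sig:::1:2222222222222222:2008-10-22::::Other Dev (constructed) <dev@example.org>:13x::::::
sig:::1:1111111111111111:2010-06-01::::Release Manager (constructed) <rm@example.org>:10x::::::
sig:::1:3333333333333333:2010-06-02::::[User ID not found]:10x::::::
"""


def external_certifications(listing):
    """Map each primary key id to the set of *other* key ids that certified it.

    Self-signatures (signer == key being listed) are skipped: every key has
    those, so they say nothing about whether anyone else vouched for the key.
    """
    certs = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            certs[current] = set()
        elif fields[0] == "sig" and current is not None:
            signer = fields[4]
            if signer != current:
                certs[current].add(signer)
    return certs


def keys_outside_web_of_trust(listing):
    """Key ids whose only signature is their own self-signature."""
    return sorted(k for k, s in external_certifications(listing).items() if not s)


if __name__ == "__main__":
    # Realistic use: feed the function the output of
    #   gpg --with-colons --list-sigs <KEYID>
    # after fetching the release signer's key from a keyserver.
    for keyid in keys_outside_web_of_trust(SAMPLE_LISTING):
        print(f"{keyid}: no third-party certifications, verify fingerprint out of band")
```

In the constructed sample the first key has only its self-signature and is reported, while the second key carries two external certifications (one from a key not in the local keyring, shown by gpg as "[User ID not found]") and is not.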