> But checking the signatures of apache software obviously is meaningless, since > apache developers appears to not have their keys in the web-of-trust
Many many do :) > So please, when you've your next Hadoop / HBase / Lucene / Apache meetings, > take your time for a keysigning party[2]. We should have done some key signing during the buzzwords conference. For people in Berlin: I am happy to exchange keys to get them into the web-of-trust. Will certainly suggest something like that for our Apache Dinners. cheers -- Torsten