Thomas, are you attending the summit? There are a number of contributor workshops the day after, all at (or around) the same location. If you feel strongly about this, consider attending them; it seems like a great opportunity for a "key signing party".
http://www.meetup.com/Hadoop-Contributors/calendar/13771414/
http://www.meetup.com/Hadoop-Contributors/calendar/13750403/
http://www.meetup.com/hbaseusergroup/calendar/13562846/
etc...

Here's some detail on WOT at apache:
http://www.apache.org/dev/release-signing.html#web-of-trust

Patrick

On 06/25/2010 02:29 AM, Thomas Koch wrote:
Hi,

I just wanted to package the new HBase version and since I've just recently
read about a malicious software tarball for some Linux IRC server[1], I got
back to the habit of checking signatures. (Yes, I was lazy recently. I'm
ashamed.)

But checking the signatures of Apache software obviously is meaningless, since
Apache developers appear to not have their keys in the web-of-trust. From
three signature files I had lying around on my hard disc, all three keys had
zero signatures on the MIT keyserver:

30CD0996 2010-05-03 Michael Stack<st...@duboce.net>
68E327C1 2008-10-22 Patrick Hunt<ph...@apache.org>
FE045966 2009-10-13 Grant Ingersoll<gsing...@apache.org>

So please, when you have your next Hadoop / HBase / Lucene / Apache meetings,
take your time for a keysigning party[2]. Or just have some snippet with your
key's fingerprint in your wallet and hand it to every other geek you meet. (And
make sure he asks you for your ID card to check your identity!) It's also nice
to have your gpg fingerprint on your business cards!

[1] http://www.sophos.com/blogs/chetw/g/2010/06/12/linux-malware-rears-ugly-head/
[2] http://en.wikipedia.org/wiki/Key_signing_party

Thank you!

Thomas Koch, http://www.koch.ro
