<snip>
* The developers' PGP keys aren't part of any web of trust. Mainly an issue of physical separation between the developers.
interesting requirement, this one.
IIRC at the last count i was the biggest offender at apache for this (in terms of isolated releases: releases that i've signed with a signature that is isolated).
IIRC the consensus is that face-to-face meetings are really the only method good enough to establish trust but i don't think i've ever knowingly met another apache committer face-to-face. i'm not really sure how (at the moment) the incubator expects the incubatees to meet this requirement (at least before apache gets that key manager up and running).
maybe what would be enough is that all developers have OpenPGP-compatible keys with public keys uploaded to public servers with fingerprints publicly available from the ASF infrastructure (maybe on a public ASF web page). of course, this last bit might be a bad plan since some might say the ASF would be vouching for the authenticity of the fingerprints...
- robert