<http://www.apache.org/dev/release-distribution.html#sigs-and-sums>
"Signing keys SHOULD be linked into a strong web of trust." On Mon, Jun 19, 2017 at 10:29 AM, John D. Ament <johndam...@apache.org> wrote: > Is there a guide you're getting that from? When I look at [1] it seems we > trust the public registries, so nothing else should be needed. > > John > > [1]: https://www.apache.org/info/verification.html > > > On Mon, Jun 19, 2017 at 1:28 PM Eric Friedrich (efriedri) < > efrie...@cisco.com> wrote: > >> Thanks John- >> My key is already listed there and is present in the KEYS file as well. >> >> Doesn’t the key also need to be verified by others at Apache to be >> considered valid? >> >> —Eric >> >> > On Jun 19, 2017, at 1:12 PM, John D. Ament <johndam...@apache.org> >> wrote: >> > >> > I think all you have to do is upload it via https://pgp.mit.edu/ >> ........... >> > >> > John >> > >> > On Mon, Jun 19, 2017 at 1:11 PM Eric Friedrich (efriedri) < >> > efrie...@cisco.com> wrote: >> > >> >> Apologies for this slightly unorthodox use of the mailer. >> >> >> >> I’m in the process of preparing a release for the Traffic Control >> podling. >> >> As the RM, I have to use my GPG key to sign the release. >> >> >> >> However, my GPG key is not yet tied into the web of trust and we cannot >> >> pass the vote because of this. >> >> >> >> Is there anyone in the Boston area (preferably South or metro-west) that >> >> would be willing to meet and verify my key ownership? >> >> >> >> Thanks! >> >> Eric >> >> >> >> >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
