Re: key signing

2012-10-10 Thread Peter Karman
Greg Stein wrote on 10/10/12 6:44 PM: > I've read this entire thread (whew!), and would actually like to throw out > a contrary position: > > No signed keys. +1 -- Peter Karman . http://peknet.com/ . pe...@peknet.com - To

Re: [DISCUSS] Jr. Mentor role

2012-10-10 Thread Luciano Resende
On Wed, Oct 10, 2012 at 6:06 PM, Roman Shaposhnik wrote: > Hi! > > ever since Bigtop has incubated I've been thinking > about the experience that I've had and that it would > be very nice if I could help the new projects at least > 1/10th the amount of help I received from some of the > mentors. >

Re: [VOTE] Recommend to the Board to establish the Apache OpenOffice Project

2012-10-10 Thread Mattmann, Chris A (388J)
+1 (binding). Good luck Open Office'ers! :) Cheers, Chris On Oct 10, 2012, at 12:00 PM, Andrea Pescetti wrote: > Seeing no objections to my last message, and keeping into account that this > list had been regularly informed about the steps Apache OpenOffice was taking > towards graduation, I'm

Re: Tashi - report missing

2012-10-10 Thread Michael Stroucken
Craig L Russell wrote: Hi Jukka, The incubator report in wiki is immutable. Could you please amend the tashi report: Change "diogo" to "diego" Please don't, the gentleman's name is "Diogo", though I've misspelled it too on occasion. ;) Add me as mentor signed-off-by. Thanks, Michael. --

Re: Tashi - report missing

2012-10-10 Thread Craig L Russell
Hi Jukka, The incubator report in wiki is immutable. Could you please amend the tashi report: Change "diogo" to "diego" Add me as mentor signed-off-by. Thanks, Craig On Oct 10, 2012, at 7:19 PM, Michael Stroucken wrote: Jukka Zitting wrote: Hi Tashi, Your board report for this month is

Re: [VOTE] Graduate Cordova podling from Apache Incubator

2012-10-10 Thread Gianugo Rabellino
On Oct 9, 2012, at 3:24 PM, Steven Gill wrote: > This is a call for vote to graduate the Cordova podling from Apache > Incubator. +1 (mentor) -- Gianugo Rabellino - To unsubscribe, e-mail: general-unsubscr...@incubator.apac

Re: Tashi - report missing

2012-10-10 Thread Michael Stroucken
Jukka Zitting wrote: Hi Tashi, Your board report for this month is overdue. Please submit a report by tomorrow if possible, otherwise we can postpone your report to next month. Hi Jukka, Sorry for the delay, the report was submitted. I notice a total stop in list and commit activity since

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:40:18 -0400: > On Wed, Oct 10, 2012 at 9:35 PM, Daniel Shahaf > wrote: > > Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: > >... > >> My point is that our instructions to users don't really incorporate > >> the notions of "keys", and (thus) p

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 9:35 PM, Daniel Shahaf wrote: > Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: >... >> My point is that our instructions to users don't really incorporate >> the notions of "keys", and (thus) provide near-zero utility. For such > > So, provide better instructions

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: > Not too much. We still instruct users "take the signatures and verify > them against blah.apache.org/KEYS". John Blackhat could replace the > signatures and install his entry into KEYS. If you use https://people.apache.org/keys/ instead of

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: > On Wed, Oct 10, 2012 at 9:10 PM, Daniel Shahaf > wrote: > > Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: > >> I've read this entire thread (whew!), and would actually like to throw out > >> a contrary position: > >> > >> No si

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 7:53 PM, Ian Holsman wrote: > On Oct 11, 2012, at 10:44 AM, Greg Stein wrote: >> (assume secure Infrastructure) > > That's a pretty big assumption isn't it? Empirically, we've had break-ins, so we can assume it will happen again. But now you're talking that somebody has t

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
There is value of the external signature for attesting something about the creation of the artifact. The digest simply demonstrates that the artifact is intact. I've already agreed that the signing of other people's certificate is not that valuable in the case of Apache releases. Because of t

RE: Preparing for the October reports

2012-10-10 Thread Franklin, Matthew B.
>-Original Message- >From: Jukka Zitting [mailto:jukka.zitt...@gmail.com] >Sent: Wednesday, October 10, 2012 7:28 PM >To: general >Subject: Re: Preparing for the October reports > >Hi, > >On Mon, Sep 24, 2012 at 10:34 PM, Jukka Zitting >wrote: >> It would be nice if we had all reviews read

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 9:10 PM, Daniel Shahaf wrote: > Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: >> I've read this entire thread (whew!), and would actually like to throw out >> a contrary position: >> >> No signed keys. >> >> Consider: releases come from the ASF, not a person. > >

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: > I've read this entire thread (whew!), and would actually like to throw out > a contrary position: > > No signed keys. > > Consider: releases come from the ASF, not a person. Therefore, releases should be signed by the ASF as an organisat

Re: [VOTE] Release Kafka 0.7.2-incubating (Candidate 5)

2012-10-10 Thread Joe Stein
[3] +1 (binding) Alan, Jakob, Chris [1] +1 (non-binding) Jun [1] 0 (binding) Owen) [0] -1 the vote passes IPMC and with the PPMC vote already passed [3] +1 (binding) Jun, Neha, Chris [1] +1 (non-binding) Joel [0] 0 [0] -1 0.7.2 is ready to ship I will push the release to the origin server a

Re: key signing

2012-10-10 Thread Daniel Shahaf
Ian Holsman wrote on Thu, Oct 11, 2012 at 10:53:11 +1100: > > On Oct 11, 2012, at 10:44 AM, Greg Stein wrote: > > > > > (assume secure Infrastructure) > > That's a pretty big assumption isn't it? > There have been public instances where open source infrastructures have been > hacked, and rele

[DISCUSS] Jr. Mentor role

2012-10-10 Thread Roman Shaposhnik
Hi! ever since Bigtop has incubated I've been thinking about the experience that I've had and that it would be very nice if I could help the new projects at least 1/10th the amount of help I received from some of the mentors. Also, seeing a steady stream of graduating projects I would imagine tha

Re: [VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread Ahmed Radwan
[ ] +1, bring Helix into Incubator (non-binding) On Wed, Oct 10, 2012 at 9:37 AM, kishore g wrote: > Hi, > > I would like to call a vote for accepting Helix for incubation in the > Apache Incubator. I have pasted the full proposal below. > > Please cast your vote: > > [ ] +1, bring Helix into Inc

Re: [VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread Patrick Hunt
+1, bring Helix into Incubator (binding) Patrick On Wed, Oct 10, 2012 at 9:37 AM, kishore g wrote: > Hi, > > I would like to call a vote for accepting Helix for incubation in the > Apache Incubator. I have pasted the full proposal below. > > Please cast your vote: > > [ ] +1, bring Helix into In

Re: key signing

2012-10-10 Thread Ian Holsman
On Oct 11, 2012, at 10:44 AM, Greg Stein wrote: > > (assume secure Infrastructure) That's a pretty big assumption isn't it? There have been public instances where open source infrastructures have been hacked, and releases have been messed with. I think keys removes the need for the assumpti

Re: key signing

2012-10-10 Thread Greg Stein
I've read this entire thread (whew!), and would actually like to throw out a contrary position: No signed keys. Consider: releases come from the ASF, not a person. The RM builds the release artifacts and checks them into version control along with hash "checksums". Other PMC members validate the

Re: Preparing for the October reports

2012-10-10 Thread Jukka Zitting
Hi, On Mon, Sep 24, 2012 at 10:34 PM, Jukka Zitting wrote: > It would be nice if we had all reviews ready by Tuesday, October 9th, > to give one extra day for unexpected delays. I'm again running a bit late on completing the Incubator report. I hope to have it finished and submitted already tomo

Re: Preparing for the October reports

2012-10-10 Thread Jukka Zitting
Hi, Thanks for the reviews, Benson! I added you as a signer-off on these reports. As reported and discussed, Kafka remains ready to graduate and will hopefully complete that transition shortly. On Fri, Oct 5, 2012 at 3:19 PM, Benson Margulies wrote: > ODFToolkit, on the other hand, seems to hav

Re: Preparing for the October reports

2012-10-10 Thread Jukka Zitting
Hi, On Tue, Oct 9, 2012 at 9:27 PM, Jakob Homan wrote: > Following up, the Kafka-not-showing-any-new-people issue was a > documentation problem, not an actual one. We've fixed that and are > moving forward towards the graduation vote. Sounds great, thanks for the update! BR, Jukka Zitting --

Re: [VOTE] Recommend to the Board to establish the Apache OpenOffice Project

2012-10-10 Thread Andrew Rist
[ x ] +1, recommend the resolution to the Board That's a +1 (non-binding) Andrew On 10/10/2012 12:00 PM, Andrea Pescetti wrote: Seeing no objections to my last message, and keeping into account that this list had been regularly informed about the steps Apache OpenOffice was taking towards gr

Re: [VOTE] Graduate Cordova podling from Apache Incubator

2012-10-10 Thread Jukka Zitting
Hi, On Wed, Oct 10, 2012 at 1:24 AM, Steven Gill wrote: > This is a call for vote to graduate the Cordova podling from Apache > Incubator. [x] +1 Graduate Cordova podling from Apache Incubator (mentor) BR, Jukka Zitting

Re: [VOTE] Recommend to the Board to establish the Apache OpenOffice Project

2012-10-10 Thread Jukka Zitting
Hi, On Wed, Oct 10, 2012 at 10:00 PM, Andrea Pescetti wrote: > Seeing no objections to my last message, and keeping into account that this > list had been regularly informed about the steps Apache OpenOffice was > taking towards graduation, I'm hereby asking the IPMC to recommend the > following

Re: [VOTE] Graduate Cordova podling from Apache Incubator

2012-10-10 Thread Andrew Savory
Hi, On 9 October 2012 23:24, Steven Gill wrote: > This is a call for vote to graduate the Cordova podling from Apache > Incubator. > +1 Andrew. -- asav...@apache.org / cont...@andrewsavory.com http://www.andrewsavory.com/

Re: [VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread Roman Shaposhnik
On Wed, Oct 10, 2012 at 7:37 PM, kishore g wrote: > I would like to call a vote for accepting Helix for incubation in the > Apache Incubator. I have pasted the full proposal below. +1 (not binding) Thanks, Roman.

Re: Rat report

2012-10-10 Thread Juan Pablo Santos Rodríguez
Hi Craig, just committed some changes to address those concerns: - issues #1 and #2: added into NOTICE/LICENSE - #3: that comment is most probably there because it is a minified version, anyway, I've added the appropriate text in NOTICE - #4: more or less, the same issue as #3. We contacted the

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 17:04, Marvin Humphrey wrote: > In my opinion, we have sufficient expertise here at the ASF to devise an > authentication protocol whose reliability exceeds that of individuals > participating unsupervised in a web of trust, particularly if the protocol > were to incorporate ar

Re: [VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread Jukka Zitting
Hi, On Wed, Oct 10, 2012 at 7:37 PM, kishore g wrote: > I would like to call a vote for accepting Helix for incubation in the > Apache Incubator. I have pasted the full proposal below. [x] +1, bring Helix into Incubator BR, Jukka Zitting

Re: key signing - trust path check

2012-10-10 Thread Noah Slater
This is awesome! Unfortunately I (61D50B88) am not in the strong set. Bummer. :( On Wed, Oct 10, 2012 at 2:43 PM, Shane Curcuru wrote: > Anyone interested in details of PGP signing and tracing trust paths at the > ASF should say thank you to long-time member henkp who has done a ton of > work do

Re: key signing

2012-10-10 Thread Noah Slater
Most people develop their own key signing policy and publish it. Or organisations as a whole do, and ask their members to adhere to it. Something which we might want to consider formalising. On Wed, Oct 10, 2012 at 10:18 PM, Benson Margulies wrote: > Just to be clear, I don't think I've ever sign

Re: key signing

2012-10-10 Thread Benson Margulies
Just to be clear, I don't think I've ever signed a key in my life. In part, because these criteria seem impossibly mushy.

Re: key signing

2012-10-10 Thread Noah Slater
I've said it already in this thread, but I will say it one last time before I drop it. Archiving video provides zero benefits, beyond the human to human connection of seeing what somebody looks like. It provides no way to establish identity or ownership of email/keys that email does not already pro

Re: key signing

2012-10-10 Thread Noah Slater
On Wed, Oct 10, 2012 at 3:20 PM, Ted Dunning wrote: > > I have friends who live far away. I know them well. I don't know their > key fingerprint. > > If we send emails or if we text back and forth I'm not clear that it is > them. If I have a video conference and they hold up the fingerprint I kn

Re: [VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread Chris Douglas
+1 (binding) -C On Wed, Oct 10, 2012 at 9:37 AM, kishore g wrote: > Hi, > > I would like to call a vote for accepting Helix for incubation in the > Apache Incubator. I have pasted the full proposal below. > > Please cast your vote: > > [ ] +1, bring Helix into Incubator > [ ] +0, I don't care eit

Re: Permission to publish Allura website?

2012-10-10 Thread sebb
On 10 October 2012 16:54, Rich Bowen wrote: > The Incubator docs state: > > The website is published by checking out the content from SVN into the > directory/www/incubator.apache.org/content/podlingname on people.apache.org. > > When I try to do this, I get > >> svn checkout https://svn.apache.o

Re: [VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread Jakob Homan
Binding +1. On Wed, Oct 10, 2012 at 1:32 PM, Ted Dunning wrote: > +1 (binding) > > On Wed, Oct 10, 2012 at 9:37 AM, kishore g wrote: > >> Hi, >> >> I would like to call a vote for accepting Helix for incubation in the >> Apache Incubator. I have pasted the full proposal below. >> >> Please cast

Re: [VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread Ted Dunning
+1 (binding) On Wed, Oct 10, 2012 at 9:37 AM, kishore g wrote: > Hi, > > I would like to call a vote for accepting Helix for incubation in the > Apache Incubator. I have pasted the full proposal below. > > Please cast your vote: > > [ ] +1, bring Helix into Incubator > [ ] +0, I don't care eithe

Rat report

2012-10-10 Thread Craig L Russell
Hi Juan Pablo, The license update is looking very good. Thanks for pitching in and doing all this heavy lifting! I have some concerns with the files listed below. 1. The SilkIconSet images are licensed under CC-attribution 2.5 license. The NOTICE needs to accommodate the comment from the s

Re: [PROPOSAL] Helix for the Apache Incubator

2012-10-10 Thread Mahadev Konar
The proposal looks good. Thanks mahadev On Oct 9, 2012, at 5:47 PM, kishore g wrote: > Hello, > > The proposal is fixed http://wiki.apache.org/incubator/HelixProposal. > > We have also made the Github link public. > > Home Page: http://linkedin.github.com/helix/ > Github source: https://githu

[VOTE] Recommend to the Board to establish the Apache OpenOffice Project

2012-10-10 Thread Andrea Pescetti
Seeing no objections to my last message, and keeping into account that this list had been regularly informed about the steps Apache OpenOffice was taking towards graduation, I'm hereby asking the IPMC to recommend the following resolution to the Board. Aim of the resolution is to establish the

Re: key signing

2012-10-10 Thread Florian Holeczek
Hi Marvin, > On Wed, Oct 10, 2012 at 8:11 AM, Florian Holeczek wrote: >> However, what would now be totally wrong IMO is, that some guys in the ASF >> redefine these rules in order to make the process of release signing more >> simple. In the WoT big picture, this would automatically mean that ev

Re: [VOTE] Release Kafka 0.7.2-incubating (Candidate 5)

2012-10-10 Thread Owen O'Malley
On Sun, Oct 7, 2012 at 10:17 AM, Joe Stein wrote: > I would like to keep the vote open for another few days to give the IPMC > members time to review and vote, thanks. Joe, Could you update your gpg key: * set it in id.apache.org * get someone who knows you to sign it. Without a signed key t

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
Just for completeness for building an understanding what I have been capitalizing as the Apache Trust Chain: 1. There must also be understanding of the cert expiration and cert revocation cases. 2. As a demonstration for how it all comes down to the Apache logon for committers, consider the

[VOTE] Accept Helix into Apache Incubator

2012-10-10 Thread kishore g
Hi, I would like to call a vote for accepting Helix for incubation in the Apache Incubator. I have pasted the full proposal below. Please cast your vote: [ ] +1, bring Helix into Incubator [ ] +0, I don't care either way, [ ] -1, do not bring Helix into Incubator, because ... This vote will be

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
+1 An Apache CA would also be handy for setting up code signing (the kind carried in the code package and recognized by operating systems, not an external signature of the kind being discussed here). To clarify one aspect of the Apache Trust Chain. It is not about email. It is about the publi

Re: key signing

2012-10-10 Thread Marvin Humphrey
On Wed, Oct 10, 2012 at 8:11 AM, Florian Holeczek wrote: > However, what would now be totally wrong IMO is, that some guys in the ASF > redefine these rules in order to make the process of release signing more > simple. In the WoT big picture, this would automatically mean that every key > that is

Permission to publish Allura website?

2012-10-10 Thread Rich Bowen
The Incubator docs state: The website is published by checking out the content from SVN into the directory/www/incubator.apache.org/content/podlingname on people.apache.org. When I try to do this, I get > svn checkout https://svn.apache.org/repos/asf/incubator/allura/site allura svn: E13:

Re: Proposed resolution: Establish the Apache OpenOffice Project

2012-10-10 Thread Donald Harbison
On Tue, Oct 9, 2012 at 4:24 AM, Andrea Pescetti wrote: > The Apache OpenOffice PPMC and Community believe the project is ready to > graduate to a Top Level Project. > > Multiple steps were taken in this direction, including: > - Community vote to start graduation process: http://s.apache.org/e7F >

Re: key signing

2012-10-10 Thread Marvin Humphrey
On Wed, Oct 10, 2012 at 7:19 AM, Nick Kew wrote: > > On 10 Oct 2012, at 12:20, Benson Margulies wrote: > >> Nick: On the one hand, how is trusting the Apache process better or >> worse than trusting the State of Massachusetts? > > When I sign a key I'm basing it on more information than that. Exa

Re: key signing

2012-10-10 Thread Florian Holeczek
Hi Benson, > A different angle. > > Noah asks me to sign his key. > > Noah tells me that he's committed it to KEYS for CloudStack in svn > revision 314159. > > I examine that revision and see that it was made by, indeed, noah's > Apache ID, which is associated with a particular email address. >

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 12:20, Benson Margulies wrote: > Nick: On the one hand, how is trusting the Apache process better or > worse than trusting the State of Massachusetts? When I sign a key I'm basing it on more information than that. Either it's a one-off, when I have additional knowledge of som

Re: [VOTE] Release Kafka 0.7.2-incubating (Candidate 5)

2012-10-10 Thread Alan D. Cabrera
+1 binding Regards, Alan On Oct 3, 2012, at 8:40 AM, Joe Stein wrote: > Hello, > > Kafka Incubator has passed the vote for 0.7.2 RC5 > http://www.mail-archive.com/kafka-dev@incubator.apache.org/msg04980.html > > I would like to call a vote now from the IPMC. > > This is the fifth candidate f

Re: key signing

2012-10-10 Thread Stephen Connolly
On 10 October 2012 15:20, Ted Dunning wrote: > > > Sent from my iPhone > > On Oct 10, 2012, at 2:47 AM, Noah Slater wrote: > > > Can you clarify? I understand that being able to speak to someone face to > > face, and seeing their mannerisms and expressions, allows you to > understand > > them be

Re: key signing

2012-10-10 Thread Ted Dunning
Sent from my iPhone On Oct 10, 2012, at 2:47 AM, Noah Slater wrote: > Can you clarify? I understand that being able to speak to someone face to > face, and seeing their mannerisms and expressions, allows you to understand > them better. Some deep rooted human thing. But how does this impact >

Re: key signing - trust path check

2012-10-10 Thread Shane Curcuru
Anyone interested in details of PGP signing and tracing trust paths at the ASF should say thank you to long-time member henkp who has done a ton of work documenting and verifying release signing and keys: https://people.apache.org/~henkp/trust/ - Shane On 10/8/2012 6:37 PM, Noah Slater wrot

Re: key signing

2012-10-10 Thread Shane Curcuru
Comments: - For many people, ensuring that the human who holds a specific key is the same one who has been using the j...@doe.foo email address and the john...@apache.org SVN/GIT account over a period of time is what is most important. Less important is ensuring that that human's legal name i

Re: key signing

2012-10-10 Thread Benson Margulies
On Wed, Oct 10, 2012 at 6:52 AM, Nick Kew wrote: > > On 10 Oct 2012, at 11:25, Benson Margulies wrote: > >> I then feel that it's perfectly reasonable to sign a key that has two >> things in it: the name Noah Slater and nsla...@apache.org, because if >> this process doesn't verify an adequate asso

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 11:25, Benson Margulies wrote: > I then feel that it's perfectly reasonable to sign a key that has two > things in it: the name Noah Slater and nsla...@apache.org, because if > this process doesn't verify an adequate association, then no one can > trust the Apache IP process, e

Re: key signing

2012-10-10 Thread Benson Margulies
A different angle. Noah asks me to sign his key. Noah tells me that he's committed it to KEYS for CloudStack in svn revision 314159. I examine that revision and see that it was made by, indeed, noah's Apache ID, which is associated with a particular email address. I send email to secretary@, as

Re: key signing

2012-10-10 Thread Noah Slater
Can you clarify? I understand that being able to speak to someone face to face, and seeing their mannerisms and expressions, allows you to understand them better. Some deep rooted human thing. But how does this impact security or trust, in the context of key signing? On Wed, Oct 10, 2012 at 4:00 A

Re: [VOTE] Graduate Cordova podling from Apache Incubator

2012-10-10 Thread Christian Grobmeier
+1 (ipmc) You Cordova guys did a great job, imho! On Wed, Oct 10, 2012 at 12:32 AM, Steven Gill wrote: > Argh! Thanks for the catch Dan. I was using the Isis vote thread as a > template to create this one. > > Please cast your votes: > > [ ] +1 Graduate Cordova podling from Apache Incubator [ ]