Looking for GPG key signers in Boston area

["Eric Friedrich (efriedri)" <ef...@cisco.com>]

Apologies for this slightly unorthodox use of the mailer. 

I’m in the process of preparing a release for the Traffic Control podling. As the RM, I have to use my GPG key to sign the release. 

However, my GPG key is not yet tied into the web of trust and we cannot pass the vote because of this. 

Is there anyone in the Boston area (preferably South or metro-west) that would be willing to meet and verify my key ownership? 

Thanks!
Eric

Re: Looking for GPG key signers in Boston area

[Jim Apple <jb...@cloudera.com>]

<http://www.apache.org/dev/release-distribution.html#sigs-and-sums>

"Signing keys SHOULD be linked into a strong web of trust."

On Mon, Jun 19, 2017 at 10:29 AM, John D. Ament <jo...@apache.org> wrote:
> Is there a guide you're getting that from?  When I look at [1] it seems we
> trust the public registries, so nothing else should be needed.
>
> John
>
> [1]: https://www.apache.org/info/verification.html
>
>
> On Mon, Jun 19, 2017 at 1:28 PM Eric Friedrich (efriedri) <
> efriedri@cisco.com> wrote:
>
>> Thanks John-
>>   My key is already listed there and is present in the KEYS file as well.
>>
>> Doesn’t the key also need to be verified by others at Apache to be
>> considered valid?
>>
>> —Eric
>>
>> > On Jun 19, 2017, at 1:12 PM, John D. Ament <jo...@apache.org>
>> wrote:
>> >
>> > I think all you have to do is upload it via https://pgp.mit.edu/
>> ...........
>> >
>> > John
>> >
>> > On Mon, Jun 19, 2017 at 1:11 PM Eric Friedrich (efriedri) <
>> > efriedri@cisco.com> wrote:
>> >
>> >> Apologies for this slightly unorthodox use of the mailer.
>> >>
>> >> I’m in the process of preparing a release for the Traffic Control
>> podling.
>> >> As the RM, I have to use my GPG key to sign the release.
>> >>
>> >> However, my GPG key is not yet tied into the web of trust and we cannot
>> >> pass the vote because of this.
>> >>
>> >> Is there anyone in the Boston area (preferably South or metro-west) that
>> >> would be willing to meet and verify my key ownership?
>> >>
>> >> Thanks!
>> >> Eric
>> >>
>> >>
>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Looking for GPG key signers in Boston area

["John D. Ament" <jo...@apache.org>]

Is there a guide you're getting that from?  When I look at [1] it seems we
trust the public registries, so nothing else should be needed.

John

[1]: https://www.apache.org/info/verification.html


On Mon, Jun 19, 2017 at 1:28 PM Eric Friedrich (efriedri) <
efriedri@cisco.com> wrote:

> Thanks John-
>   My key is already listed there and is present in the KEYS file as well.
>
> Doesn’t the key also need to be verified by others at Apache to be
> considered valid?
>
> —Eric
>
> > On Jun 19, 2017, at 1:12 PM, John D. Ament <jo...@apache.org>
> wrote:
> >
> > I think all you have to do is upload it via https://pgp.mit.edu/
> ...........
> >
> > John
> >
> > On Mon, Jun 19, 2017 at 1:11 PM Eric Friedrich (efriedri) <
> > efriedri@cisco.com> wrote:
> >
> >> Apologies for this slightly unorthodox use of the mailer.
> >>
> >> I’m in the process of preparing a release for the Traffic Control
> podling.
> >> As the RM, I have to use my GPG key to sign the release.
> >>
> >> However, my GPG key is not yet tied into the web of trust and we cannot
> >> pass the vote because of this.
> >>
> >> Is there anyone in the Boston area (preferably South or metro-west) that
> >> would be willing to meet and verify my key ownership?
> >>
> >> Thanks!
> >> Eric
> >>
> >>
>
>

Re: Looking for GPG key signers in Boston area

["Eric Friedrich (efriedri)" <ef...@cisco.com>]

Thanks John-
  My key is already listed there and is present in the KEYS file as well. 

Doesn’t the key also need to be verified by others at Apache to be considered valid?

—Eric

> On Jun 19, 2017, at 1:12 PM, John D. Ament <jo...@apache.org> wrote:
> 
> I think all you have to do is upload it via https://pgp.mit.edu/ ...........
> 
> John
> 
> On Mon, Jun 19, 2017 at 1:11 PM Eric Friedrich (efriedri) <
> efriedri@cisco.com> wrote:
> 
>> Apologies for this slightly unorthodox use of the mailer.
>> 
>> I’m in the process of preparing a release for the Traffic Control podling.
>> As the RM, I have to use my GPG key to sign the release.
>> 
>> However, my GPG key is not yet tied into the web of trust and we cannot
>> pass the vote because of this.
>> 
>> Is there anyone in the Boston area (preferably South or metro-west) that
>> would be willing to meet and verify my key ownership?
>> 
>> Thanks!
>> Eric
>> 
>> 

Re: Looking for GPG key signers in Boston area

["John D. Ament" <jo...@apache.org>]

I think all you have to do is upload it via https://pgp.mit.edu/ ...........

John

On Mon, Jun 19, 2017 at 1:11 PM Eric Friedrich (efriedri) <
efriedri@cisco.com> wrote:

> Apologies for this slightly unorthodox use of the mailer.
>
> I’m in the process of preparing a release for the Traffic Control podling.
> As the RM, I have to use my GPG key to sign the release.
>
> However, my GPG key is not yet tied into the web of trust and we cannot
> pass the vote because of this.
>
> Is there anyone in the Boston area (preferably South or metro-west) that
> would be willing to meet and verify my key ownership?
>
> Thanks!
> Eric
>
>

Re: Looking for GPG key signers in Boston area

[Bertrand Delacretaz <bd...@codeconsult.ch>]

On Mon, Jun 19, 2017 at 11:11 PM, Nick Kew <ni...@apache.org> wrote:
> ...You should indeed collect some signatures....

Indeed - the "Web of Trust" section of
https://www.apache.org/dev/release-signing.html has more info on
getting your key signed by others.

-Bertrand

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

Re: Looking for GPG key signers in Boston area

[Nick Kew <ni...@apache.org>]

On Mon, 2017-06-19 at 17:11 +0000, Eric Friedrich (efriedri) wrote:
> Apologies for this slightly unorthodox use of the mailer. 
> 
> I’m in the process of preparing a release for the Traffic Control podling. As the RM, I have to use my GPG key to sign the release. 
> 
> However, my GPG key is not yet tied into the web of trust and we cannot pass the vote because of this. 

You should indeed collect some signatures.  They don't have to be
Apache folks: there are a lot of techies in the Boston area, and
I daresay the PGP strong set has a strong presence there, from the
academic communities of MIT and Harvard to your own company.

Within Apache, take a look at the committer map at
people.apache.org to find Apache folks in your area.

-- 
Nick Kew


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org