Posted to general@incubator.apache.org by Robert Burrell Donkin <ro...@gmail.com> on 2007/10/27 12:41:18 UTC

Release Distribution Strategy

i'm starting to think about the mechanics of correctly distributing
releases and find some topics deserving of discussion

IMO the IPMC needs to think a little about the division of
responsibility between podling and IPMC in the final publication stage
of release distribution.

new releases need to be mirrored. setting up mirroring takes some work
but it's once only. the question is how much responsibility we want to
devolve to podlings for ensuring that this is done correctly.

jakarta uses XSLT to push out news of a release and update mirroring
code. with some effort it would be possible to create scripts that
automate quite a lot of the mirroring setup and update process for new
releases (plus cool stuff like pushing out news and updating the
website). this would give a uniform interface and make life much
easier for podlings but would be less educational.

i wonder about permissions for the distribution directories.

podling release managers are less likely to be well connected to the
apache web of trust. these signatures could be difficult to verify
later.

opinions?

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Craig L Russell <Cr...@Sun.COM>.
Hi,

Some background on the web of trust (wot) that ASF uses for signers  
of code releases is at http://en.wikipedia.org/wiki/Web_of_trust

You correctly point out that the icla is a binding document in which  
the party signing the document grants certain intellectual property  
rights to the ASF. The signature on this document is not verified to  
be the signature of a real person. It could be anyone. But whoever  
signed the document and commits code under the name in the document  
is assumed to have the authority to do so.

The wot is a different thing. It grants no authority and has no  
inherent rights. The only thing it attempts to guarantee is that the  
real person who is in the wot is the person who is responsible for  
signing the releases.

The primary way the Apache wot is increased is at signing parties  
usually but not necessarily conducted during ApacheCons. A signing  
party can be held any time as long as there are two people who want  
to confirm each others' identity and add to the wot. At least one of  
the people at the signing party is already a member of the wot. If  
only one, then the wot created at the party is connected to the  
Apache wot via one or more "strands of trust" (I made that up).

Craig

On Oct 28, 2007, at 12:57 AM, Niclas Hedhman wrote:

> On Sunday 28 October 2007 06:24, Noel J. Bergman wrote:
>> Perhaps
>> we should add some information on getting into the Web of Trust,  
>> although
>> that is really a general committer item, not Incubator specific.
>
> I am not very security fluent, and perhaps someone could explain to  
> me;
>
> What is the difference of being an Apache committer/Member with the  
> *signed*
> ICLA, which indeed is a legal document, and that other ASF folks  
> have seen
> your driver's license (et al) and signed you into the web of trust?
>
> From my perspective, the latter is not legally binding and at the  
> most acts as
> some form of "someone has identified it to be a real person with that
> name"...
>
> FWIW, I think ASF should increase the efforts in the ASF Web of  
> Trust, both
> getting more people engaged (like myself, I can't figure out the  
> practical
> details on how to go about it) as well as tooling support for  
> verifications.
>
>
> Cheers
> Niclas
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On 10/29/07, Erik Abele <er...@codefaktor.de> wrote:
> On 29.10.2007, at 16:02, Niclas Hedhman wrote:

<snip>

> > Asking me to do something about it, is also asking at the wrong
> > end, since I
> > am a newbie at the topic and barely trust myself getting anything
> > right.
>
> Well, that's the way we operate - scratch your itch and so on... :)

+1

sometimes energy is all that's really needed. passion goes a long way.

> > I guess this is getting out of scope for Incubator...

maybe, maybe not - incubator has a role to play in developing best practice

> Aye, feel free to circle back to community@ - maybe someone has the
> same itch and comes up with something.
>
> Maybe https://issues.apache.org/jira/browse/INFRA-1387 is a start for
> solving some of your concerns?
>
> (Note the reference about automatically checking the md5 hashes in
> the report, I think that'd be a nice benefit of using something like
> that, as Joshua also pointed out.)

the automatic checking sounds good - probably worth taking a closer look at

- robert



Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Erik Abele <er...@codefaktor.de>.
On 29.10.2007, at 16:02, Niclas Hedhman wrote:

> On Monday 29 October 2007 21:26, Erik Abele wrote:
>>> The process on the above page is beyond most users'
>>> imagination.
>>
>> As said, they probably don't even care otherwise they would know...
>
> I rest my case; If I don't care about routing tables in TCP/IP  
> stacks, I don't
> need Internet, right?

Oh come on, if you don't know how to drive a car you probably  
shouldn't drive one, right?

We're not talking about rocket science here, and fwiw, the majority  
of the general users are simply not verifying any of their  
downloads... also we're not talking about your mum (no pun  
intended!), our user-base consists mostly of developers,  
administrators, etc. and these people simply know how to do it,  
please read Robert's examples.

We also have the MD5 hashes (incl. web-interface) which are more than  
sufficient for the big masses who simply want to double-click...

> Asking me to do something about it, is also asking at the wrong  
> end, since I
> am a newbie at the topic and barely trust myself getting anything  
> right.

Well, that's the way we operate - scratch your itch and so on... :)

And fwiw, I was a newbie too but that doesn't prevent you from diving  
in etc. I personally simply have no time and interest in this, though  
I also don't object to improvements.

> I guess this is getting out of scope for Incubator...

Aye, feel free to circle back to community@ - maybe someone has the  
same itch and comes up with something.

Maybe https://issues.apache.org/jira/browse/INFRA-1387 is a start for  
solving some of your concerns?

(Note the reference about automatically checking the md5 hashes in  
the report, I think that'd be a nice benefit of using something like  
that, as Joshua also pointed out.)

Cheers,
Erik




Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Monday 29 October 2007 21:26, Erik Abele wrote:
> > The process on the above page is beyond most users'
> > imagination.
>
> As said, they probably don't even care otherwise they would know...

I rest my case; If I don't care about routing tables in TCP/IP stacks, I don't 
need Internet, right?

Asking me to do something about it, is also asking at the wrong end, since I 
am a newbie at the topic and barely trust myself getting anything right.

I guess this is getting out of scope for Incubator...

Cheers
Niclas



Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Erik Abele <er...@codefaktor.de>.
On 29.10.2007, at 13:49, Robert Burrell Donkin wrote:

> ...
> IMO this needs to be done at the protocol level to gain the required
> security (rather than just the appearance of security). if there's
> anyone around who's active on HTTP standards then now would be a great
> time to jump in...

And back to '94:

http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html

Or for a more recent effort:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200707.mbox/%3C469F6075.2040409@buanzo.com.ar%3E
http://www.buanzo.com.ar/sec/enigform.en.html
http://freshmeat.net/articles/view/2599

HTH...

Cheers,
Erik




Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On 10/29/07, Niclas Hedhman <ni...@hedhman.org> wrote:
> On Sunday 28 October 2007 23:15, Erik Abele wrote:
> > As BenL always says: "I don't give a shit about some random document,
> > that could be faked anyway. All I care about is the email address
> > connected to the key I intend to sign - is it really the address of
> > the person in question?".
>
> Ok, and if you don't know the individual in person, you put the trust in
> a "Driver's license" or similar... but doesn't really care how that 'trust'
> was established.
> I must be plain dumb, but I don't "get" why this provides any comfort to
> end-users, even if they manage to figure out what to do with the .ASCs (I bet
> a very small percentage do).

most users should check the hashes (not the signatures)

anyone who is not well-connected to the apache WOT gains only a little
security by using a signature and only that if they understand WOT
concepts pretty well. providing that release managers are well
connected to the apache WOT then two small (but very important) groups
of users typically fall into this category: apache members and
downstream release managers. that is why apache insists on them.

> And that is why I am asking for better tooling.

+1

IMO this needs to be done at the protocol level

> > See also http://wiki.apache.org/apachecon/PgpKeySigning
>
> Ok, it shows half the picture; How to sign the keys is left out...

see http://people.apache.org/~henkp/

> > > as well as tooling support for verifications.
> > http://httpd.apache.org/dev/verification.html
>
> Uhhhh, we probably have more than a million users. Do we expect them all to
> get a hook into the WOT ?? IMHO, there is something wrong with that
> picture...

no - but we do expect the apache infrastructure team to be

> Couldn't a simple; http://www.apache.org/verify where I put the ASC file (and
> the MD5 of download??) and get a "Authenticated" or not response be done?? If
> that is too hard to automate, I don't think we ever will see any increase in
> user awareness. The process on the above page is beyond most users'
> imagination.

IMO this needs to be done at the protocol level to gain the required
security (rather than just the appearance of security). if there's
anyone around who's active on HTTP standards then now would be a great
time to jump in...

- robert
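Robert's "most users should check the hashes" and Erik's md5.cgi both assume the user can actually compare the sidecar with the download correctly, and Gilles' point still applies: a hash fetched from the same mirror as the artifact proves nothing about origin. The script below is an added example written for this thread; it is not code from the list, from ASF infrastructure or from the httpd verification page. It assumes (nothing on the page says so) that the artifact bytes came from an untrusted mirror while the .md5/.sha* sidecar was fetched from the canonical apache.org host, and it handles the sidecar layouts that md5sum/shaNsum, the BSD md5/sha tools and gpg --print-md produce. The sample inputs are constructed around the standard test vectors for the bytes b"abc"; the file name foo-1.0.tar.gz is made up.

```python
"""Verify a mirrored download against its checksum sidecar.

Added example for this thread, not code from the list or from ASF
infrastructure. Assumed: artifact bytes come from an untrusted mirror,
the sidecar text was fetched separately from the canonical host.
"""
import hashlib
import hmac
import re

# Digest length in hex characters -> hashlib algorithm name.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

HEX_RUN = re.compile(r"[0-9a-fA-F]+")
# BSD-style layout: "SHA256 (foo.tar.gz) = <hex>"
BSD_LINE = re.compile(r"^\s*(\w+)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def parse_sidecar(text, expected_name=None):
    """Return (algorithm, hex_digest) from a checksum sidecar.

    Layouts accepted:
      <hex>                         bare digest
      <hex>  foo.tar.gz             md5sum / sha256sum, text mode
      <hex> *foo.tar.gz             coreutils binary mode
      SHA256 (foo.tar.gz) = <hex>   BSD md5/sha utilities
      foo.tar.gz: XXXX XXXX ...     gpg --print-md, groups may wrap lines
    The algorithm is inferred from the digest length. If the sidecar names
    a file and expected_name is given they must agree, so a sidecar for a
    different artifact is rejected instead of silently accepted.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty sidecar")
    first = text.splitlines()[0]
    name = None
    bsd = BSD_LINE.match(first)
    if bsd:
        name, hexpart = bsd.group(2), bsd.group(3)
    elif ":" in first:
        name, _, hexpart = text.partition(":")
        name = name.strip()
    else:
        parts = first.split()
        hexpart = parts[0]
        if len(parts) > 1:
            name = " ".join(parts[1:]).lstrip("*")
    hexdigest = "".join(HEX_RUN.findall(hexpart)).lower()
    algo = DIGEST_BY_HEX_LEN.get(len(hexdigest))
    if algo is None:
        raise ValueError(f"no recognisable digest in sidecar: {first!r}")
    if expected_name and name and name != expected_name:
        raise ValueError(f"sidecar is for {name!r}, not {expected_name!r}")
    return algo, hexdigest


def verify(artifact, sidecar_text, artifact_name=None):
    """Hash the artifact with the sidecar's algorithm and compare.

    Returns (algorithm, matched). A match only proves the bytes are the
    ones whoever wrote the sidecar hashed; it says nothing about who that
    was, which is what the PGP signature and the KEYS file are for.
    """
    algo, expected = parse_sidecar(sidecar_text, artifact_name)
    actual = hashlib.new(algo, artifact).hexdigest()
    return algo, hmac.compare_digest(actual, expected)


# Constructed sample input: the "release" is b"abc", whose MD5/SHA digests
# are the well-known test vectors, written out in each sidecar layout.
ARTIFACT = b"abc"
SIDECARS = {
    "bare md5": "900150983cd24fb0d6963f7d28e17f72\n",
    "md5sum": "900150983cd24fb0d6963f7d28e17f72  foo-1.0.tar.gz\n",
    "sha1 binary mode": "a9993e364706816aba3e25717850c26c9cd0d89d *foo-1.0.tar.gz\n",
    "bsd sha512": "SHA512 (foo-1.0.tar.gz) = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\n",
    "gpg --print-md sha256": (
        "foo-1.0.tar.gz: BA78 16BF 8F01 CFEA 4141 40DE 5DAE 2223 B003 61A3\n"
        "                9617 7A9C B410 FF61 F200 15AD\n"
    ),
}

if __name__ == "__main__":
    for label, sidecar in SIDECARS.items():
        print(f"{label:24s} -> {verify(ARTIFACT, sidecar, 'foo-1.0.tar.gz')}")
    print(f"{'tampered artifact':24s} -> {verify(b'abd', SIDECARS['md5sum'])}")
```

Two caveats that the thread touches on but a script cannot fix: MD5 was already known to be collision-prone in 2007, so a matching .md5 is a corruption check rather than a tamper check; and the sidecar only helps if it is fetched from a host the mirror operator does not control.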



Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by sebb <se...@gmail.com>.
On 29/10/2007, Gilles Scokart <gs...@gmail.com> wrote:
>
>
> > -----Original Message-----
> > From: sebb [mailto:sebbaz@gmail.com]
> >
> > Even if you can't establish a trust path, the PGP signature gives a
> > bit more assurance than a hash. The KEY file should be in SVN, so you
> > can ensure that the person that added the key to the KEY file was at
> > least a committer to SVN.
>
> That's only for the users who have https access to SVN (and who can reliably verify the SSH key of the server).  The
> others have to assume that the server from which they are reading the KEY file is the real one.
>

Strictly speaking, yes.

The KEY file can be downloaded without needing https access, but as
you point out, this is not necessarily a guarantee of authenticity.

However, it is one more obstacle that a hacker would have to surmount
- they would have to subvert the SVN host as well as the main apache
host holding the KEY file.

> Gilles
>
>
>



RE: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Gilles Scokart <gs...@gmail.com>.

> -----Original Message-----
> From: sebb [mailto:sebbaz@gmail.com]
> 
> Even if you can't establish a trust path, the PGP signature gives a
> bit more assurance than a hash. The KEY file should be in SVN, so you
> can ensure that the person that added the key to the KEY file was at
> least a committer to SVN.

That's only for the users who have https access to SVN (and who can reliably verify the SSH key of the server).  The
others have to assume that the server from which they are reading the KEY file is the real one.

Gilles





Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by sebb <se...@gmail.com>.
On 29/10/2007, Erik Abele <er...@codefaktor.de> wrote:
> On 29.10.2007, at 03:13, Niclas Hedhman wrote:
>
> > On Sunday 28 October 2007 23:15, Erik Abele wrote:
> >> As BenL always says: "I don't give a shit about some random document,
> >> that could be faked anyway. All I care about is the email address
> >> connected to the key I intend to sign - is it really the address of
> >> the person in question?".
> >
> > Ok, and if you don't know the individual in person, you put the
> > trust in
> > a "Driver's license" or similar... but doesn't really care how that
> > 'trust'
> > was established.
>
> There's a ton of interpretations and levels of trust out there; I
> suggest you consult Google for that.
>
> > I must be plain dumb, but I don't "get" why this provides any
> > comfort to
> > end-users, even if they manage to figure out what to do with
> > the .ASCs (I bet
> > a very small percentage do).
>
> Well, if you verify an ASF release it can show you two things:
>
> a) if the signature is good you know that the file has not been
> tampered with;
>    it's the same as when the release was originally cut by the RM
> b) if you can establish a trust path to the signer of the file then
> you can be
>    pretty sure that it's a legit release and not a faked one

Even if you can't establish a trust path, the PGP signature gives a
bit more assurance than a hash. The KEY file should be in SVN, so you
can ensure that the person that added the key to the KEY file was at
least a committer to SVN.

> Again, please see http://httpd.apache.org/dev/verification.html -
> especially the sections on "Checking Signatures" [a) above] and
> "Validating Authenticity of a Key" [b) above].
>
> Re small percentage: I doubt that most users even care; the majority
> probably won't even think about it :(
>
> > And that is why I am asking for better tooling.
>
> Ok, feel free to improve that :-)
>
> >> See also http://wiki.apache.org/apachecon/PgpKeySigning
> >
> > Ok, it shows half the picture; How to sign the keys is left out...
>
> See one of the billions of tutorials in Google, or simply "man
> gpg" (--sign-key or --edit-key).
>
> >>> as well as tooling support for verifications.
> >> http://httpd.apache.org/dev/verification.html
> >
> > Uhhhh, we probably have more than a million users. Do we expect
> > them all to
> > get a hook into the WOT ?? IMHO, there is something wrong with that
> > picture...
>
> The million users don't even care about all that - the ones who do
> will find a way to connect the dots or even get into the WOT (see
> examples provided by Robert).
>
> E.g. if I see that a release is signed by the key XYZ of S. Striker
> and I go and fetch that key from a public keyserver and take a look
> at the list of signatures, I'll find out that there are names like Roy
> T. Fielding, Jim Jagielski, and so on... now, when I compare the
> fingerprints and maybe also have a look at http://www.apache.org/dist/httpd/KEYS
> then I can be pretty sure that the release was made by an
> official member of the HTTPD PMC - that should be enough for Random
> Joe to feel comfortable...
>
> > Couldn't a simple; http://www.apache.org/verify where I put the ASC
> > file (and
> > the MD5 of download??) and get a "Authenticated" or not response be
> > done?? If
> > that is too hard to automate, I don't think we ever will see any
> > increase in
> > user awareness.
>
> http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5
> for you - it doesn't really make sense to have the same for PGP
> signatures IMHO.
>
> > The process on the above page is beyond most users'
> > imagination.
>
> As said, they probably don't even care otherwise they would know...
>
> Cheers,
> Erik
>
>



Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Erik Abele <er...@codefaktor.de>.
On 29.10.2007, at 03:13, Niclas Hedhman wrote:

> On Sunday 28 October 2007 23:15, Erik Abele wrote:
>> As BenL always says: "I don't give a shit about some random document,
>> that could be faked anyway. All I care about is the email address
>> connected to the key I intend to sign - is it really the address of
>> the person in question?".
>
> Ok, and if you don't know the individual in person, you put the  
> trust in
> a "Driver's license" or similar... but doesn't really care how that  
> 'trust'
> was established.

There's a ton of interpretations and levels of trust out there; I  
suggest you consult Google for that.

> I must be plain dumb, but I don't "get" why this provides any  
> comfort to
> end-users, even if they manage to figure out what to do with  
> the .ASCs (I bet
> a very small percentage do).

Well, if you verify an ASF release it can show you two things:

a) if the signature is good you know that the file has not been  
tampered with;
    it's the same as when the release was originally cut by the RM
b) if you can establish a trust path to the signer of the file then  
you can be
    pretty sure that it's a legit release and not a faked one

Again, please see http://httpd.apache.org/dev/verification.html -  
especially the sections on "Checking Signatures" [a) above] and  
"Validating Authenticity of a Key" [b) above].

Re small percentage: I doubt that most users even care; the majority  
probably won't even think about it :(

> And that is why I am asking for better tooling.

Ok, feel free to improve that :-)

>> See also http://wiki.apache.org/apachecon/PgpKeySigning
>
> Ok, it shows half the picture; How to sign the keys is left out...

See one of the billions of tutorials in Google, or simply "man  
gpg" (--sign-key or --edit-key).

>>> as well as tooling support for verifications.
>> http://httpd.apache.org/dev/verification.html
>
> Uhhhh, we probably have more than a million users. Do we expect  
> them all to
> get a hook into the WOT ?? IMHO, there is something wrong with that
> picture...

The million users don't even care about all that - the ones who do  
will find a way to connect the dots or even get into the WOT (see  
examples provided by Robert).

E.g. if I see that a release is signed by the key XYZ of S. Striker  
and I go and fetch that key from a public keyserver and take a look  
at the list of signatures, I'll find out that there are names like Roy
T. Fielding, Jim Jagielski, and so on... now, when I compare the  
fingerprints and maybe also have a look at http://www.apache.org/dist/httpd/KEYS
then I can be pretty sure that the release was made by an
official member of the HTTPD PMC - that should be enough for Random  
Joe to feel comfortable...

> Couldn't a simple; http://www.apache.org/verify where I put the ASC  
> file (and
> the MD5 of download??) and get a "Authenticated" or not response be  
> done?? If
> that is too hard to automate, I don't think we ever will see any  
> increase in
> user awareness.

http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5  
for you - it doesn't really make sense to have the same for PGP  
signatures IMHO.

> The process on the above page is beyond most users'
> imagination.

As said, they probably don't even care otherwise they would know...

Cheers,
Erik
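What Erik describes with S. Striker's key (signed by Roy T. Fielding and Jim Jagielski, fingerprint cross-checked against KEYS) and what Craig earlier called "strands of trust" is exactly the computation gpg does when it decides whether a signing key is valid for you. The script below is an added example written for this thread, not code from the list or from GnuPG: it implements the classic trust-model rules with GnuPG's defaults (a key becomes valid when it is certified by one fully trusted valid key or by three marginally trusted valid keys, and chains are cut off after five steps). The key graph is constructed; "roy", "jim" and "striker" stand for the people in Erik's example, while "alice", "bob", "greg" and "podling-rm" are hypothetical. It also shows Robert's opening concern: a podling release manager whose key is certified only by one committer stays unknown to everyone who has not set ownertrust on that committer.

```python
"""Key validity under a GnuPG-style web of trust.

Added example for this thread, not code from the list or from GnuPG.
Names below are a constructed graph; see the lead-in for what is assumed.
"""

FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"
COMPLETES_NEEDED = 1   # gpg default: --completes-needed 1
MARGINALS_NEEDED = 3   # gpg default: --marginals-needed 3
MAX_CERT_DEPTH = 5     # gpg default: --max-cert-depth 5


class WebOfTrust:
    def __init__(self, signatures, ownertrust, my_key):
        # signatures[k] is the set of keys that have certified key k.
        # ownertrust[k] is how far *you* trust k's owner to certify others;
        # it is a local opinion, not something carried in the signatures.
        self.signatures = signatures
        self.ownertrust = ownertrust
        self.my_key = my_key
        self.reasons = {}

    def _trust(self, signer):
        # Your own key is "ultimate": it counts as a full certifier.
        if signer == self.my_key:
            return FULL
        return self.ownertrust.get(signer, UNKNOWN)

    def validity(self):
        """Return {key: depth} for every key that is valid for my_key.

        Works outward level by level, like gpg's trustdb: a signer only
        counts once its own key has become valid at a shallower depth.
        self.reasons records which certifiers made each key valid.
        """
        valid = {self.my_key: 0}
        self.reasons = {self.my_key: []}
        for depth in range(1, MAX_CERT_DEPTH + 1):
            newly = {}
            for key, signers in self.signatures.items():
                if key in valid:
                    continue
                full = sorted(s for s in signers
                              if s in valid and self._trust(s) == FULL)
                marginal = sorted(s for s in signers
                                  if s in valid and self._trust(s) == MARGINAL)
                if len(full) >= COMPLETES_NEEDED:
                    newly[key] = (depth, full)
                elif len(marginal) >= MARGINALS_NEEDED:
                    newly[key] = (depth, marginal)
            if not newly:
                break
            for key, (d, why) in newly.items():
                valid[key] = d
                self.reasons[key] = why
        return valid

    def can_verify_release(self, signing_key):
        """True if a release signed by signing_key verifies as trusted for you."""
        return signing_key in self.validity()


# Constructed key-signature graph. "roy" and "jim" have certified
# "striker" (Erik's example); "alice" attended a signing party with roy,
# jim and greg; "podling-rm" has been certified by striker only.
SIGNATURES = {
    "roy": {"alice", "jim"},
    "jim": {"alice", "roy"},
    "greg": {"alice", "jim"},
    "striker": {"roy", "jim", "greg"},
    "podling-rm": {"striker"},
}

if __name__ == "__main__":
    cases = {
        "alice, trusts roy fully":
            WebOfTrust(SIGNATURES, {"roy": FULL}, "alice"),
        "alice, two marginal signers":
            WebOfTrust(SIGNATURES, {"roy": MARGINAL, "jim": MARGINAL}, "alice"),
        "alice, three marginal signers":
            WebOfTrust(SIGNATURES, {"roy": MARGINAL, "jim": MARGINAL, "greg": MARGINAL}, "alice"),
        "bob, not in the web at all":
            WebOfTrust(SIGNATURES, {}, "bob"),
    }
    for label, wot in cases.items():
        v = wot.validity()
        print(f"{label}: striker={'striker' in v} podling-rm={'podling-rm' in v} valid={v}")
```

In real gpg the ownertrust dictionary is what you set with "trust" inside gpg --edit-key, and a key that does not come out valid is the reason gpg --verify prints its "This key is not certified with a trusted signature!" warning even when the signature itself is good; that is the gap between Erik's a) and b).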




Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Sunday 28 October 2007 23:15, Erik Abele wrote:
> As BenL always says: "I don't give a shit about some random document,  
> that could be faked anyway. All I care about is the email address  
> connected to the key I intend to sign - is it really the address of  
> the person in question?".

Ok, and if you don't know the individual in person, you put the trust in 
a "Driver's license" or similar... but doesn't really care how that 'trust' 
was established.
I must be plain dumb, but I don't "get" why this provides any comfort to 
end-users, even if they manage to figure out what to do with the .ASCs (I bet 
a very small percentage do).

And that is why I am asking for better tooling. 

> See also http://wiki.apache.org/apachecon/PgpKeySigning

Ok, it shows half the picture; How to sign the keys is left out...

> > as well as tooling support for verifications.
> http://httpd.apache.org/dev/verification.html

Uhhhh, we probably have more than a million users. Do we expect them all to 
get a hook into the WOT ?? IMHO, there is something wrong with that 
picture...

Couldn't a simple; http://www.apache.org/verify where I put the ASC file (and 
the MD5 of download??) and get a "Authenticated" or not response be done?? If 
that is too hard to automate, I don't think we ever will see any increase in 
user awareness. The process on the above page is beyond most users' 
imagination.


Cheers
Niclas



Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On 10/28/07, Erik Abele <er...@codefaktor.de> wrote:
> On 28.10.2007, at 08:57, Niclas Hedhman wrote:

<snip>

> > as well as tooling support for verifications.
>
> http://httpd.apache.org/dev/verification.html

IMHO verification is too important to be left to users. perhaps HTTP
could be extended by a "3xx Mirrored" response. headers could return a
list of mirrors together with hashes, signatures and links to keys.

- robert



Re: ASF Web of Trust [was: Release Distribution Strategy]

Posted by Erik Abele <er...@codefaktor.de>.
On 28.10.2007, at 08:57, Niclas Hedhman wrote:

> On Sunday 28 October 2007 06:24, Noel J. Bergman wrote:
>> Perhaps
>> we should add some information on getting into the Web of Trust,  
>> although
>> that is really a general committer item, not Incubator specific.
>
> I am not very security fluent, and perhaps someone could explain to  
> me;
>
> What is the difference of being an Apache committer/Member with the  
> *signed*
> ICLA, which indeed is a legal document, and that other ASF folks  
> have seen
> your driver's license (et al) and signed you into the web of trust?

Um, these two things are totally unrelated.

> From my perspective, the latter is not legally binding and at the  
> most acts as
> some form of "someone has identified it to be a real person with that
> name"...

Aye, given that you trust the government-issued doc (like a drivers  
license)...

As BenL always says: "I don't give a shit about some random document,  
that could be faked anyway. All I care about is the email address  
connected to the key I intend to sign - is it really the address of  
the person in question?".

> FWIW, I think ASF should increase the efforts in the ASF Web of  
> Trust, both
> getting more people engaged (like myself, I can't figure out the  
> practical
> details on how to go about it)

Get a key, print the fingerprint and come to an AC and have it signed by
some other folks - that's it.

See also http://wiki.apache.org/apachecon/PgpKeySigning

> as well as tooling support for verifications.

http://httpd.apache.org/dev/verification.html

Cheers,
Erik



ASF Web of Trust [was: Release Distribution Strategy]

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Sunday 28 October 2007 06:24, Noel J. Bergman wrote:
> Perhaps
> we should add some information on getting into the Web of Trust, although
> that is really a general committer item, not Incubator specific.

I am not very security fluent, and perhaps someone could explain to me;

What is the difference of being an Apache committer/Member with the *signed* 
ICLA, which indeed is a legal document, and that other ASF folks have seen
your driver's license (et al) and signed you into the web of trust?

From my perspective, the latter is not legally binding and at the most acts as
some form of "someone has identified it to be a real person with that 
name"...

FWIW, I think ASF should increase the efforts in the ASF Web of Trust, both 
getting more people engaged (like myself, I can't figure out the practical 
details on how to go about it) as well as tooling support for verifications.


Cheers
Niclas



RE: Release Distribution Strategy

Posted by "Noel J. Bergman" <no...@devtech.com>.
Robert Burrell Donkin wrote:

> IMO the IPMC needs to think a little about the division of
> responsibility between podling and IPMC in the final
> publication stage of release distribution.

> new releases need to be mirrored. setting up mirroring takes some work
> but it's once only. the question is how much responsibility we want to
> devolve to podlings for ensuring that this is done correctly.

We can make sure that they know where the docs are, and that the Mentors
oversee the process or perform it if necessary.

> with some effort it would be possible to create scripts that
> automate quite a lot of the mirroring setup and update process
> for new releases (plus cool stuff like pushing out news and
> updating the website). this would give a uniform interface and
> make life much easier for podlings but would be less educational.

That'd be great, if someone has the time.

> podling release managers are less likely to be well connected to the
> apache web of trust. these signatures could be difficult to verify
> later.

Perhaps we ought to ask that a Mentor sign release artifacts during
Incubation, which also means that they should have reviewed them?  Perhaps
we should add some information on getting into the Web of Trust, although
that is really a general committer item, not Incubator specific.

	--- Noel


