FAQ
Hi,

I'm the Debian maintainer of Hadoop, HBase and ZooKeeper. It's an issue for
me, that the gpg keys used to sign the releases of these projects are normally
not signed by anyone.
So it is the same as if the releases would not be signed at all.

Therefor I'd kindly like to ask you to offer a key signing party[1] at Hadoop
World. Unfortunately I'm from Switzerland and can't come to Hadoop World,
otherwise I'd have offered my assistance.

[1] http://en.wikipedia.org/wiki/Key_signing_party

Best regards,

Thomas Koch, http://www.koch.ro

Search Discussions

  • Owen O'Malley at Sep 16, 2010 at 3:38 pm

    On Thu, Sep 16, 2010 at 12:33 AM, Thomas Koch wrote:

    I'm the Debian maintainer of Hadoop, HBase and ZooKeeper. It's an issue for
    me, that the gpg keys used to sign the releases of these projects are normally
    not signed by anyone.
    So it is the same as if the releases would not be signed at all.
    That has bothered me too. Since all of the developers who have rolled
    the releases are all in the Bay Area we should just use the upcoming
    HDFS & MapReduce contributor meeting to do this. That will at least
    show we trust each other. *grin* If there is a key signing party at
    Apache World, we can get into the larger Apache web of trust.

    In terms of getting into your web of trust, I'll contact you off list
    so that you can sign my key. For the record, my key is 3D0C92B9, which
    is visible in http://svn.apache.org/repos/asf/hadoop/common/dist/KEYS
    and the MIT key servers.
    Therefor I'd kindly like to ask you to offer a key signing party[1] at Hadoop
    World. Unfortunately I'm from Switzerland and can't come to Hadoop World,
    otherwise I'd have offered my assistance.
    Let's get it done before then.

    -- Owen
  • Isabel Drost at Sep 19, 2010 at 9:04 pm

    On 16.09.2010 Owen O'Malley wrote:
    show we trust each other. *grin* If there is a key signing party at
    Apache World, we can get into the larger Apache web of trust.
    Apache World? Do you mean Hadoop World or Apache Con NA? As for the latter one,
    there usually is a key signing party at Apache Cons, so getting the Hadoop devs'
    keys signed by other Apache committers shouldn't be a huge problem.

    Isabel
  • Owen O'Malley at Sep 19, 2010 at 9:28 pm
    I meant ApacheCon, which with a few key signatures will tie us into the Apache web of trust. I got my key signed by a Debian committer last week and many of us will cross sign our keys at the Hadoop contributors meeting this week.

    -- Owen

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupgeneral @
categorieshadoop
postedSep 16, '10 at 7:34a
activeSep 19, '10 at 9:28p
posts4
users4
websitehadoop.apache.org
irc#hadoop

People

Translate

site design / logo © 2022 Grokbase