Hi Gary,
On 10.11.2025 14:55, Gary Gregory wrote:
> On Mon, Nov 10, 2025 at 8:22 AM Piotr P. Karwasz
> <[email protected]> wrote:
>> Since your key is effectively the authoritative one for Commons, I’d
>> expect at least the following steps:
>>
>> - Signing the new key with your old key (86fdc7e2a11262cb),
>
> There is a discussion in the page above "for and against signing the
> old key with the new".
> You're suggesting the opposite? I did neither.
The page you linked also instructs you to sign the *new* key with the *old*
one ("Trust the new key" section [1]), but the HTML is malformed:
<h/3 id="sign-new-key">Use the old key to sign the new key
>> Is there an established procedure for signing code-signing keys?
>
> See https://infra.apache.org/key-transition.html#wot
That’s the main issue with the PGP Web of Trust: it recommends security
practices so strict that, in reality, almost nobody follows them, and
people end up relying on Trust On First Use instead.
Personally, I’m not interested in verifying the legal identity of any
PMC member. What matters more to me is a practical verification that the
new key:
- Was added by someone who has access to the corresponding ASF account
(as evidenced by the SVN log, for example),
- And has some continuity with a previous key: for instance, access to a
GPG key that was used to sign commits or releases in the past. It’s
easy to add a new GPG key to your ASF account, but it’s hard to use
one retroactively. ;-)
Piotr
[1] https://infra.apache.org/key-transition.html#trust-new-key
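The transition step discussed above (certify the new key with the old one) and the continuity check Piotr describes (does the new key carry a good certification from a key that signed past releases?), as an added example that is not part of this thread or of the ASF infra page. It assumes GnuPG 2.1 or later is on PATH, works in a throwaway GNUPGHOME, and uses constructed identities (old@example.invalid, new@example.invalid); `fpr_of` and `has_good_sig_from` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: "sign the new key with the old key" and the verifier-side check.
# Assumes gpg (GnuPG >= 2.1) on PATH. Keys and identities below are constructed
# for the demo; nothing here touches your real keyring.
set -eu

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg: batch mode, loopback pinentry, empty passphrase (demo only).
gpg_batch() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the first key matching a user id (hypothetical helper).
fpr_of() {
    gpg --batch --with-colons --with-fingerprint --list-keys "$1" \
      | awk -F: '$1=="fpr"{print $10; exit}'
}

# Two throwaway keys: the "old" one that signed past releases, and the "new" one.
gpg_batch --quick-generate-key "Old Key <old@example.invalid>" default default never >/dev/null 2>&1
gpg_batch --quick-generate-key "New Key <new@example.invalid>" default default never >/dev/null 2>&1
OLD_FPR=$(fpr_of old@example.invalid)
NEW_FPR=$(fpr_of new@example.invalid)

# The transition step: certify the NEW key's user id with the OLD key.
gpg_batch -u "$OLD_FPR" --quick-sign-key "$NEW_FPR" >/dev/null 2>&1

# Verifier side: does key $2 carry a GOOD certification made by key $1?
# --check-sigs verifies each signature; in colon output a "sig" record with
# "!" in field 2 is good, and field 5 is the signer's long key id (last 16
# hex digits of its fingerprint). Returns 0 if found, 1 otherwise.
has_good_sig_from() {
    signer_keyid=$(printf '%s' "$1" | tail -c 16)
    gpg --batch --with-colons --check-sigs "$2" 2>/dev/null \
      | awk -F: -v kid="$signer_keyid" \
          '$1=="sig" && $2=="!" && $5==kid {found=1} END{exit found?0:1}'
}

# Direction matters: the new key is vouched for by the old, not the other way round.
if has_good_sig_from "$OLD_FPR" "$NEW_FPR"; then
    echo "new key $NEW_FPR carries a good certification from old key $OLD_FPR"
fi
if ! has_good_sig_from "$NEW_FPR" "$OLD_FPR"; then
    echo "old key is NOT certified by the new key (expected: that proves nothing)"
fi
```

To apply the check against a real KEYS file, import it into an isolated GNUPGHOME and call `has_good_sig_from` with the fingerprint of the key that signed a previous release and the fingerprint of the newly added key; a good certification is the cheap continuity evidence the message above asks for, complementing (not replacing) a look at who added the key in the SVN log.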