This is in addition to Conor's remarks. On Fri, 22 Oct 2004, Steve Loughran <[EMAIL PROTECTED]> wrote:
> The only way to secure it is one of
>
> 1. checksums to live on an http server you trust
> 2. things to be signed by a CA you trust.

things PGP signed by somebody you trust (or can build a chain of trust to). bouncycastle.org has Java APIs to PGP IIRC.

> Also, can/should we declare ourselves a CA and sign all our ant
> jars.

I think we already have an ASF CA we used to create the certificate for https access to the Subversion repo. I may be wrong, though.

Setting up a "real" CA is under active consideration, we even already have some infrastructure pieces for it in Ben Laurie's bunker. We could create certificates for signing the jars with them.

Personally I'm happy with PGP. A CA in the end has similar trust issues as a PGP key. Why should I trust the CA more than Antoine's or Magesh's PGP key?

We certainly need a better web of trust. As many committers (or users for that matter) as possible should create PGP keys and use every opportunity to cross sign the keys of people they meet.

Stefan
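An added example, not code from this thread or from the Ant project, of the Bouncy Castle approach Stefan mentions: a Java check that accepts a jar only if its detached PGP signature verifies against a key held in a keyring you have built trust to. The class names are those of Bouncy Castle's current OpenPGP API (an assumption, since the message names no version), and the file names are placeholders.

```java
import java.io.*;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;

/** Verifies a detached PGP signature (e.g. ant.jar.asc) over a jar. Only keys in the
 *  trusted keyring count: a valid signature from an unknown key is still a reject. */
public class VerifyJarSignature {
    public static boolean verify(File jar, File detachedSig, File trustedKeyring)
            throws IOException, PGPException {
        Security.addProvider(new BouncyCastleProvider());
        // Trusted keyring: assumed to be keys you exported after checking them (web of trust).
        PGPPublicKeyRingCollection ring;
        try (InputStream keyIn = PGPUtil.getDecoderStream(new FileInputStream(trustedKeyring))) {
            ring = new PGPPublicKeyRingCollection(keyIn, new JcaKeyFingerprintCalculator());
        }
        // Parse the detached signature; getDecoderStream handles ASCII-armoured .asc or binary.
        PGPSignatureList sigs;
        try (InputStream sigIn = PGPUtil.getDecoderStream(new FileInputStream(detachedSig))) {
            Object obj = new JcaPGPObjectFactory(sigIn).nextObject();
            if (obj instanceof PGPCompressedData) {
                obj = new JcaPGPObjectFactory(((PGPCompressedData) obj).getDataStream()).nextObject();
            }
            sigs = (PGPSignatureList) obj;
        }
        for (int i = 0; i < sigs.size(); i++) {
            PGPSignature sig = sigs.get(i);
            PGPPublicKey key = ring.getPublicKey(sig.getKeyID());
            if (key == null) continue; // signer is not someone we trust: ignore this signature
            sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), key);
            try (InputStream in = new BufferedInputStream(new FileInputStream(jar))) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) > 0) sig.update(buf, 0, n); // hash the jar bytes
            }
            if (sig.verify()) return true; // good signature from a trusted key
        }
        return false; // no signature by a trusted key verified: do not use the jar
    }

    public static void main(String[] args) throws Exception {
        // Usage: java VerifyJarSignature ant.jar ant.jar.asc trusted-keys.gpg (placeholders)
        boolean ok = verify(new File(args[0]), new File(args[1]), new File(args[2]));
        System.out.println(ok ? "signature OK, key is in trusted ring" : "REJECT: no trusted signature");
        System.exit(ok ? 0 : 1);
    }
}
```

Because trust comes from the keyring rather than from the download host, the jar and its .asc may be fetched from any mirror; what must come from somewhere you trust is the keyring itself.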