I generally import each project's KEYS file, and having been to a key signing party before at ApacheCon, I have a small web of trust to help verify those signatures. The more people sign each other's keys, the easier it is to verify.
On 14 June 2017 at 02:59, Jan Matèrne (jhm) <apa...@materne.de> wrote:

> My first thought was 'I want to have all the stuff inside the distro.'
> That means also the ASC.
> But having the ASC inside the distro means letting the key on the lock ...
>
> So the 2nd thought was: how to verify the download?
> - download
> - hashvalue checksum
> - pgp check
> We could provide a howto file in the distro, but we also could provide a
> build snippet for automating that.
> a) provide the snippet via website and define an Ant property which
> artifact to get
> b) provide the snippet inside the distro and will only do the two checks
> (getting the checksums directly from the ASF server)
>
>
> Jan
>
>
> > -----Original Message-----
> > From: Stefan Bodewig [mailto:bode...@apache.org]
> > Sent: Wednesday, 14 June 2017 09:17
> > To: dev@ant.apache.org
> > Subject: Re: [VOTE] Release Compress Antlib 1.5 based on RC3
> >
> > On 2017-06-13, Jan Matèrne (jhm) wrote:
> >
> > >> Should we include the PGP [e.g. 1] signature in the future?
> >
> > > Answer myself: should be only on ASF server, so people could trust
> > > that ;) Maybe place a note (next time) how to check that (do we have a
> > > build snippet for that?)
> >
> > I'm not exactly sure what you mean.
> >
> > Should I have included the PGP signature of any of the artifacts inside
> > of the vote email?
> >
> > The vote email I've sent may have been a bit terse and I'm happy to
> > improve on it.
> >
> > Stefan

--
Matt Sicker <boa...@gmail.com>
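
The steps listed in the quoted message (download, checksum, PGP check), combined with the KEYS import mentioned in the reply, as an added shell example that is not part of the thread or of the Ant project's own tooling. The file naming (`artifact.sha512`, `artifact.asc`), the function names, and the use of GNU `sha512sum` and `gpg` are assumptions.

```shell
#!/bin/sh
# Added example: verify an already-downloaded release artifact offline.
# Assumed (hypothetical) layout: <artifact>, <artifact>.sha512, <artifact>.asc, KEYS.
# The .sha512, .asc and KEYS files should come from the project's own server,
# not from a mirror and not from inside the archive being verified.

# Compare the artifact's SHA-512 with the published value.
# Accepts a checksum file holding a bare hash or "hash  filename".
# Returns 0 on match, 1 on mismatch, 2 if no hash is found in the file.
verify_checksum() {
    artifact=$1 sumfile=$2
    expected=$(grep -oiE '[0-9a-f]{128}' "$sumfile" | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no SHA-512 value in $sumfile" >&2; return 2; }
    actual=$(sha512sum "$artifact" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# Check the detached signature against the keys in the given KEYS file only,
# using a throwaway keyring so keys already in the user's keyring do not count.
verify_signature() {
    artifact=$1 sigfile=$2 keysfile=$3
    keyring=$(mktemp -d) || return 2
    gpg --homedir "$keyring" --batch --quiet --import "$keysfile" 2>/dev/null &&
        gpg --homedir "$keyring" --batch --verify "$sigfile" "$artifact"
    status=$?
    rm -rf "$keyring"
    return "$status"
}

# Run both checks; stop at the first failure.
verify_release() {
    verify_checksum "$1" "$1.sha512" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_signature "$1" "$1.asc" "$2" || { echo "bad signature: $1" >&2; return 1; }
    echo "OK: $1"
}

# Usage: sh verify.sh <artifact> <KEYS file>
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

A passing signature check here only shows that the artifact was signed by some key in the KEYS file; whether those keys belong to the release managers is what the web of trust from the reply addresses.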