This all makes sense to me. Many thanks for the feedback here.

Cheers,
-Rob

> On Jul 13, 2020, at 5:12 AM, Mark Thomas <ma...@apache.org> wrote:
>
> On 13/07/2020 06:43, Stefan Bodewig wrote:
>> On 2020-07-12, Rob Tompkins wrote:
>>
>>> given the consistency of the signatures from the plugins…do we need to
>>> check them for releases anymore?
>>
>> Yes, please. Not everybody uses the plugins and even if everybody did, a
>> misconfiguration could be pulling in the wrong key or a key not
>> available from the expected download location.
>
> +1, for several reasons
>
> It also catches corrupted uploads.
>
> It is simpler to fix during a release vote than after a release where
> we'd have to at least consider the possibility of malicious activity and
> respond accordingly until we could prove it wasn't.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
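The manual check the thread argues for, as an added example that is not code from the thread or from the Apache Commons project: a POSIX shell script a release-vote participant can run against a downloaded archive, its `.sha512` and `.asc` files, and the project's KEYS file. The file paths, the KEYS file location and the archive name are assumptions; the signature step uses a throwaway keyring populated only from that KEYS file, so a misconfigured local keyring or a key from the wrong location cannot stand in for the expected one.

```shell
#!/bin/sh
# Release-vote artifact check (added example, not the project's tooling).
# Assumes: ARCHIVE, ARCHIVE.sha512 and ARCHIVE.asc sit side by side, and
# KEYS was fetched from the project's canonical download location.
set -eu

# Compare the published SHA-512 with the downloaded bytes. Accepts both the
# "<hash>" and "<hash>  <filename>" layouts. Catches corrupted uploads.
verify_checksum() {
    archive="$1"
    expected=$(awk 'NR == 1 { print tolower($1) }' "$archive.sha512")
    actual=$(sha512sum "$archive" | awk '{ print tolower($1) }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify the detached signature with an isolated keyring that contains only
# the keys from the project's KEYS file, never the user's default keyring
# or a keyserver. A signature from any other key fails the check.
verify_signature() {
    archive="$1"
    keys_file="$2"
    gnupghome=$(mktemp -d)
    status=0
    gpg --homedir "$gnupghome" --batch --quiet --import "$keys_file" \
        || status=$?
    if [ "$status" -eq 0 ]; then
        gpg --homedir "$gnupghome" --batch --verify \
            "$archive.asc" "$archive" || status=$?
    fi
    rm -rf "$gnupghome"
    return "$status"
}

# Usage: ./check-release.sh <archive> <KEYS>   (assumed invocation)
if [ "$#" -eq 2 ]; then
    verify_checksum "$1" && verify_signature "$1" "$2" && echo "OK: $1"
fi
```

Run it once per artifact in the vote (source and binary archives); a failing signature during the vote is a packaging problem to fix, whereas the same failure after release has to be treated as possible tampering until shown otherwise.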