So you assume that www.apache.org cannot be hacked? What if a signing key *IS* in KEYS but not signed by anyone (because the developer has never attended an Apache key signing event)?

Ciao
Henning

On Wed, 2008-09-24 at 00:36 -0500, William A. Rowe, Jr. wrote:
> Henning Schmiedehausen wrote:
> >
> > How do you validate that the pub key presented to you is genuine?
>
> Every project worth its salt has a www.apache.org/dist/{tlp}/KEYS
> file which contains that project's contributors' signatures, countersigned
> or not. Ideally, they are extensively countersigned. But in some cases
> they are not.
>
> The delta is; are you trusting www.apache.org/dist/{tlp}/KEYS? Or are
> you trusting www.friendlyname.zz/mirrors/apache/dist/{tlp}/KEYS? There's
> a pretty major difference :)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
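A small check covering the two points raised in this exchange: whether a release's signing key is in the project's KEYS file at all, whether anyone has countersigned it (Henning's unsigned-key case), and whether the KEYS file was fetched from www.apache.org/dist/{tlp}/KEYS rather than a mirror. This is an added example, not code from the thread or from Apache; it assumes the KEYS file uses gpg's `--list-sigs` layout in front of each armored block, and the key IDs, names and mirror hostname below are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the "gpg --list-sigs" layout Apache KEYS files use.
SAMPLE_KEYS = """\
pub   1024D/AAAA1111 2005-01-01
uid                  Alice Dev (CODE SIGNING KEY) <alice@example.invalid>
sig 3        AAAA1111 2005-01-01  Alice Dev (CODE SIGNING KEY) <alice@example.invalid>
sig          BBBB2222 2006-03-03  Bob Other <bob@example.invalid>
sub   2048g/CCCC3333 2005-01-01
sig          AAAA1111 2005-01-01  Alice Dev (CODE SIGNING KEY) <alice@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGiBEEjfakeblock
-----END PGP PUBLIC KEY BLOCK-----
pub   1024D/DDDD4444 2007-07-07
uid                  Dave Solo <dave@example.invalid>
sig 3        DDDD4444 2007-07-07  Dave Solo <dave@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGiBEEjfakeblock2
-----END PGP PUBLIC KEY BLOCK-----
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8,16})\b")
# Optional trust-level/flag column (e.g. "sig 3", "sig L") precedes the signer key ID.
SIG_RE = re.compile(r"^sig\s+(?:[0-9A-Za-z]{1,3}\s+)?([0-9A-Fa-f]{8,16})\s")

def parse_keys(text):
    """Return {primary key ID: set of countersigner key IDs} for a KEYS file."""
    keys, current = {}, None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = m.group(1).upper()
            keys[current] = set()
            continue
        if line.startswith("sub") or line.startswith("-----"):
            current = None  # subkey binding sigs and armored blocks are not countersignatures
            continue
        m = SIG_RE.match(line)
        if m and current and m.group(1).upper() != current:  # self-signatures do not count
            keys[current].add(m.group(1).upper())
    return keys

def assess_signing_key(keys_text, signer_id):
    """Classify the key that signed a release against what the KEYS file says about it."""
    keys = parse_keys(keys_text)
    signer_id = signer_id.upper()
    if signer_id not in keys:
        return "not in KEYS"
    if not keys[signer_id]:
        return "in KEYS, no countersignatures"  # Henning's case: listed, but nobody vouches for it
    return "in KEYS, countersigned by %d key(s)" % len(keys[signer_id])

def is_canonical_keys_url(url):
    """True only for a project's KEYS file on www.apache.org itself, never a mirror copy."""
    u = urlparse(url)
    return u.netloc.lower() == "www.apache.org" and re.fullmatch(r"/dist/[^/]+/KEYS", u.path) is not None
```

A countersignature only means as much as the countersigner's own key, so a serious check would also require each countersigner to be a key the verifier already trusts, which this example does not attempt.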