On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote:
> On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
>> On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote:
>> > On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> >> The only reason I suggested including the sigs in the source distro is
>> >> because a source build like Apache ServiceMix depends on hundreds of
>> >> third party dependencies.. so an end user would need to end up
>> >> trusting LOTs of different signatures to get ServiceMix to build.
>> >>
>> >> It would be easier if the end user could just trust the Apache source
>> >> distro and also transitively trust the signatures that we trust for
>> >> our dependencies.
>> >
>>
>> I actually meant to say include the pub key for the dependency in the
>> source distro.
>
> How do you validate that the pub key presented to you is genuine? What
> you're currently proposing is
>
> src-artifact <- signed with A's privkey, validated with A's pubkey
>
> A's pubkey is inside src-artifact.
NO I'm not. I'm saying that A artifact has 100 dependencies by say 30
different signers.. we include those 30 pub keys in the src-artifact. NOT
the A key! You have to validate the A source distro the same way you would
validate an ANT based build source distro today.

--
Regards,
Hiram

Blog: http://hiramchirino.com
Open Source SOA
http://open.iona.com
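The trust model the two replies are arguing over (the project's own key is the out-of-band anchor; the bundled third-party keys are trusted only transitively, and only after the source distro itself verifies), as an added Go example that is not part of this thread or of ServiceMix. The Ed25519 keys, signer names and artifact contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Dep is one third-party artifact with its detached signature and signer id.
type Dep struct{ Name, Signer string; Data, Sig []byte }

// Distro is the source distribution. Keys holds the bundled third-party public
// keys (the "30 pub keys"); the project's own key is deliberately NOT among them.
type Distro struct {
	Content []byte
	Keys    map[string]ed25519.PublicKey
	Order   []string // signer order, so the keyring hashes deterministically
	Deps    []Dep
	Sig     []byte // project's signature over Digest()
}

// Digest binds content, keyring and dependencies into one hash, so swapping a
// bundled key or a dependency breaks the project's top-level signature.
func (d *Distro) Digest() []byte {
	h := sha256.New()
	h.Write(d.Content)
	for _, s := range d.Order { h.Write([]byte(s)); h.Write(d.Keys[s]) }
	for _, p := range d.Deps { h.Write([]byte(p.Name + "@" + p.Signer)); h.Write(p.Data); h.Write(p.Sig) }
	return h.Sum(nil)
}

// Verify checks the distro against an out-of-band trust anchor (the project's
// public key) and only then trusts the bundled keys for the dependencies.
func Verify(d *Distro, anchor ed25519.PublicKey) error {
	if !ed25519.Verify(anchor, d.Digest(), d.Sig) { return fmt.Errorf("distro signature invalid; bundled keys stay untrusted") }
	for _, p := range d.Deps {
		pk, ok := d.Keys[p.Signer]
		if !ok || !ed25519.Verify(pk, p.Data, p.Sig) {
			return fmt.Errorf("%s: no valid signature from bundled key %q", p.Name, p.Signer)
		}
	}
	return nil
}

// BuildDistro is constructed sample data (two dependency signers); the returned
// project public key is the anchor a user would obtain out of band, not from the distro.
func BuildDistro() (*Distro, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	d := &Distro{Content: []byte("servicemix-src.tar.gz"), Keys: map[string]ed25519.PublicKey{}}
	for _, s := range []string{"signer-1", "signer-2"} {
		sp, sk, _ := ed25519.GenerateKey(rand.Reader)
		data := []byte("library released by " + s)
		d.Keys[s], d.Order = sp, append(d.Order, s)
		d.Deps = append(d.Deps, Dep{s + "-lib", s, data, ed25519.Sign(sk, data)})
	}
	d.Sig = ed25519.Sign(priv, d.Digest())
	return d, pub
}
```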