William A. Rowe, Jr. wrote:
Henning Schmiedehausen wrote:
So you assume that that www.apache.org can not be hacked? What if a
signing key *IS* in KEYS but not signed by anyone (because the developer
has never attended an Apache key signing event)?
No, I answered your question.
W.r.t. www.apache.org/dist/{tlp}/KEYS, we have a serious issue to address,
because it's not https: accessible so cannot be trusted. Yes, it's quite
possible to fetch https://svn.apache.org/repos/asf/{tlp}/{code}/trunk/KEYS
but that's not what we suggest, and suboptimal to boot.
Open an infrastructure JIRA ticket and I'll figure out getting https://
on www.apache.org sooner or later.
Thanks,
Paul
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
