Hi,

On Tue, Jun 28, 2011 at 10:29 AM, Bertrand Delacretaz <bdelacre...@apache.org> wrote:
> Hence the need for people to download KEYS files from an *.apache.org
> domain that we do control. Putting KEYS in a distribution might cause
> people to use them instead of getting them from a trusted source, and
> that's bad.

The keys should be included in the web of trust, so it shouldn't matter from where a user gets the keys. Without the web of trust, the PGP signatures are just a rather elaborate version of the MD5 and SHA1 checksums we also provide.

Of course, without being included in the web of trust, the best a user can do is to get at least one of the keys from a trusted source.

BR,

Jukka Zitting